Iranian Tortoiseshell hackers attack email using IMAP protocol

Carding 4 Carders

The IMAPLoader loader interacts with email in a clever way to deploy malware.

An Iranian hacker group under the pseudonym Tortoiseshell (literally "turtle shell") was spotted by PwC specialists in a new series of attacks aimed at deploying malicious software called IMAPLoader.

IMAPLoader is .NET-based malware that fingerprints victims' systems using standard Windows utilities. It acts as a loader for additional modules and uses email as its command-and-control channel. In addition, IMAPLoader can run malicious modules extracted from email attachments.

Since 2018, Tortoiseshell has been actively exploiting website vulnerabilities to spread its malware. In May of this year, the group was linked to the hacking of eight websites related to shipping, logistics and financial services in Israel.

The group is also tracked as Crimson Sandstorm, Imperial Kitten, TA456 and Yellow Liderc, and is considered to be allied with the Islamic Revolutionary Guard Corps (IRGC).

The latest series of Tortoiseshell attacks, between 2022 and 2023, involves injecting malicious JavaScript code into compromised legitimate websites to collect additional information about visitors, including their location, device details and time of visit. The main focus was on the shipping and logistics sectors in the Mediterranean.

IMAPLoader is said to be a replacement for the Python-based IMAP implant that Tortoiseshell used earlier. IMAPLoader acts as a next-stage malware downloader, polling hard-coded IMAP email accounts and extracting executable files from email attachments.
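Because the loader fetches its next stage from attachments in a mailbox it controls, a defender reviewing a mailbox export or a mail-gateway quarantine wants to flag attachments by what they contain rather than by their declared name or type. The script below is an added illustration written for this article; it is not code from the PwC report or from IMAPLoader itself. It parses raw RFC 822 messages with Python's standard `email` library and reports any attachment whose decoded payload starts with the Windows PE magic bytes "MZ". The two sample messages are constructed inline for the demo, and the sender, recipient and filenames in them are placeholders.

```python
"""Flag mail messages carrying executable attachments, regardless of filename.

Added illustration (not code from the PwC report or from IMAPLoader): given
raw RFC 822 messages, as a defender would pull them from a mailbox export or
a mail-gateway quarantine, parse each one and report attachments whose
content starts with the Windows PE magic ("MZ"), since a loader that pulls
its next stage from attachments does not depend on the attachment's name.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Magic bytes that identify a Windows PE executable, whatever the extension.
PE_MAGIC = b"MZ"


def executable_attachments(raw_message: bytes) -> list[dict]:
    """Return one record per MIME part whose decoded payload looks like a PE file."""
    msg = message_from_bytes(raw_message, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)  # base64 / quoted-printable decoded
        if not payload:
            continue
        if payload[:2] == PE_MAGIC:
            findings.append({
                "subject": msg["subject"],
                "filename": part.get_filename() or "(none)",
                "declared_type": part.get_content_type(),
                "size": len(payload),
            })
    return findings


def _build_sample(subject: str, filename: str, content_type: str, data: bytes) -> bytes:
    """Construct a sample message for the demo (constructed, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder address
    msg["To"] = "recipient@example.invalid"  # placeholder address
    msg["Subject"] = subject
    msg.set_content("see attached")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: a harmless text file, and a fake PE header hidden
# behind an innocuous name and content type (the case worth catching).
SAMPLE_BENIGN = _build_sample("invoice", "notes.txt", "text/plain", b"quarterly notes\n")
SAMPLE_SUSPECT = _build_sample("report", "report.pdf", "application/pdf",
                               b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100)


def scan_mailbox(messages: list[bytes]) -> list[dict]:
    """Scan raw messages and collect every executable-attachment finding."""
    results = []
    for raw in messages:
        results.extend(executable_attachments(raw))
    return results


if __name__ == "__main__":
    for hit in scan_mailbox([SAMPLE_BENIGN, SAMPLE_SUSPECT]):
        print(f"executable attachment: subject={hit['subject']!r} "
              f"name={hit['filename']} declared={hit['declared_type']} bytes={hit['size']}")
```

The check keys on content, so a PE file renamed to `.pdf` and labelled `application/pdf`, as in the second sample, is still reported. In practice the same function can be fed messages pulled from an IMAP mailbox with `imaplib` in `RFC822` form, and the findings joined with mail-server logs to see which account and which client fetched the message.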

One of the attack chains uses a Microsoft Excel document as the initial vector to launch a multi-step delivery process and execute IMAPLoader, which shows that the group uses a variety of tactics and techniques to reach its strategic goals.

PwC experts also found phishing sites created by Tortoiseshell, some of which target the travel and hospitality sectors in Europe. PwC specifically emphasized that this group continues to pose a real threat to many industries and regions, including the Mediterranean, the United States and Europe.