The security researchers uncovered, TA456 which is also known as “Tortoiseshell” and “Imperial Kitten” has recently executed several targeted attacks on defense contractors with malware.

The hackers of this group mimicked themselves as aerobics instructors simply to fool the defense contractors of US aerospace defense and then compromise their systems to exfiltrate sensitive data. Facebook page has been created with name Marcella Flores for mimicking.

The researchers have reported & dubbed the malware as, “Lempo,” it’s the updated version of the “Liderc.” Lempo is basically a VBS (Visual Basic Script) that is dropped by an Excel macro. Using Microsoft’s CDO (Collaboration Data Objects) it exfiltrates the data

The threat actors who created and abused the fake profile has also used the following things to trick their victims and make them believe they are real:-

  • Email
  • Private messages
  • Social Media Profiles
  • Photographs
  • Flirty personal messages

While as part of their espionage operation the hackers have also used those emails to send their victims links to OneDrive which led them to with a document with a survey related to diet, or a video file, as part of their long-standing correspondence.

Information collected by Lempo

  • Date and time
  • Computer and usernames
  • System information via WMIC os, sysaccount,  environment, and computer system commands
  • Antivirus products located in the “SecurityCenter2” path
  • Drives
  • Tasklist
  • Software and version
  • Net users and user details

The malware provides endurance to attackers on target system which enables them to search and steal all the confidential data present on the compromised system. Through which easily an attacker can execute sophisticated spy campaigns.

At this moment the fake profile with the name, “Marcella Flores” was deactivated by the threat actors. According to the reports, in this spy campaign, the hackers of this group targeted more than 200 military defense, and aerospace companies in the US, UK, and Europe.