Watering hole attack from Tortoiseshell group

Researchers have discovered a watering hole attack that targeted numerous Israeli websites. The attack is believed to be carried out by a nation-state actor from Iran linked with the Tortoiseshell group.

Initially spotted in July 2018, when it targeted IT providers in Saudi Arabia. In previous campaigns, it has set up fake hiring websites for U.S. military veterans to fool them into downloading remote access trojans.

The eight websites targeted belong to different industries, including logistics, shipping, and financial services in Israel.

Attackers use strategic website compromises by infecting a website commonly visited by a group of users or those within a specific industry to spread the malware.

The intrusions include malicious JavaScript being injected into the website’s functions for collecting information regarding the targeted system and sending it back to a remote server.

Modus of Operandi

The threat actors use the JavaScript code to find out the user’s language preference and most probably customize their attack on the basis of it.

The attacks were observed using a domain named jquery-stack[.]online for C2 communication. The aim is to stay hidden by impersonating the genuine jQuery JavaScript framework. The attackers use code partly taken from the Metasploit framework along with a few unique strings.

Israel is already a major target for the state-sponsored group from Iran for the regime’s objectives. Organizations should leverage provided IoCs to prevent such attack attempts. Additionally, raise awareness for watering hole attacks and always keep the systems updated.

Indicators of Compromise

• 02A3296238A3D127A2E517F4949D31914C15D96726FB4902322C065153B364B2
• F71732F997C53FA45EEF5C988697EB4AA62C8655D8F0BE3268636FC23ADDD193
• 07D123364D8D04E3FE0BFA4E0E23DDC7050EF039602ECD72BAED70E6553C3AE4
• http://64.235.39.45/smartscreen.exe
• http://64.235.39.45/ssa.exe