Picus Labs Blue Team

LAST UPDATED ON OCTOBER 31, 2023

Picus Threat Library Updated for Lempo Malware of the TA456 (Tortoiseshell, Imperial Kitten) Threat Group

Picus Labs has updated the Picus Threat Library with new attack methods for Lempo malware samples used by the TA456 (also known as Tortoiseshell and Imperial Kitten) Advanced Persistent Threat (APT) group, which has been operating since 2018. OilRig is believed to be an Iranian government-aligned threat group that has targeted victims in Middle Eastern countries and the USA. The majority of the group's targets are in the government, defense, and IT sectors. TA456 (Tortoiseshell) mainly uses backdoors (e.g. Syskit), remote access trojans (RATs, e.g. IvizTech), and reconnaissance tools (e.g. Liderc) in its attack campaigns.

The TA456 APT Group's Latest Malware: Lempo

The Iranian state-linked threat actor TA456 was identified by Proofpoint researchers as being behind a years-long social engineering and targeted malware campaign. TA456 spent years posing as "Marcella Flores" in order to infect the computer of an aerospace defense contractor employee with LEMPO malware, which the threat actor designed to establish persistence, conduct reconnaissance, and exfiltrate sensitive data. According to Proofpoint researchers, TA456 actively targets smaller subsidiaries and contractors in support of efforts to compromise major defense firms through a supply chain breach.

Picus Labs has updated the Picus Threat Library with the Lempo malware utilized by the TA456 threat actor:

Picus ID   Threat Name
629261     LEMPO Trojan used by TA456 Threat Group .VBS File Download Variant-1
494305     LEMPO Trojan used by TA456 Threat Group .VBS File Download Variant-2
737305     LEMPO Trojan used by TA456 Threat Group .VBS File Download Variant-3
819693     LEMPO Trojan used by TA456 Threat Group .VBS File Download Variant-4
889632     LEMPO Downloader used by TA456 Threat Group .XLS File Download Variant-1
358399     LEMPO Downloader used by TA456 Threat Group .XLS File Download Variant-2

Other TA456 (Tortoiseshell, Imperial Kitten) Threats in Picus Threat Library

The following threats were added in 2019 during TA456's earlier campaign, which Symantec named Tortoiseshell.

Picus ID   Threat Name
737305     Trojan Malware used by Tortoiseshell Threat Group .EXE File Download Variant-1
475500     Trojan Malware used by Tortoiseshell Threat Group .EXE File Download Variant-2

Threat Groups in Picus Threat Library

The Picus Threat Library is the most comprehensive threat library in the "Continuous Security Validation" / "Breach and Attack Simulation (BAS)" industry. As of August 6, 2021, the Picus Threat Library includes 2000+ threats for 200+ threat groups.
