Picus Threat Library Updated for Lempo Malware of the TA456 (Tortoiseshell, Imperial Kitten) Threat Group

Keep up to date with latest blog posts

Picus Labs has updated the Picus Threat Library with new attack methods for Lempo malware samples used by the TA456 (also known as Tortoiseshell and Imperial Kitten)  Advanced Persistent Threat (APT) Group, operating since 2018. OilRig is believed to be an Iranian government-aligned threat group that has targeted victims in Middle East countries and USA. The majority of the group's targets are in the government, defense, and IT sectors. TA456 (Tortoiseshell) mainly uses backdoors (e.g. Syskit), remote access trojans - RATs (e.g. IvizTech), and reconnaissance tools (e.g. Liderc) in their attack campaigns.

The TA456 APT Group's Latest Malware: Lempo

The Iranian-state linked threat actor TA456 has been discovered by Proofpoint researchers as being behind a years-long social engineering and targeted malware campaign. TA456 spent years pretending to be "Marcella Flores" in order to infect the computer of an aerospace defense contractor employee with LEMPO malware,  which is designed by the threat actor to build persistence, conduct reconnaissance, and exfiltrate sensitive data. According to Proofpoint researchers, smaller subsidiaries and contractors are actively targeted by TA456 in support of efforts to compromise major defense firms through a supply chain breach.

Picus Labs has updated the Picus Threat Library with the Lempo malware utilized by TA456 threat actor:

Picus ID

Threat Name

629261 LEMPO Trojan used by TA456 Threat Group .VBS File Download Variant-1
494305 LEMPO Trojan used by TA456 Threat Group .VBS File Download Variant-2
737305 LEMPO Trojan used by TA456 Threat Group .VBS File Download Variant-3
819693 LEMPO Trojan used by TA456 Threat Group .VBS File Download Variant-4
889632 LEMPO Downloader used by TA456 Threat Group .XLS File Download Variant-1
358399 LEMPO Downloader used by TA456 Threat Group .XLS File Download Variant-2

Other TA456 (Tortoiseshell, Imperial Kitten) Threats in Picus Threat Library

Following threats are added in 2019 during the previous campaign of TA456, named as Tortoiseshell by Symantec.

Picus ID

Threat Name

737305 Trojan Malware used by Tortoiseshell Threat Group .EXE File Download Variant-1
475500 Trojan Malware used by Tortoiseshell Threat Group .EXE File Download Variant-2

Threat Groups in Picus Threat Library

Picus Threat Library is the most comprehensive Threat Library in the "Continuous Security Validation" / "Breach and Attack Simulation (BAS)" industry. As of August 6, 2021, Picus Threat Library includes 2000+ threats for 200+ threat groups.

Subscribe

Keep up to date with latest blog posts