Picus Labs has updated the Picus Threat Library with new attack methods for LEMPO malware samples used by the TA456 Advanced Persistent Threat (APT) group, also tracked as Tortoiseshell and Imperial Kitten, which has been operating since 2018. TA456 is believed to be an Iranian government-aligned threat group that has targeted victims in Middle Eastern countries and the USA, mostly in the government, defense, and IT sectors. In its attack campaigns, TA456 (Tortoiseshell) mainly uses backdoors (e.g. Syskit), remote access trojans (RATs, e.g. IvizTech), and reconnaissance tools (e.g. Liderc).
The TA456 APT Group's Latest Malware: Lempo
Proofpoint researchers have attributed a years-long social engineering and targeted malware campaign to the Iranian-state-linked threat actor TA456. TA456 spent years posing as "Marcella Flores" in order to infect the computer of an aerospace defense contractor employee with LEMPO malware, which the threat actor designed to establish persistence, conduct reconnaissance, and exfiltrate sensitive data. According to Proofpoint, TA456 actively targets smaller subsidiaries and contractors as a way into major defense firms, that is, a supply chain compromise.
Picus Labs has updated the Picus Threat Library with the LEMPO malware used by the TA456 threat actor:
Picus ID | Threat Name
629261 | LEMPO Trojan used by TA456 Threat Group .VBS File Download Variant-1
494305 | LEMPO Trojan used by TA456 Threat Group .VBS File Download Variant-2
737305 | LEMPO Trojan used by TA456 Threat Group .VBS File Download Variant-3
819693 | LEMPO Trojan used by TA456 Threat Group .VBS File Download Variant-4
889632 | LEMPO Downloader used by TA456 Threat Group .XLS File Download Variant-1
358399 | LEMPO Downloader used by TA456 Threat Group .XLS File Download Variant-2
Other TA456 (Tortoiseshell, Imperial Kitten) Threats in Picus Threat Library
The following threats were added in 2019, during the earlier TA456 campaign that Symantec tracked under the name Tortoiseshell.
Picus ID | Threat Name
737305 | Trojan Malware used by Tortoiseshell Threat Group .EXE File Download Variant-1
475500 | Trojan Malware used by Tortoiseshell Threat Group .EXE File Download Variant-2
Threat Groups in Picus Threat Library
The Picus Threat Library is the most comprehensive threat library in the "Continuous Security Validation" / "Breach and Attack Simulation (BAS)" industry. As of August 6, 2021, it includes 2000+ threats for 200+ threat groups.