Cyberreason, a security firm that investigates malware used to target companies in the aerospace and telecommunications sectors, has discovered a new attacker that has been conducting cyber espionage attacks since at least 2018.
The malware, named ShellClient, is a previously undocumented remote access trojan (RAT) that is stealthy and built for “highly targeted cyber espionage.”
Researchers attribute ShellClient’s use in reconnaissance operations and theft of sensitive data from targets in the Middle East, the United States, Russia, and Europe to MalKamak, a previously undisclosed attacker.
The ShellClient RAT appeared in a researcher’s report in July during an incident response engagement that revealed cyber espionage activity now called Operation GhostShell.
The Cybereason Nocturnus and Incident Response teams have analyzed this malware and confirmed that it is running on an infected machine disguised as “RuntimeBroker.exe”. This is a legitimate process that helps manage permissions for Microsoft Store apps.
The ShellClient variant used for Operation GhostShell has a compilation date of May 22, 2021 and is called version 4.0.1.
The evolution of ShellClient in 2018 and beyond
Researchers have found that its evolution has started at least since November 2018.
Evolving from a simple standalone reverse shell to a stealthy modular spy tool
In each of the six iterations discovered, the malware increased its functionality, switching between multiple protocols and methods for data exfiltration (FTP clients, Dropbox accounts, etc.).
- Oldest variant compiled in November 2018 – not very sophisticated, works as a simple reverse shell
- Variant V1 compiled in November 2018 – has both client and server functionality, and Windows Added new service persistence method hidden as Defender update service
- Variant V2.1 compiled in December 2018 – Added FTP and Telnet clients, AES encryption, self-updating capabilities
- January 2019 Variant V3.1 compiled in January 2019 – minor fixes, removal of server component
- Variant V4.0.0 compiled in August 2021 – improved code obfuscation and protection by Costura packer, removal of C2 domain used since 2018 and the addition of a Dropbox client, among other important changes.
During its investigation, Cybereason examined details that linked ShellClient to known attackers and concluded that the malware is operated by a new nation-state group named MalKamak and is likely related to Iranian hackers based on code style overlap, naming conventions, and techniques. We concluded that the malware is likely related to Iranian hackers due to the overlapping code style, naming conventions, and techniques.
While we have identified some links to known Iranian attack groups, our conclusion is that MalKamak is a new and distinct group with unique characteristics that differentiate it from other known Iranian attack groups. Cybereason
Researchers say MalKamak is focused on highly targeted cyber espionage, a theory supported by the small number of samples and telemetry data found in the real world since 2018.
In addition, the debug file paths available in some ShellClients samples suggest that this malware is part of a classified military or intelligence project.
Cybereason has created a brief summary of how MalKamak runs, its capabilities, infrastructure, and the types of victims it is interested in.
Cybereason publishes indicators of compromise for all versions and samples of ShellClient, command and control servers, user agents, encryption keys, and related files that we discover.
Another technical document provides a complete analysis of all variants found in the incident response.
Survey summary
In July 2021, Cybereason Nocturnus and its incident response team responded to Operation GhostShell, a highly targeted cyber espionage attack that primarily targeted the aerospace and telecommunications industries in the Middle East, with victims in the United States, Russia, and Europe. GhostShell.
“Operation GhostShell” is designed to steal sensitive information about critical assets, organizational infrastructure, and technology. Upon investigation, the Nocturnus team discovered a previously undocumented stealthy RAT (Remote Access Trojan) called “ShellClient”, which was being used as a primary spying tool.
The Nocturnus team found evidence that the ShellClient RAT had been in continuous development since at least 2018, with some additional development to introduce new features while evading antivirus tools and remaining undetected and generally unknown to the public We found evidence of some additional development to introduce new features while remaining undetected and unnoticed by the public.
After investigating the identity of the operators and authors of ShellClient, we have identified a new Iranian attack group named MalKamak, which has been active since at least 2018 and is not publicly known so far.
In addition, our research points to possible links to other Iranian state-sponsored APT threat groups, such as Chafer APT (APT39) and Agrius APT. However, we assess MalKamak as having characteristics that differentiate it from other Iranian groups.
Key findings
New Iranian Threat Actor MalKamak
The newly discovered Iranian threat group, named MalKamak, has been active since at least 2018 and has remained unknown until now. The research also draws out possible links to other Iranian state-sponsored threat groups, including Chafer APT (APT39) and Agrius APT.
Discovery of a new ShellClient RAT
The Cybereason Nocturnus team has discovered a sophisticated, previously undocumented RAT (Remote Access Trojan) named ShellClient that is being used in highly targeted cyber espionage.
It targets aerospace and telecommunications companies. According to telemetry, this threat has been observed primarily in the Middle East region, but has also been observed targeting organizations in the United States, Russia, and Europe, with a focus on the aerospace and telecommunications industries.
Continued development since 2018 According to our research, this threat first became operational in 2018 and has been in active development since then, with features and stealthiness being added with each new version. This threat is still active as of September 2021.
Cloud service exploit for C2
The latest version of ShellClient has been found to exploit a cloud-based storage service (in this case, the popular Dropbox service) for command and control (C2) to avoid detection by blending in with legitimate network traffic. In this case, the popular Dropbox service.
Designed for Stealth The developers of ShellClient have gone to great lengths to increase stealth by utilizing multiple obfuscation techniques to evade detection by antivirus and other security tools, and have recently implemented a Command and Control (C2) Dropbox client for command and control (C2), making it very difficult to detect.
Comments