Researchers at cybersecurity firm Cybereason uncovered a new cyber-espionage operation aimed at stealing sensitive information from companies in the aerospace and telecommunications industries.
Dubbed ‘Operation GhostShell’, the new campaign mainly targets entities in the Middle East; however, the researchers said they have also seen victims in the US, Europe, and Russia.
While investigating the attacks first observed in July 2021, Cybereason discovered a previously undocumented and stealthy RAT (Remote Access Trojan), which they named ‘ShellClient,’ used as a primary espionage tool. The research team believes that the tool has been in development since 2018 and was created by a previously unknown Iranian threat actor dubbed MalKamak.
Although MalKamak appears to be new and distinct from previously documented groups, the researchers found evidence pointing to a possible connection to known Iranian state-backed groups such as Chafer APT (APT39) and Agrius APT.
“When first inspecting the ShellClient RAT, the malicious binary was found to be running on victim machines as ‘svchost.exe’ while its internal name was disguised as ‘RuntimeBroker.exe’,” the researchers said.
In addition to conducting reconnaissance and the exfiltration of sensitive data, ShellClient is capable of performing fingerprinting and registry operations. It also abuses cloud storage services such as Dropbox for command-and-control (C2) communications in an attempt to stay hidden.
“The C2 communications this malware implements are quite unique, as they rely on ‘cold files’ being saved to a remote Dropbox, instead of a common interactive session. This method of communication is an interesting Operational Security (OPSEC) solution, making it difficult to trace the threat actor’s infrastructure by utilizing a public service such as Dropbox,” the report reads.
To communicate with Dropbox, the ShellClient RAT uses Dropbox’s API with a unique embedded API key. It also encrypts data before sending it to Dropbox.
“The most recent ShellClient versions observed in Operation GhostShell follow the trend of abusing cloud-based storage services, in this case the popular Dropbox service. The ShellClient authors chose to abandon their previous C2 domain and replace the command and control mechanism of the malware with a more simple yet more stealthy C2 channel using Dropbox to exfiltrate the stolen data as well as to send commands to the malware. This trend has been increasingly adopted by many threat actors due to its simplicity and the ability to effectively blend in with legitimate network traffic,” the researchers said.
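The two traits the report describes, a binary whose on-disk name (svchost.exe) does not match its PE internal name (RuntimeBroker.exe) and Dropbox API traffic from a process that has no reason to contact Dropbox, are both visible in ordinary endpoint telemetry. The following detection logic is an added example written for this article; it is not code from Cybereason's report. The telemetry records are constructed, the Dropbox API hostnames are assumed to be the ones an API-key-based client contacts (the excerpt only says "Dropbox's API"), and the allow-list of processes permitted to reach Dropbox is a hypothetical one for the environment being monitored.

```python
"""Flag ShellClient-style masquerading and cloud-storage C2 in endpoint telemetry.

Two checks, both taken from the traits described in the article:
  1. the executable's on-disk name differs from its PE VERSIONINFO internal name,
     or a file named svchost.exe runs from outside the Windows system directories;
  2. a process outside a small allow-list opens connections to the Dropbox API.
All telemetry below is constructed for this example.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Dropbox HTTP API hosts (assumption: these are the endpoints an API-key client contacts).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "notify.dropboxapi.com"}

# Hypothetical allow-list: processes expected to talk to Dropbox in this environment.
DROPBOX_ALLOWED_PROCESSES = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Directories where the genuine svchost.exe is installed (compared case-insensitively).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class ProcessEvent:
    pid: int
    image_path: str          # full path of the executable on disk
    internal_name: str       # InternalName/OriginalFilename from the PE version resource
    destinations: list[str] = field(default_factory=list)  # remote hosts contacted


def check_masquerade(ev: ProcessEvent) -> list[str]:
    """Check 1: name/internal-name mismatch and svchost.exe in an unexpected directory."""
    path = PureWindowsPath(ev.image_path)
    name = path.name.lower()
    internal = ev.internal_name.lower()
    findings = []
    if internal and internal != name:
        findings.append(f"pid {ev.pid}: on-disk name '{name}' but PE internal name '{internal}'")
    if name == "svchost.exe" and str(path.parent).lower() not in SYSTEM_DIRS:
        findings.append(f"pid {ev.pid}: svchost.exe running from non-system directory {path.parent}")
    return findings


def check_dropbox_c2(ev: ProcessEvent) -> list[str]:
    """Check 2: Dropbox API traffic from a process that is not on the allow-list."""
    name = PureWindowsPath(ev.image_path).name.lower()
    hits = sorted(h for h in ev.destinations if h.lower() in DROPBOX_API_HOSTS)
    if hits and name not in DROPBOX_ALLOWED_PROCESSES:
        return [f"pid {ev.pid}: {name} contacted Dropbox API host(s) {', '.join(hits)}"]
    return []


def analyze(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Run both checks; return findings keyed by pid, omitting processes with none."""
    results = {}
    for ev in events:
        findings = check_masquerade(ev) + check_dropbox_c2(ev)
        if findings:
            results[ev.pid] = findings
    return results


# Constructed telemetry: one benign svchost, one ShellClient-like process,
# the legitimate Dropbox client, and an unrelated tool touching the Dropbox API.
SAMPLE_EVENTS = [
    ProcessEvent(1204, r"C:\Windows\System32\svchost.exe", "svchost.exe"),
    ProcessEvent(4411, r"C:\Users\Public\svchost.exe", "RuntimeBroker.exe",
                 ["api.dropboxapi.com", "content.dropboxapi.com"]),
    ProcessEvent(3002, r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe", "Dropbox.exe",
                 ["api.dropboxapi.com"]),
    ProcessEvent(5120, r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                 ["content.dropboxapi.com"]),
]

if __name__ == "__main__":
    for pid, findings in analyze(SAMPLE_EVENTS).items():
        for line in findings:
            print(line)
```

Run on the constructed records, the ShellClient-like process (pid 4411) produces three findings (name mismatch, wrong directory, Dropbox API traffic), notepad.exe produces one for the Dropbox traffic alone, and the genuine svchost.exe and the Dropbox client produce none. The allow-list is the tuning point: the report notes that cloud-storage C2 blends into legitimate traffic, so the check only pays off where the set of processes expected to reach Dropbox is known and kept small.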