Cybereason, a vendor in operation-centric attack protection, published a new threat intelligence report that unmasks a highly-targeted cyber espionage operation targeting global aerospace and telecommunications companies. The report identifies a newly discovered Iranian threat actor behind the attacks dubbed MalKamak that has been operating since at least 2018 and remained unknown until today. In addition, the still-active campaign leverages a very sophisticated and previously undiscovered Remote Access Trojan dubbed ShellClient that evades antivirus tools and other security apparatus and abuses the public cloud service Dropbox for command and control.
The report, titled Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms, details the stealthy attacks against companies in the Middle East, United States, Europe and Russia. The investigation reveals possible connections to several Iranian state-sponsored threat actors including Chafer APT (APT39) and Agrius APT. This report follows the August publication of the DeadRinger Report by Cybereason that similarly uncovered multiple Chinese APT campaigns targeting telecommunications providers.
Key findings include:
- New Iranian Threat Actor MalKamak: A newly discovered Iranian threat actor that has been operating since at least 2018 and remained unknown thus far. The investigation draws possible connections to other Iranian state-sponsored threat actors including Chafer APT (APT39) and Agrius APT.
- Discovery of New ShellClient RAT: The Cybereason Nocturnus team discovered a sophisticated and previously undocumented RAT (Remote Access Trojan) dubbed ShellClient used for highly targeted cyber espionage operations.
- Targeting Aerospace and Telecom Companies: Based on the telemetry, this threat has been predominantly observed in the Middle East region but has also been observed targeting organizations in the U.S., Russia and Europe, with a focus on the Aerospace and Telecommunications industries.
- Ongoing Development Since 2018: The investigation revealed this threat was first operationalized in 2018 and since then has been under active development with each new version adding more features and stealth. This threat is still active as of September 2021.
- Abusing Cloud Services for C2:The most recent ShellClient versions were observed to be abusing cloud-based storage services for Command and Control (C2), in this case the popular Dropbox service, in order to remain undetected by blending in with legitimate network traffic.
- Designed for Stealth: The authors of ShellClient invested a lot of effort into making it stealthy to evade detection by antivirus and other security tools by leveraging multiple obfuscation techniques and recently implementing a Dropbox client for command and control (C2), making it very hard to detect.
Using the ShellClient RAT, the threat actor also deployed additional attack tools to perform various espionage activities on the targeted networks including additional reconnaissance, lateral movement in the environment, and the collection and exfiltration of sensitive data. Operation GhostShell is assessed to be run by a state-sponsored threat actor, or Advanced Persistent Threat (APT).
“The Operation GhostShell report revealed a complex RAT capable of evading detection since as early as 2018, and the recent DeadRinger report also uncovered a similarly evasive threat from as early as 2017, which tells us a lot about how advanced attackers are continuously defeating security solutions,” said Cybereason CEO and co-founder Lior Div. “Layering on more tools to produce even more alerts that overwhelm defenders is not helping us stop sophisticated attacks, which is why Cybereason takes an operation-centric approach that detects based on very subtle chains of behavior where the adversary’s own actions work against them to reveal the attack at the earliest stages.”