
Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms

By Cybereason Team

October 11, 2021

In July 2021, the Cybereason Nocturnus and Incident Response Teams responded to Operation GhostShell, a highly-targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe. 

The Operation GhostShell campaign aims to steal sensitive information about critical assets, organizations’ infrastructure and technology. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT (Remote Access Trojan) dubbed ShellClient which was employed as the primary espionage tool. 

The Nocturnus Team found evidence that the ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown.

Assessments as to the identity of the operators and authors of ShellClient resulted in the identification of a new Iranian threat actor dubbed MalKamak that has operated since at least 2018 and remained publicly unknown thus far. In addition, our research points out possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT (APT39) and Agrius APT. However, we assess that MalKamak has distinct features that separate it from the other Iranian groups. 

Key Findings

      • New Iranian Threat Actor MalKamak: A newly discovered Iranian threat actor dubbed MalKamak that has been operating since at least 2018 and remained unknown thus far. In addition, the investigation draws possible connections to other Iranian state-sponsored threat actors including Chafer APT (APT39) and Agrius APT.
      • Discovery of New ShellClient RAT: The Cybereason Nocturnus team discovered a sophisticated and previously undocumented RAT (Remote Access Trojan) dubbed ShellClient used for highly targeted cyber espionage operations.
      • Targeting Aerospace and Telecom Companies: Based on the telemetry, this threat has been predominantly observed in the Middle East region, but has also been observed targeting organizations in the U.S., Russia and Europe, with a focus on the Aerospace and Telecommunications industries. 
      • Ongoing Development Since 2018: Our investigation revealed this threat was first operationalized in 2018, and since then has been under active development with each new version adding more features and stealth. This threat is still active as of September 2021. 
      • Abusing Cloud Services for C2: The most recent ShellClient versions were observed to be abusing cloud-based storage services for Command and Control (C2), in this case the popular Dropbox service, in order to remain undetected by blending in with legitimate network traffic.
      • Designed for Stealth: The authors of ShellClient invested a lot of effort into making it stealthy to evade detection by antivirus and other security tools by leveraging multiple obfuscation techniques and recently implementing a Dropbox client for command and control (C2), making it very hard to detect. 

Recent Campaign

In July 2021, Cybereason encountered an unidentified threat actor carrying out a cyber espionage operation using a previously undocumented and stealthy RAT dubbed ShellClient.

Using this RAT, the threat actors were first observed conducting reconnaissance and exfiltrating sensitive data from leading Aerospace and Telecommunications companies in the Middle East region, and were later observed targeting the same industries in other regions including the U.S., Russia and Europe.

When first inspecting the ShellClient RAT, the malicious binary was found to be running on victim machines as “svchost.exe” while its internal name was disguised as “RuntimeBroker.exe”.
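The masquerading described above (a process running as “svchost.exe” whose PE version information names it “RuntimeBroker.exe”) is something endpoint telemetry can flag directly. The following triage check is an added example and is not code from the Cybereason report; the process records, their field names and the assumption that “internal name” maps to the PE version-info name are all constructed for illustration.

```python
# Added example (not from the Cybereason report): flag processes whose on-disk
# image name disagrees with the name in their PE version information, and
# svchost.exe instances that run from the wrong place or under the wrong parent.
# The telemetry records and field names below are constructed assumptions.
import ntpath
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"
EXPECTED_PARENT = {"svchost.exe": "services.exe"}   # legitimate svchost parent

@dataclass
class ProcessEvent:
    pid: int
    image_path: str        # full path the process was launched from
    internal_name: str     # InternalName / OriginalFilename from PE version info
    parent_image: str      # image name of the parent process

def check_process(ev: ProcessEvent) -> list[str]:
    """Return the reasons this process looks like a masquerading binary (empty if clean)."""
    reasons = []
    image = ntpath.basename(ev.image_path).lower()
    internal = ev.internal_name.lower()
    # A binary named svchost.exe that calls itself RuntimeBroker.exe internally is suspicious.
    if internal and internal != image:
        reasons.append(f"name mismatch: runs as {image} but PE version info says {internal}")
    if image == "svchost.exe":
        # Genuine svchost.exe lives in System32 and is started by services.exe.
        if ntpath.dirname(ev.image_path).lower() != SYSTEM32:
            reasons.append(f"svchost.exe outside System32: {ev.image_path}")
        if ev.parent_image.lower() != EXPECTED_PARENT[image]:
            reasons.append(f"unexpected parent for svchost.exe: {ev.parent_image}")
    return reasons

def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map each suspicious PID to its list of reasons; clean processes are omitted."""
    return {ev.pid: r for ev in events if (r := check_process(ev))}

# Constructed sample telemetry: one genuine svchost, one masquerading binary, one genuine RuntimeBroker.
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Windows\System32\svchost.exe", "svchost.exe", "services.exe"),
    ProcessEvent(1002, r"C:\Users\Public\svchost.exe", "RuntimeBroker.exe", "explorer.exe"),
    ProcessEvent(1003, r"C:\Windows\System32\RuntimeBroker.exe", "RuntimeBroker.exe", "svchost.exe"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, reasons)
```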

Similarities to Previous Chafer APT-Related Campaigns

During the analysis, it was observed that there were some potentially interesting links and similarities to an Iranian threat actor called Chafer APT (also known as APT39, ITG07 or Remix Kitten). 

The group has been active since at least 2014, and is believed to be linked to the Rana Intelligence Computing Company, a Teheran-based company, previously known to serve as a front company for the Iranian Ministry of Intelligence and Security (MOIS). The Chafer APT is known to attack targets in the Middle East as well as the U.S. and Europe. 

Examining past campaigns, such as the one analyzed in Bitdefender’s Chafer APT report, the team noticed interesting overlaps with observations in this investigation, as detailed in the following sections.

Our current assessment is that while these overlaps are interesting, they are not enough to establish attribution with an adequate certainty.

Conclusion

In the Operation GhostShell report, the Cybereason Nocturnus and Incident Response Teams discovered a sophisticated new Remote Access Trojan (RAT) dubbed ShellClient that was used in highly targeted attacks against a select few Aerospace and Telecommunications companies mainly in the Middle East, with other victims located in the U.S., Russia and Europe. Our current assessment is that the attacks were perpetrated by a newly discovered Iranian activity group dubbed MalKamak that has been operating since at least 2018 and remained in the dark until now.

The investigation into Operation GhostShell also revealed that ShellClient dates back to at least 2018, and has been continuously evolving ever since while successfully evading most security tools and remaining completely unknown. By studying the ShellClient development cycles, the researchers were able to observe how ShellClient has morphed over time from a rather simple reverse shell to a sophisticated RAT used to facilitate cyber espionage operations while remaining undetected. 

The most recent ShellClient versions observed in Operation GhostShell follow the trend of abusing cloud-based storage services, in this case the popular Dropbox service. The ShellClient authors chose to abandon their previous C2 domain and replace the command and control mechanism of the malware with a simpler yet stealthier C2 channel using Dropbox to exfiltrate the stolen data as well as to send commands to the malware. This trend has been increasingly adopted by many threat actors due to its simplicity and the ability to effectively blend in with legitimate network traffic. 

It is the intention of the researchers that the information provided in the Operation GhostShell report will inspire further research regarding ShellClient and the newly identified MalKamak activity group, and that it will ultimately assist in shedding more light on this mysterious malware that was kept well-hidden for many years. 
