Operation GhostShell: MalKamak APT targets aerospace and telco firms

Operation GhostShell: Threat actors used ShellClient malware in cyberespionage campaigns aimed at companies in the aerospace and telecommunications sectors.

Hackers use stealthy ShellClient malware on aerospace, telco firms

Cybereason Nocturnus and Incident Response Teams discovered a new threat actor that is targeting organizations in the aerospace and telecommunications sectors with the ShellClient malware as part of Operation GhostShell. ShellClient is previously undocumented and stealthy RAT (Remote Access Trojan) used to steal sensitive info from the victims.

The threat actors have been targeting the above industries since at least 2018.

Operation GhostShell is a highly targeted cyber espionage campaign that mainly hit entities in the Middle East, along with other victims in the U.S., Russia, and Europe. 

Researchers attributed the campaigns to a new Iran-linked threat actor tracked as MalKamak, which have some connections with the APT39 group.

“Assessments as to the identity of the operators and authors of ShellClient resulted in the identification of a new Iranian threat actor dubbed MalKamak that has operated since at least 2018 and remained publicly unknown thus far.” reads the analysis published by Cybereason. “In addition, our research points out possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT (APT39) and Agrius APT. However, we assess that MalKamak has distinct features that separate it from the other Iranian groups. “

The experts first discovered the ShellClient RAT during an investigation into an incident in July. The analysis of the malware employed in the recent Operation GhostShell (version 4.0.1) revealed it was compiled on May 22, 2021.Cybereason Nocturnus and Incident Response Teams analyzed the malware and observed that it ran on infected machines disguised as “RuntimeBroker.exe,” a legitimate process that helps with permission management for apps from Microsoft Store.

The first version of the RAT is dated back 2018, it was a simple standalone reverse shell, across the years the malware evolved and its authors implemented new functionalities, such as code obfuscation improvements, the use of Costura packer, and new persistence methods.

According to the experts, the PDB path embedded in some of the ShellClient samples suggests that the RAT is part of a restricted or classified project that could be related to military or intelligence agency operations.

“The most recent ShellClient versions observed in Operation GhostShell follow the trend of abusing cloud-based storage services, in this case the popular Dropbox service. The ShellClient authors chose to abandon their previous C2 domain and replace the command and control mechanism of the malware with a more simple yet more stealthy C2 channel using Dropbox to exfiltrate the stolen data as well as to send commands to the malware. This trend has been increasingly adopted by many threat actors due to its simplicity and the ability to effectively blend in with legitimate network traffic.” concludes the report which also includes indicators of compromise for all versions and samples of ShellClient.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Operation GhostShell)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

North Korea-linked IT workers infiltrated hundreds of US firms

The U.S. Justice Department charged five individuals, including a U.S. woman, for aiding North Korea-linked…

2 hours ago

Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

Russia-linked Turla APT allegedly used two new backdoors, named Lunar malware and LunarMail, to target…

19 hours ago

City of Wichita disclosed a data breach after the recent ransomware attack

The City of Wichita disclosed a data breach after the ransomware attack that hit the…

1 day ago

CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog

CISA adds two D-Link DIR-600 and DIR-605 router vulnerabilities to its Known Exploited Vulnerabilities catalog. The…

1 day ago

CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog

CISA adds two Chrome zero-day vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity…

1 day ago

North Korea-linked Kimsuky APT attack targets victims via Messenger

North Korea-linked Kimsuky APT group employs rogue Facebook accounts to target victims via Messenger and deliver malware.…

1 day ago

This website uses cookies.