Operation GhostShell: MalKamak APT targets aerospace and telco firms

Operation GhostShell: Threat actors used ShellClient malware in cyberespionage campaigns aimed at companies in the aerospace and telecommunications sectors.

Hackers use stealthy ShellClient malware on aerospace, telco firms

Cybereason Nocturnus and Incident Response Teams discovered a new threat actor that is targeting organizations in the aerospace and telecommunications sectors with the ShellClient malware as part of Operation GhostShell. ShellClient is previously undocumented and stealthy RAT (Remote Access Trojan) used to steal sensitive info from the victims.

The threat actors have been targeting the above industries since at least 2018.

Operation GhostShell is a highly targeted cyber espionage campaign that mainly hit entities in the Middle East, along with other victims in the U.S., Russia, and Europe. 

Researchers attributed the campaigns to a new Iran-linked threat actor tracked as MalKamak, which have some connections with the APT39 group.

“Assessments as to the identity of the operators and authors of ShellClient resulted in the identification of a new Iranian threat actor dubbed MalKamak that has operated since at least 2018 and remained publicly unknown thus far.” reads the analysis published by Cybereason. “In addition, our research points out possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT (APT39) and Agrius APT. However, we assess that MalKamak has distinct features that separate it from the other Iranian groups. “

The experts first discovered the ShellClient RAT during an investigation into an incident in July. The analysis of the malware employed in the recent Operation GhostShell (version 4.0.1) revealed it was compiled on May 22, 2021.Cybereason Nocturnus and Incident Response Teams analyzed the malware and observed that it ran on infected machines disguised as “RuntimeBroker.exe,” a legitimate process that helps with permission management for apps from Microsoft Store.

The first version of the RAT is dated back 2018, it was a simple standalone reverse shell, across the years the malware evolved and its authors implemented new functionalities, such as code obfuscation improvements, the use of Costura packer, and new persistence methods.

According to the experts, the PDB path embedded in some of the ShellClient samples suggests that the RAT is part of a restricted or classified project that could be related to military or intelligence agency operations.

“The most recent ShellClient versions observed in Operation GhostShell follow the trend of abusing cloud-based storage services, in this case the popular Dropbox service. The ShellClient authors chose to abandon their previous C2 domain and replace the command and control mechanism of the malware with a more simple yet more stealthy C2 channel using Dropbox to exfiltrate the stolen data as well as to send commands to the malware. This trend has been increasingly adopted by many threat actors due to its simplicity and the ability to effectively blend in with legitimate network traffic.” concludes the report which also includes indicators of compromise for all versions and samples of ShellClient.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Operation GhostShell)

[adrotate banner=”5″]

[adrotate banner=”13″]