Cybereason: Remote access Trojan targeted telecoms and aerospace


The Cybereason Nocturnus and Incident Response teams identified a sophisticated and previously undocumented remote access Trojan (RAT), dubbed ShellClient, employed for extremely targeted cyber espionage operations against major international aerospace and telecommunications organizations across the U.S., Middle East, Europe, and Russia.

These attacks were perpetrated by a newly discovered Iranian state-sponsored threat group, dubbed MalKamak, that has been operating under the radar since at least 2018.

This operation has been ongoing for years, with its malware evolving year after year while effectively evading most security tools. The authors of ShellClient invested a lot of effort into making it stealthy enough to evade detection by antivirus and other security tools, leveraging several obfuscation methods and recently implementing a Dropbox client for command and control (C2), which makes it extremely difficult to detect. By studying the ShellClient development cycles, Cybereason researchers were able to observe how ShellClient morphed over time from a relatively simple reverse shell into a sophisticated RAT used to facilitate cyber espionage operations.

The most recent ShellClient versions observed in Operation GhostShell follow the trend of abusing cloud-based storage services, in this case the popular Dropbox service. The ShellClient authors used Dropbox to exfiltrate the stolen data and to send commands to the malware. Threat actors have increasingly adopted this tactic because of its simplicity and its ability to blend in effectively with legitimate network traffic. Ultimately, this discovery tells researchers a lot about the techniques that sophisticated attackers are using to defeat security solutions.
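Because Dropbox traffic looks legitimate on the wire, one detection angle is to ask which process on each host is talking to Dropbox rather than whether the host is. The following is an added example, not taken from the Cybereason report: the log format, the allowlist of expected client paths, the domain suffixes chosen and every event (including the `updater.exe` path) are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Domain suffixes treated as Dropbox traffic (assumption; extend as needed).
DROPBOX_SUFFIXES = ("dropbox.com", "dropboxapi.com")

# Full image paths expected to talk to Dropbox (assumption; build from your
# own software inventory). Full paths are used because a file name alone is
# trivially imitated.
EXPECTED_CLIENTS = {
    r"c:\program files (x86)\dropbox\client\dropbox.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}

# Constructed endpoint network events: time,host,process image,domain,bytes_out
SAMPLE_EVENTS = r"""
2021-10-01T09:00:00,WS-01,C:\Program Files (x86)\Dropbox\Client\Dropbox.exe,api.dropboxapi.com,1200
2021-10-01T09:00:05,WS-02,C:\Program Files\Google\Chrome\Application\chrome.exe,www.dropbox.com,800
2021-10-01T09:01:00,SRV-07,C:\Users\Public\updater.exe,api.dropboxapi.com,300
2021-10-01T09:03:00,SRV-07,C:\Users\Public\updater.exe,content.dropboxapi.com,52000
2021-10-01T09:05:00,SRV-07,C:\Users\Public\updater.exe,api.dropboxapi.com,310
2021-10-01T09:06:00,WS-01,C:\Windows\System32\svchost.exe,ctldl.windowsupdate.com,100
"""


def is_dropbox(domain):
    """True if the domain is a Dropbox suffix or a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DROPBOX_SUFFIXES)


def unexpected_dropbox_clients(log_text):
    """Summarise Dropbox connections made by processes outside the allowlist."""
    stats = defaultdict(lambda: {"connections": 0, "bytes_out": 0})
    for _ts, host, image, domain, bytes_out in csv.reader(io.StringIO(log_text.strip())):
        if not is_dropbox(domain) or image.lower() in EXPECTED_CLIENTS:
            continue
        stats[(host, image)]["connections"] += 1
        stats[(host, image)]["bytes_out"] += int(bytes_out)
    return dict(stats)


if __name__ == "__main__":
    for (host, image), s in unexpected_dropbox_clients(SAMPLE_EVENTS).items():
        print(f"{host}: {image} -> {s['connections']} connections, {s['bytes_out']} bytes out")
```

A hit from this check is a lead to triage, not a verdict: backup agents, sync tools and scripts also use the Dropbox API and belong in the allowlist once verified.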

Read the complete report by Cybereason.

Originally appeared on: TheSpuzz