The Cybereason Nocturnus and Incident Response Teams recently responded to Operation GhostShell, a highly targeted cyber espionage campaign that attacks aerospace and telecommunications industries in the Middle East, with additional victims in the U.S., Russia and Europe. 

The campaign aims to steal sensitive information about critical assets, organizations’ infrastructure and technology, researchers say. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT (Remote Access Trojan) dubbed ShellClient, employed as the primary espionage tool. 

The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities. The RAT has managed to evade antivirus tools, remaining undetected and publicly unknown.

During assessments of the operators and authors of ShellClient, researchers identified a new Iranian threat actor dubbed MalKamak that has operated since at least 2018 and remained publicly unknown thus far. In addition, researchers found possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT (APT39) and Agrius APT. Researchers also assess that MalKamak has distinct features that separate it from the other Iranian groups. 

Archie Agarwal, Founder and CEO at ThreatModeler, a Jersey City, N.J.-based automated threat modeling provider, says, “The sophistication of this previously unknown remote access trojan, coupled with the obfuscation techniques and command & control channel via well known online services to blend in with normal network traffic, demonstrates a level of expertise usually reserved for state-supported operators.”

Agarwal says, “The fact that critical industrial niches were targeted in specific geographic regions such as aerospace and telecoms reinforces this assumption. As the report suggests, similarities with previously known Iranian operational activities have lent credence to the suspicion this is of Iranian origin, however, attribution is difficult in a world full of false flag operations.”

The most recent ShellClient versions were observed to be abusing cloud-based storage services for Command and Control (C2), in this case, the popular Dropbox service, to remain undetected by blending in with legitimate network traffic. Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based AI cybersecurity company, explains, “Sidestepping whether or not DropBox was an authorized cloud storage service in the target organizations, this may serve as another example of risks presented by shadow IT generally as cloud services continue to provide covert communication or exfiltration channels for adversaries. Absent advanced detection capabilities, it can be very difficult from the standpoint of a defender to determine if the communication is malicious or benign. For this reason, good IT hygiene and visibility are themselves an often underutilized form of risk reduction.”

The Aerospace and Telecommunications sectors are likely to be of high importance to the Iranian state, with APT39 previously attributed to several attacks against similar targets within the Middle East, explains Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions. “Obtaining sensitive information related to these sectors from regional adversaries could provide Iran with a strategic advantage, which was likely the overall goal of the GhostShell campaign.”

Dropbox is often a target for threat actors primarily, Morgan says, due to the popularity of the system and the potential value of stored data. “Dropbox does offer some significant security features — including strong encryption and use of 2-factor authentication — but ultimately, those options are not mandated to users. As a result, poorly secured accounts can often find the service being targeted by malicious actors,” he adds. “In this particular campaign, Dropbox was abused to host a command and control (C2) client. This is not a ground-breaking technique, and DropBox — as well as other popular cloud service providers like Microsoft — have been used to host malicious services. The DropBoxC2 tool encrypts traffic, which makes the network traffic appear legitimate to security solutions, and also being unlikely to raise any red flags with analysts searching through network logs.”