New Iranian threat actor MalKamak used newly discovered malware that abuses Dropbox services for command and control
BOSTON, October 6, 2021 / PRNewswire-PRWeb / – Cybereason, the leader in operations-centric attack protection, today released a new threat intelligence report that unmasks a highly targeted cyber espionage operation aimed at global aerospace and telecommunications companies. The report identifies a recently discovered Iranian threat actor behind the attacks, dubbed MalKamak, which has been operating since at least 2018 and had remained unknown until today. Additionally, the still-active campaign relies on a highly sophisticated and previously unknown Remote Access Trojan (RAT) nicknamed ShellClient, which evades antivirus tools and other security products and abuses the Dropbox public cloud service for command and control (C2).
The report, entitled Operation GhostShell: New RAT Targets Global Aerospace and Telecommunications Companies, details the stealthy attacks against companies in the Middle East, the United States, Europe and Russia. The investigation reveals possible links with several Iranian state-sponsored threat actors, including Chafer APT (APT39) and Agrius APT. This report follows the August publication of the DeadRinger report, in which Cybereason also uncovered several Chinese APT campaigns targeting telecom providers.
Key findings of the Operation GhostShell report include:
New Iranian Threat Actor MalKamak: A newly discovered Iranian threat actor that has been operating since at least 2018 and had remained unknown until now. The investigation establishes possible links with other Iranian state-sponsored threat actors, including Chafer APT (APT39) and Agrius APT.
New ShellClient RAT Discovered: The Cybereason Nocturnus team discovered a sophisticated and previously undocumented RAT (Remote Access Trojan) dubbed ShellClient, used for highly targeted cyber espionage operations.
Targets aerospace and telecom companies: Based on telemetry, this threat was mainly observed in the Middle East region, but it has also been observed targeting organizations in the United States, Russia and Europe, with an emphasis on the aerospace and telecommunications industries.
Ongoing development since 2018: The investigation revealed that this threat was first operationalized in 2018 and has been under active development since then, with each new release adding more features and stealth. This threat was still active as of September 2021.
Abuse of cloud services for C2: Newer versions of ShellClient have been observed abusing cloud-based storage services for Command and Control (C2), in this case the popular Dropbox service, so that its C2 traffic blends in with legitimate network traffic and goes undetected.
Designed for stealth: The authors of ShellClient have put a lot of effort into making it stealthy to escape detection by antivirus and other security tools by taking advantage of several obfuscation techniques and recently implementing a Dropbox client for command and control (C2), which makes it very difficult to detect.
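The Dropbox-based C2 described in the findings above is hard to spot by destination alone, because the destination is a legitimate service. One defensive angle is to ask which process on which host is talking to the Dropbox API and how regularly. The script below is an added example, not code from Cybereason or from the GhostShell report: it runs a simple beaconing heuristic over constructed proxy log lines, treating requests to Dropbox API hosts from a process other than the official Dropbox client at near-constant intervals as worth a closer look. The API host names, the expected-client list and the log format are assumptions made for this example.

```python
"""Flag possible cloud-storage C2 beaconing in constructed proxy logs.

Added example (not Cybereason's detection logic). Heuristic: a host whose
requests to the Dropbox API come from a process that is not the official
Dropbox client, at near-constant intervals, is a candidate for triage.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Dropbox HTTP API host names (assumption for this example).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Processes expected to legitimately talk to the Dropbox API (assumption).
EXPECTED_CLIENTS = {"Dropbox.exe"}

# Constructed proxy log lines: timestamp|src_host|process|dest_host|bytes_out
SAMPLE_LOG = """\
2021-09-01T10:00:00|WS-017|Dropbox.exe|api.dropboxapi.com|512
2021-09-01T10:00:03|WS-017|Dropbox.exe|content.dropboxapi.com|20480
2021-09-01T10:00:10|WS-042|svchost.exe|api.dropboxapi.com|310
2021-09-01T10:05:10|WS-042|svchost.exe|api.dropboxapi.com|305
2021-09-01T10:10:11|WS-042|svchost.exe|api.dropboxapi.com|311
2021-09-01T10:15:10|WS-042|svchost.exe|api.dropboxapi.com|308
2021-09-01T10:20:10|WS-042|svchost.exe|api.dropboxapi.com|307
2021-09-01T10:03:00|WS-099|chrome.exe|www.dropbox.com|1400
2021-09-01T10:41:00|WS-099|chrome.exe|www.dropbox.com|2100
"""


def parse_log(text):
    """Parse the pipe-delimited constructed log into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, host, proc, dest, nbytes = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "proc": proc,
            "dest": dest,
            "bytes": int(nbytes),
        })
    return records


def beacon_score(timestamps):
    """Return (mean_interval_s, coefficient_of_variation) for 3+ events.

    A low coefficient of variation means the gaps between requests are
    nearly identical, which is typical of a sleep-loop beacon and atypical
    of a human driving a browser or a sync client reacting to file changes.
    """
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_suspicious(records, min_events=4, max_cv=0.2):
    """Group Dropbox API requests by (host, process) and flag regular beacons."""
    groups = defaultdict(list)
    for r in records:
        if r["dest"] in DROPBOX_API_HOSTS and r["proc"] not in EXPECTED_CLIENTS:
            groups[(r["host"], r["proc"])].append(r["ts"])
    findings = []
    for (host, proc), stamps in groups.items():
        if len(stamps) < min_events:
            continue
        score = beacon_score(stamps)
        if score is not None and score[1] <= max_cv:
            findings.append({
                "host": host,
                "process": proc,
                "events": len(stamps),
                "mean_interval_s": round(score[0]),
                "cv": round(score[1], 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f)
```

On the constructed sample only WS-042 is flagged: its svchost.exe process contacts the API every five minutes with almost no jitter, while WS-017's official client and WS-099's browser traffic are both left alone. In a real environment the thresholds and the expected-client list need tuning, and the finding is a triage lead rather than a verdict.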
Using the ShellClient RAT, the threat actor also deployed additional attack tools to perform various espionage activities on targeted networks, including further reconnaissance, lateral movement within the environment, and the collection and exfiltration of sensitive data. Operation GhostShell is assessed to have been executed by a state-sponsored threat actor, or Advanced Persistent Threat (APT).
“The Operation GhostShell report revealed a complex RAT capable of evading detection as early as 2018, and the recent DeadRinger report also uncovered an equally elusive threat as early as 2017, which tells us a lot about how advanced attackers continuously beat security solutions,” said Cybereason CEO and co-founder Lior Div. “Layering tools to produce even more alerts that overwhelm defenders doesn’t help us stop sophisticated attacks, which is why Cybereason takes an operations-centric approach that detects against very subtle chains of behavior where the opponent’s own actions work against him to reveal the attack in the early stages.”
The full report can be downloaded here: https://www.cybereason.com/ghostshell
Cybereason is the champion of today’s cyber defenders, delivering operations-centric attack protection that unifies security from the endpoint to the enterprise, wherever the battle is fought. The Cybereason Defense Platform combines AI-powered detection and response (EDR and XDR), Next Generation Antivirus (NGAV), ransomware protection, and proactive threat hunting to deliver rich, contextual analysis of each step of a MalOp™ (malicious operation). Cybereason is a privately held international company headquartered in Boston with customers in over 50 countries.
Senior Director, Global Public Relations
Bill Keeler, Cybereason, 929 259-3261, [email protected]
SOURCE Cybereason