Operation GhostShell Believed to be Linked to Iranian Threat Actor
Researchers have discovered a previously unknown advanced threat actor, probably of Iranian origin, using a previously undocumented RAT targeting largely aerospace and telecommunications organizations. They have named the group MalKamak, and the campaign Operation GhostShell.
Cybereason first detected the threat actor engaged in cyber espionage with the unknown remote access trojan – which it called ShellClient – in July 2021. Initial investigation found the same group targeting aerospace and telecommunications companies in the Middle East. Further investigation found the group also targeting the same sectors in the U.S., Russia, and Europe.
In an analysis report of its investigation, Cybereason has determined that MalKamak has been operating undiscovered since at least 2018. During that period, the ShellClient RAT has evolved from a simple standalone reverse shell to a stealthy modular espionage tool.
The MalKamak group is believed to be of Iranian origin. Although the researchers could find nothing to associate the group with any known APT, they did discover some links to the Iranian Chafer threat actor (also known as APT39, ITG07 and Remix Kitten). They also noticed similarities in coding style and naming conventions with another Iranian group, Agrius, that is primarily known for attacking Israeli organizations and companies.
Assaf Dahan, head of threat research at Cybereason, suggested that a previous member of Chafer or Agrius could now be involved with MalKamak, or perhaps all three groups have employed the same ‘freelancer’ at some stage. However, he told SecurityWeek that no inferences could be drawn from the absence of China from the list of targets.
“We detected nothing to suggest any Chinese involvement,” he said. Other researchers using different telemetry might subsequently find that Chinese organizations have also been targeted. For now, Cybereason is confident, based primarily on code analysis, that MalKamak is an Iranian group.
The ShellClient RAT is designed for stealth, including the more recent use of Dropbox to host its C2 operations. The use of public cloud services is a growing trend with cybercriminals, allowing C2 communication to blend in with legitimate traffic from such sites. ShellClient uses cold files stored on Dropbox, and replaced as required by the attacker, rather than the more usual interactive C2 sessions.
“To communicate with Dropbox,” say the researchers, “ShellClient uses Dropbox’s API with a unique embedded API key. Before communicating, it encrypts the data using a hardcoded AES encryption key.” This approach is effective and resilient. C2 communication is less likely to be detected by victim systems, while discovery simply requires the Dropbox folders to be rebuilt elsewhere on the service.
The Dropbox storage contains three folders: an agents folder to store uploaded information from victim machines; a commands folder that stores the commands to be fetched, executed, and then deleted by ShellClient; and a results folder that stores the output of the commands executed by ShellClient. The commands folder is checked by ShellClient every two seconds. Commands are downloaded, parsed, and readied for execution – and then deleted from Dropbox.
The ShellClient RAT, now at version 4, is a modular PE using Costura to compress each of the modules using zlib, and containing numerous evasion techniques. For example, the executable stores most of its strings, including configuration strings, as bytes, and then converts them in real-time to Unicode/ASCII to evade antivirus strings detection.
It achieves persistence and privilege escalation to run with SYSTEM privileges on victim machines by creating the nhdService disguised as Network Hosts Detection Service. MalKamak was also observed using an unknown executable named lsa.exe for credential dumping. Although Cybereason was unable to obtain a copy of this executable, it speculates that it may be a variation of SafetyKatz. This is largely based on the name of the dump file created by the tool (debug.bin), which is the same as that created by SafetyKatz, which has previously been tied to Iranian threat actors.
Important files for exfiltration are first compressed with WinRar before being exported to the Dropbox C2 folders.
The current version of ShellClient has evolved from the first detected version that was compiled on November 06, 2018. This version lacks the features and sophistication found in later versions, and is effectively a rather simple reverse shell. The second version emerged after just three weeks, now including a new service persistence method disguised as a Windows Defender Update service.
By December 2018, version 2.1 adds a variety of new capabilities including FTP and Telnet clients, AES encryption, self-update capabilities and more.
Version 3.1 appeared in January 2019 with mostly minor changes. “The main difference,” say the researchers, “is the removal of the ‘Server’ component from the executable, as well as new code obfuscation and an upgraded commands menu.”
Version 4.0 appeared in August 2021, with multiple improvements and new capabilities including code obfuscation and code protection using Costura; and abandoning the C2 domain and switching to Dropbox for C2. The latest version contains several command functions that seem to do nothing and have no reference in the code. Despite its rapid evolution over the last few years, it seems as if the developers still have future plans for the malware.
Our current assessment, say the Cybereason researchers, is that Operation GhostShell is perpetrated by a newly discovered Iranian activity group called MalKamak using “a sophisticated new Remote Access Trojan (RAT) dubbed ShellClient that was used in highly targeted attacks against a select few Aerospace and Telecommunications companies mainly in the Middle East, with other victims located in the U.S., Russia and Europe.”