The accusation is serious: an Iranian hacker group, possibly backed by the Tehran government, is targeting global companies in the aerospace and telecommunications sectors, using a new, highly sophisticated and previously unknown Trojan. The alarm was raised by Cybereason, an American computer security company founded in Boston in 2012 with offices around the world. The report released by the company identifies the new Iranian hacker group, nicknamed MalKamak, which is believed to have been operating since 2018 while remaining in the shadows.
Cybereason researchers observed that the threat, still active globally, relies on a highly sophisticated and previously undiscovered remote access Trojan, dubbed ShellClient, which evades antivirus tools and other security products and abuses the Dropbox public cloud service for command and control.
Entitled “Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms,” the report identified attacks on companies in the Middle East, the United States, Europe and Russia. The investigation reveals possible connections with several Iranian state-sponsored hacker groups, including Chafer and Agrius. The publication of this report follows that of the DeadRinger report, also compiled by Cybereason researchers, which featured the discovery of multiple Chinese APT campaigns targeting telecommunications companies.
The most important findings contained in the report on Operation GhostShell include: the discovery of a new group of hackers, in fact a genuine Iranian state-sponsored “plan of action” called MalKamak, never documented until now; and the discovery of ShellClient, a sophisticated Remote Access Trojan that had never been observed before and is used for highly targeted cyber espionage operations.
The threat is aimed at aerospace and telecommunications companies. The attacks have been observed predominantly in the Middle East region, but also extend to the United States, Russia and Europe. Development of this attack appears to have been ongoing since 2018: the ShellClient RAT was first made operational in 2018 and has been in continuous development ever since. Each new version added more features and stealth, and the attacks continued until at least September 2021. The Iranian group abuses cloud services: the most recent versions of ShellClient were found to abuse cloud storage services for command and control, in this case the popular Dropbox service, in order to go unnoticed by blending in with normal network traffic.
The malware is purpose-built for stealth: ShellClient's authors have put a lot of effort into evading detection by antivirus and other security tools. The attack uses multiple cloaking techniques and, by using a Dropbox client for command and control, makes detection very difficult.
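As an added example (not from the article or from Cybereason's report), the following defender-side hunt illustrates the cloud-storage command-and-control pattern described above, running over constructed endpoint telemetry; the Dropbox host names, process image names and sample events are assumptions for the illustration:

```python
# Added example: hunt for cloud-storage C2 in constructed endpoint telemetry.
# Two defender heuristics follow from the article:
#  1. a process other than the legitimate Dropbox client contacting Dropbox API hosts
#  2. a near-constant interval ("beaconing") between those requests
from collections import defaultdict
from statistics import mean, pstdev

DROPBOX_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
EXPECTED_PROCESSES = {"dropbox.exe"}  # assumption: image name of the legitimate client

# Constructed sample telemetry: (epoch seconds, host, process image, destination host)
SAMPLE_EVENTS = [
    (1000, "ws01", "dropbox.exe", "api.dropboxapi.com"),      # legitimate client
    (1007, "ws01", "dropbox.exe", "content.dropboxapi.com"),
    (1200, "ws02", "svchost.exe", "api.dropboxapi.com"),      # unexpected process,
    (1500, "ws02", "svchost.exe", "api.dropboxapi.com"),      # fixed 300 s cadence
    (1800, "ws02", "svchost.exe", "api.dropboxapi.com"),
    (2100, "ws02", "svchost.exe", "api.dropboxapi.com"),
    (1300, "ws03", "chrome.exe", "api.dropboxapi.com"),       # one browser visit: benign
]


def find_suspicious(events, min_requests=3, max_jitter_ratio=0.2):
    """Return {(host, process): mean_interval_seconds} for processes other than the
    expected client that contact Dropbox API hosts at a regular cadence."""
    by_key = defaultdict(list)
    for ts, host, proc, dest in events:
        if dest in DROPBOX_HOSTS and proc.lower() not in EXPECTED_PROCESSES:
            by_key[(host, proc)].append(ts)
    findings = {}
    for key, times in by_key.items():
        if len(times) < min_requests:      # too few requests to judge cadence
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Low spread relative to the mean interval indicates beacon-like traffic;
        # a browser's ad-hoc visits to Dropbox do not show this regularity.
        if pstdev(gaps) <= max_jitter_ratio * mean(gaps):
            findings[key] = mean(gaps)
    return findings


if __name__ == "__main__":
    for (host, proc), interval in find_suspicious(SAMPLE_EVENTS).items():
        print(f"{host}: {proc} beacons to Dropbox every ~{interval:.0f}s")
```

Real telemetry would come from EDR network events or a proxy log; the threshold values are starting points to be tuned against the baseline of legitimate Dropbox use in the environment.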
Cybereason researchers also found possible connections with Iranian APTs: the investigation draws interesting connections with several Iranian state-sponsored threat actors, including the Chafer and Agrius APTs. Using the ShellClient RAT, the group behind this threat has also deployed additional attack tools to carry out various spying activities on the networks in its sights, including further reconnaissance, lateral movement and the collection and exfiltration of sensitive data. According to the researchers, Operation GhostShell is run by a state-sponsored hacker group, and therefore falls into the Advanced Persistent Threat category.