[BreachExchange] Iran-linked MalKamak Hackers Targeting Aerospace, Telcos With ShellClient RAT

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Oct 7 14:10:01 EDT 2021


https://www.securityweek.com/iran-linked-malkamak-hackers-targeting-aerospace-telcos-shellclient-rat

Operation GhostShell Believed to be Linked to Iranian Threat Actor

Researchers have discovered a previously unknown advanced threat actor,
probably of Iranian origin, using a previously undocumented RAT targeting
largely aerospace and telecommunications organizations. They have named the
group MalKamak, and the campaign Operation GhostShell.

Cybereason first detected the threat actor engaged in cyber espionage with
the unknown remote access trojan – which it called ShellClient – in July
2021. Initial investigation found the same group targeting aerospace and
telecommunications companies in the Middle East. Further investigation
found the group also targeting the same sectors in the U.S., Russia, and
Europe.

In an analysis report of its investigation, Cybereason has determined that
MalKamak has been operating undiscovered since at least 2018. During that
period, the ShellClient RAT has evolved from a simple standalone reverse
shell to a stealthy modular espionage tool.

The MalKamak group is believed to be of Iranian origin. Although the
researchers could find nothing to associate the group with any known APT,
they did discover some links to the Iranian Chafer threat actor (also known
as APT39, ITG07 and Remix Kitten). They also noticed similarities in coding
style and naming conventions with another Iranian group, Agrius, that is
primarily known for attacking Israeli organizations and companies.


Assaf Dahan, head of threat research at Cybereason, suggested that a
previous member of Chafer or Agrius could now be involved with MalKamak, or
perhaps all three groups have employed the same ‘freelancer’ at some stage.
However, he told SecurityWeek that no inferences could be drawn from the
absence of China from the list of targets.

“We detected nothing to suggest any Chinese involvement,” he said. Other
researchers using different telemetry might subsequently find that Chinese
organizations have also been targeted. For now, Cybereason is confident,
based primarily on code analysis, that MalKamak is an Iranian group.

The ShellClient RAT is designed for stealth, including the more recent use
of Dropbox to host its C2 operations. The use of public cloud services is a
growing trend among attackers, because C2 traffic to such services blends
in with legitimate traffic to the same sites. Rather than the more usual
interactive C2 session, ShellClient works as a dead drop: it reads "cold"
files stored on Dropbox, which the attacker replaces as required.

“To communicate with Dropbox,” say the researchers, “ShellClient uses
Dropbox’s API with a unique embedded API key. Before communicating, it
encrypts the data using a hardcoded AES encryption key.” This approach is
effective and resilient: C2 traffic is less likely to be flagged on victim
networks, and if the folders are discovered the attacker need only recreate
them elsewhere on the service. The flip side, for defenders, is that both
the API key and the AES key are embedded in the binary, so a recovered
sample yields the means to decrypt captured data and identifies the Dropbox
account in use.

The Dropbox storage contains three folders: an agents folder to store
uploaded information from victim machines; a commands folder that stores
the commands to be fetched, executed, and then deleted by ShellClient; and
a results folder that stores the output of the commands executed by
ShellClient. The commands folder is checked by ShellClient every two
seconds. Commands are downloaded, parsed, and readied for execution – and
then deleted from Dropbox.
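The fixed two-second polling described above is itself a detection
opportunity. The following is an added example, not code from the article
or from Cybereason's report: it looks for a host/process pair that reaches
a Dropbox API hostname at a short, near-constant interval. The log lines,
hostnames, process names and timings are constructed for the example; the
article does not say which Dropbox API endpoints ShellClient calls, so the
paths below are ordinary Dropbox API v2 paths used only as sample data.

```python
"""Added example (not from the article or Cybereason): flag processes that
poll a Dropbox API host at a short, regular cadence, from proxy/EDR-style
network logs.  All sample data below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<timestamp> <host> <process> <dest_host> <method> <path>"
# ws01/suspect.exe polls every 2 s (a constructed stand-in for an implant);
# ws02/Dropbox.exe is an ordinary sync client with irregular traffic.
SAMPLE_LOG = """\
2021-08-02T09:00:00 ws01 suspect.exe api.dropboxapi.com POST /2/files/list_folder
2021-08-02T09:00:02 ws01 suspect.exe api.dropboxapi.com POST /2/files/list_folder
2021-08-02T09:00:04 ws01 suspect.exe api.dropboxapi.com POST /2/files/list_folder
2021-08-02T09:00:06 ws01 suspect.exe api.dropboxapi.com POST /2/files/list_folder
2021-08-02T09:00:08 ws01 suspect.exe api.dropboxapi.com POST /2/files/list_folder
2021-08-02T09:00:08 ws01 suspect.exe content.dropboxapi.com POST /2/files/download
2021-08-02T09:00:08 ws01 suspect.exe api.dropboxapi.com POST /2/files/delete_v2
2021-08-02T09:00:10 ws01 suspect.exe api.dropboxapi.com POST /2/files/list_folder
2021-08-02T09:00:12 ws01 suspect.exe api.dropboxapi.com POST /2/files/list_folder
2021-08-02T09:00:14 ws01 suspect.exe api.dropboxapi.com POST /2/files/list_folder
2021-08-02T09:00:01 ws02 Dropbox.exe api.dropboxapi.com POST /2/files/list_folder
2021-08-02T09:03:12 ws02 Dropbox.exe content.dropboxapi.com POST /2/files/upload
2021-08-02T09:07:33 ws02 Dropbox.exe api.dropboxapi.com POST /2/files/list_folder
2021-08-02T09:15:04 ws02 Dropbox.exe content.dropboxapi.com POST /2/files/download
2021-08-02T09:16:40 ws02 Dropbox.exe api.dropboxapi.com POST /2/files/list_folder
2021-08-02T09:02:20 ws03 chrome.exe www.dropbox.com GET /home
"""


def parse_line(line):
    """Split one constructed log line into its six fields."""
    ts, host, proc, dest, method, path = line.split()
    return datetime.fromisoformat(ts), host, proc, dest, method, path


def find_periodic_pollers(log_text, min_hits=5, max_mean=10.0, max_cv=0.25,
                          suffix="dropboxapi.com"):
    """Return [(host, process, mean_interval_s, polls)] for every host/process
    that contacts a *.dropboxapi.com host at least `min_hits` distinct seconds,
    with a mean gap of at most `max_mean` seconds and a coefficient of
    variation (stdev / mean) of at most `max_cv`.  Traffic to other hosts
    (e.g. www.dropbox.com in a browser) is ignored."""
    series = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, _method, _path = parse_line(line)
        if dest.endswith(suffix):
            # Several API calls in the same second count as one poll cycle.
            series[(host, proc)].add(ts)

    findings = []
    for (host, proc), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        ordered = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if avg <= max_mean and cv <= max_cv:
            findings.append((host, proc, round(avg, 2), len(ordered)))
    return findings


if __name__ == "__main__":
    for host, proc, avg, n in find_periodic_pollers(SAMPLE_LOG):
        print(f"{host}: {proc} polled Dropbox API every ~{avg}s ({n} cycles)")
```

Dropbox API traffic is TLS, so at the network layer the observable is the
hostname (DNS or TLS SNI) plus the cadence; the process attribution assumed
here needs an EDR or an agent-backed proxy. The thresholds are starting
points: a sync client or a browser tab will not hold a two-second cadence
with near-zero jitter for minutes at a time, but any legitimate agent that
does should be allow-listed by process rather than by hostname.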

The ShellClient RAT, now at version 4, is a modular PE that uses Costura to
embed its modules as zlib-compressed resources, and it contains numerous
evasion techniques. For example, the executable stores most of its strings,
including configuration strings, as byte arrays and converts them to
Unicode/ASCII only at run time, so that static string-based antivirus
signatures do not match.

It achieves persistence, and runs with SYSTEM privileges on victim
machines, by installing a Windows service named nhdService with the display
name Network Hosts Detection Service (installing a service already requires
administrative rights; what the service buys the implant is a SYSTEM
context that survives reboots). MalKamak was also observed using an unknown
executable named lsa.exe for credential dumping. Although Cybereason was
unable to obtain a copy of this executable, it speculates that it may be a
variation of SafetyKatz, largely because the dump file the tool creates
(debug.bin) has the same name as the one SafetyKatz writes; SafetyKatz has
previously been tied to Iranian threat actors.
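Both of these observations translate into hunting logic. What follows is an
added example, not code from the article or from Cybereason: three checks
over constructed Windows event records of the kinds a defender would have
(System log 7045 service installs, Security 4688 process creations, Sysmon
11 file creations). The records, hostnames and file paths are constructed;
the service name, display names, lsa.exe and debug.bin come from the
article, while the image path of the service binary and the location of the
dump file are assumptions for the example.

```python
"""Added example (not from the article or Cybereason): hunt for a
benign-sounding SYSTEM service, a lookalike of a protected Windows binary,
and a known dump-file name, over constructed Windows event records."""

# Constructed records.  Paths are assumptions; the names come from the article.
EVENTS = [
    {"id": 7045, "host": "ws01", "service": "nhdService",
     "display": "Network Hosts Detection Service",
     "image": "C:\\Users\\Public\\svc\\nhd.exe", "account": "LocalSystem"},
    {"id": 7045, "host": "ws02", "service": "Spooler", "display": "Print Spooler",
     "image": "C:\\Windows\\System32\\spoolsv.exe", "account": "LocalSystem"},
    {"id": 4688, "host": "ws01", "image": "C:\\Users\\Public\\lsa.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 4688, "host": "ws02", "image": "C:\\Windows\\System32\\lsass.exe",
     "parent": "C:\\Windows\\System32\\wininit.exe"},
    {"id": 11, "host": "ws01", "image": "C:\\Users\\Public\\lsa.exe",
     "target": "C:\\Windows\\Temp\\debug.bin"},
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SERVICE_NAME_WATCHLIST = {"nhdservice"}
DISPLAY_NAME_WATCHLIST = ("network hosts detection", "windows defender update")
PROTECTED_BINARIES = ("lsass.exe", "svchost.exe", "csrss.exe", "wininit.exe",
                      "services.exe", "winlogon.exe")
SYSTEM32 = "c:\\windows\\system32\\"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.lower().rsplit("\\", 1)[0] + "\\"


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_services(events):
    """7045 installs whose name is on a watchlist, whose display name mimics a
    known service, or that run as SYSTEM from outside the trusted directories.
    Returns [(host, service_name, [reasons])]."""
    out = []
    for e in events:
        if e["id"] != 7045:
            continue
        reasons = []
        if e["service"].lower() in SERVICE_NAME_WATCHLIST:
            reasons.append("service name on watchlist")
        if any(k in e["display"].lower() for k in DISPLAY_NAME_WATCHLIST):
            reasons.append("display name mimics a known service")
        if e["account"] == "LocalSystem" and not e["image"].lower().startswith(TRUSTED_DIRS):
            reasons.append("SYSTEM service binary outside trusted directories")
        if reasons:
            out.append((e["host"], e["service"], reasons))
    return out


def lookalike_processes(events, max_dist=2):
    """4688 process creations whose image name is within `max_dist` edits of a
    protected Windows binary (lsa.exe ~ lsass.exe), or that carry the exact
    protected name from outside System32.  Returns [(host, image, mimicked)]."""
    out = []
    for e in events:
        if e["id"] != 4688:
            continue
        name = basename(e["image"])
        if name in PROTECTED_BINARIES:
            if dirname(e["image"]) != SYSTEM32:
                out.append((e["host"], e["image"], name))
            continue
        for legit in PROTECTED_BINARIES:
            if levenshtein(name, legit) <= max_dist:
                out.append((e["host"], e["image"], legit))
                break
    return out


def dump_file_writes(events, names=("debug.bin",)):
    """Sysmon 11 file creations of a known credential-dump file name."""
    return [(e["host"], e["image"], e["target"])
            for e in events if e["id"] == 11 and basename(e["target"]) in names]


if __name__ == "__main__":
    print(suspicious_services(EVENTS))
    print(lookalike_processes(EVENTS))
    print(dump_file_writes(EVENTS))
```

The edit-distance check is deliberately loose: a two-edit threshold against a
short list of protected names catches lsa.exe without flagging ordinary
third-party binaries, but the hit should be corroborated by the parent
process and the file-write check rather than acted on alone. The
display-name list is seeded only with the two names the article gives.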


Files selected for exfiltration are first compressed with WinRAR before
being uploaded to the Dropbox C2 folders.

The current version of ShellClient has evolved from the first detected
version, compiled on November 06, 2018. That first version lacks the
features and sophistication of later versions and is effectively a simple
reverse shell. The second version emerged just three weeks later, adding a
service persistence method disguised as a Windows Defender Update service.

By December 2018, version 2.1 had added a variety of new capabilities,
including FTP and Telnet clients, AES encryption, self-update and more.

Version 3.1 appeared in January 2019 with mostly minor changes. “The main
difference,” say the researchers, “is the removal of the ‘Server’ component
from the executable, as well as new code obfuscation and an upgraded
commands menu.”

Version 4.0 appeared in August 2021 with multiple improvements and new
capabilities, including code obfuscation and code protection using Costura,
and the abandonment of the C2 domain in favour of Dropbox. The latest
version also contains several command functions that appear to do nothing
and are referenced nowhere in the code; despite its rapid evolution over
the last few years, the developers evidently still have plans for the
malware.

Our current assessment, say the Cybereason researchers, is that Operation
GhostShell is perpetrated by a newly discovered Iranian activity group
called MalKamak using “a sophisticated new Remote Access Trojan (RAT)
dubbed ShellClient that was used in highly targeted attacks against a
select few Aerospace and Telecommunications companies mainly in the Middle
East, with other victims located in the U.S., Russia and Europe.”