Recent investigations have revealed a sophisticated cyber espionage campaign specifically targeting the aerospace and telecommunications sectors in the Middle East. This operation aims to compromise sensitive information relating to critical assets, corporate infrastructures, and advanced technologies while eluding detection by existing security measures.

Boston-based cybersecurity firm Cybereason has named the campaign “Operation Ghostshell.” Its primary tool is a stealthy, previously undocumented remote access trojan (RAT) called ShellClient, which serves as the main vehicle for the data theft. Cybereason first observed incidents tied to the campaign in July 2021, in what it describes as highly targeted attacks.

According to researchers Tom Fakterman, Daniel Frank, Chen Erlich, and Assaf Dahan, the ShellClient RAT has been under continuous development since at least 2018. Each iteration added new features while the malware stayed off the radar of antivirus products and out of public reporting. The team’s findings are laid out in an in-depth analysis published on Cybereason’s site.

The investigation shows that the threat started out in November 2018 as a standalone reverse shell and has since grown into a more complex backdoor, with the authors steadily adding capabilities. Alongside ShellClient, the attackers also deploy a separate, unidentified executable named “lsa.exe” to dump credentials from compromised systems.

Attribution efforts point to a newly identified Iranian threat actor, dubbed MalKamak. Active since at least 2018, the group has remained elusive while showing signs of ties to established Iranian state-sponsored advanced persistent threat (APT) actors such as Chafer APT (also known as APT39) and Agrius APT, the latter of which has previously disguised its operations as ransomware attacks.

ShellClient is not just a data exfiltration tool; it is also built for reconnaissance and can perform extensive system fingerprinting and registry operations. One notable trait is its use of the Dropbox cloud storage service for command-and-control (C2) communications. Because the traffic goes to a legitimate service over HTTPS, it blends in with ordinary network activity and is far less likely to trip domain-reputation or signature-based controls.

The Dropbox account holds three distinct folders: one with information on infected machines, one with commands for the ShellClient RAT, and one with the results of executing those commands. Every two seconds the compromised machine polls the commands folder, fetches any command file, parses its contents, deletes the file from the remote folder, and then executes the command, leaving little behind on the server side. This approach mirrors tactics previously seen from other threat actors, such as the group tracked as IndigoZebra, which also used Dropbox for the same purpose. For defenders, the practical consequence is that detection has to rest on behaviour, notably a host calling the Dropbox API at a tight, fixed cadence, rather than on the destination itself.
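The following is an added example, not code from Cybereason’s report or from the malware itself, showing how the fixed two-second polling described above can be surfaced from web-proxy logs. The log format is hypothetical (timestamp, source IP, host, method, path, status), the log lines are constructed, and the Dropbox API v2 paths (`/2/files/list_folder`, `/2/files/download`, `/2/files/delete_v2`, `/2/files/upload`) are assumed for illustration; the page does not state which endpoints ShellClient calls. The detector groups Dropbox API requests by source host, measures the interval between successive folder listings, and flags hosts whose polling period is short and nearly jitter-free, additionally noting whether the same host also performed the fetch, delete and upload steps of the loop.

```python
"""Flag ShellClient-style fixed-interval Dropbox polling in proxy logs.

Added example with constructed data; not Cybereason's detection logic.
Log format (hypothetical): <iso8601> <src_ip> <host> <method> <path> <status>
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: 10.20.1.57 lists a folder every ~2 s and performs the
# download/delete/upload round trip; 10.20.1.88 is a human using Dropbox.
SAMPLE_LOG = """\
2021-07-14T09:00:00.120Z 10.20.1.57 api.dropboxapi.com POST /2/files/list_folder 200
2021-07-14T09:00:01.004Z 10.20.1.88 api.dropboxapi.com POST /2/files/list_folder 200
2021-07-14T09:00:01.500Z 10.20.1.57 www.microsoft.com GET /en-us/ 200
2021-07-14T09:00:02.131Z 10.20.1.57 api.dropboxapi.com POST /2/files/list_folder 200
2021-07-14T09:00:04.118Z 10.20.1.57 api.dropboxapi.com POST /2/files/list_folder 200
2021-07-14T09:00:06.140Z 10.20.1.57 api.dropboxapi.com POST /2/files/list_folder 200
2021-07-14T09:00:08.125Z 10.20.1.57 api.dropboxapi.com POST /2/files/list_folder 200
2021-07-14T09:00:10.133Z 10.20.1.57 api.dropboxapi.com POST /2/files/list_folder 200
2021-07-14T09:00:10.140Z 10.20.1.57 content.dropboxapi.com POST /2/files/download 200
2021-07-14T09:00:10.160Z 10.20.1.57 api.dropboxapi.com POST /2/files/delete_v2 200
2021-07-14T09:00:10.900Z 10.20.1.57 content.dropboxapi.com POST /2/files/upload 200
2021-07-14T09:00:12.121Z 10.20.1.57 api.dropboxapi.com POST /2/files/list_folder 200
2021-07-14T09:00:14.139Z 10.20.1.57 api.dropboxapi.com POST /2/files/list_folder 200
2021-07-14T09:03:40.221Z 10.20.1.88 api.dropboxapi.com POST /2/files/list_folder 200
2021-07-14T09:15:12.007Z 10.20.1.88 content.dropboxapi.com POST /2/files/upload 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)
LOOP_PATHS = {"/2/files/download", "/2/files/delete_v2", "/2/files/upload"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def find_dropbox_beacons(lines, min_polls=6, max_period=5.0, max_jitter=0.25):
    """Return findings for sources that poll a Dropbox folder at a fixed, short cadence.

    period  = median gap between successive list_folder calls (seconds)
    jitter  = largest deviation from that median, relative to the median
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"].endswith("dropboxapi.com"):
            by_src[rec["src"]].append(rec)

    findings = []
    for src, recs in by_src.items():
        polls = sorted(r["ts"] for r in recs if r["path"] == "/2/files/list_folder")
        if len(polls) < min_polls:
            continue  # too few listings to call it a beacon
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if period <= max_period and jitter <= max_jitter:
            paths = {r["path"] for r in recs}
            findings.append({
                "src": src,
                "polls": len(polls),
                "period_s": round(period, 2),
                "jitter": round(jitter, 3),
                # did this host also fetch, delete and upload, i.e. run the full loop?
                "fetch_delete_upload": LOOP_PATHS <= paths,
            })
    return findings


if __name__ == "__main__":
    for finding in find_dropbox_beacons(SAMPLE_LOG.splitlines()):
        print(finding)
```

The thresholds are deliberately loose: a two-second loop with millisecond jitter is an extreme case, and the same logic catches slower but equally regular polling if `max_period` is raised. In production the grouping key should also include the user or process where the proxy records it, and the `fetch_delete_upload` flag is best treated as a confidence booster rather than a requirement, since a dormant implant may only ever list the folder.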

The findings come shortly after the disclosure of another advanced persistent threat, ChamelGang, which has been linked to a series of attacks on critical sectors, including fuel and energy, across several countries. Together, the two cases underline how much effort state-aligned adversaries now put into stealthy tradecraft to reach their objectives.
