A new report reveals a cyber-espionage campaign by Iranian hackers targeting aerospace and telecommunications companies in the Middle East. The goal is to steal sensitive information about assets, infrastructure and technology while remaining unidentified and evading security tools, in part by routing command-and-control traffic through the Dropbox API.
The Boston, Massachusetts-based cybersecurity company that uncovered the campaign named it ‘Operation GhostShell’. It pointed to a previously undocumented and evasive remote access Trojan, dubbed ‘ShellClient’, as the attackers’ primary espionage tool. The attacks were first identified in July 2021 and targeted a small set of hand-picked victims.
The researchers describe ShellClient as under continuous development since 2018. Over that period it went through several iterations that added new functions while keeping the malware undetected by antivirus tools.
Tracing the malware’s origins, the researchers found the earliest ShellClient sample dates back to November 2018. It started as a standalone reverse shell and has evolved into a sophisticated backdoor, showing how the tool has matured over the years. The attackers also deployed a previously unknown executable, “lsa.exe”, to perform credential dumping.
A closer investigation of the attacks’ attribution led to the discovery of a new Iranian threat actor, dubbed MalKamak. The researchers believe this actor has connections to other Iranian state-sponsored APT groups such as Chafer APT and Agrius APT. Agrius was previously found posing as a ransomware operator to disguise the origin of a series of data-wiping intrusions against Israeli entities.
Beyond surveillance and exfiltration of sensitive data, ShellClient is built as a modular portable executable that can also fingerprint the compromised host.
It also abuses cloud storage services, specifically Dropbox, to stay off the radar: its command-and-control traffic blends in with the legitimate traffic leaving the compromised system.
The researchers also revealed that the Dropbox account used for command and control contains three folders: one holding information about each compromised machine, one holding commands for the ShellClient RAT to execute, and one holding the results of those commands. Every two seconds the implant checks the commands folder, fetches the files that represent commands, parses their contents, deletes them from the remote folder and then executes them.
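The polling loop described above leaves a network-side signature a defender can look for: a host that queries the Dropbox folder listing at a fixed, machine-paced cadence, interspersed with occasional downloads (commands) and uploads (results). The following Python script is an added example, not code from the report or from the company that published it. It scores hosts in a proxy log on that cadence using the median inter-request gap and the median absolute deviation around it. The log format, IP addresses, thresholds and sample lines are constructed for illustration; the endpoint paths are the real Dropbox API v2 endpoints (/2/files/list_folder on api.dropboxapi.com, /2/files/download and /2/files/upload on content.dropboxapi.com), but which of them ShellClient actually calls is an assumption, since the report only says the implant polls a commands folder every two seconds.

```python
"""Flag hosts whose Dropbox API traffic looks like command polling (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Real Dropbox API v2 hosts and paths. Which of these ShellClient calls is an
# assumption; the report only says it polls a commands folder every 2 s.
API_HOST = "api.dropboxapi.com"
CONTENT_HOST = "content.dropboxapi.com"
POLL_PATH = "/2/files/list_folder"
TRANSFER_PATHS = {"/2/files/download", "/2/files/upload"}

# Detection thresholds (illustrative; tune to your own environment).
MIN_POLLS = 10        # enough samples to judge a cadence
MAX_MEDIAN_S = 5.0    # machine-paced polling; the article's implant uses 2 s
MAX_JITTER = 0.25     # MAD / median; sync clients and humans are far burstier


def constructed_log():
    """Constructed proxy log lines (not real telemetry): 'timestamp src dest method path'.

    10.1.4.22 behaves like the article's implant: list_folder roughly every 2 s,
    then one command download and one result upload.
    10.1.4.35 behaves like a normal Dropbox client with irregular gaps.
    """
    t0 = datetime(2021, 7, 12, 9, 0, 0)
    lines = []
    t = t0
    jitter = [0.0, 0.1, -0.1, 0.05, 0.0]
    for i in range(30):
        lines.append(f"{t.isoformat()} 10.1.4.22 {API_HOST} POST {POLL_PATH}")
        t += timedelta(seconds=2 + jitter[i % len(jitter)])
        if i == 12:
            lines.append(f"{t.isoformat()} 10.1.4.22 {CONTENT_HOST} POST /2/files/download")
        if i == 13:
            lines.append(f"{t.isoformat()} 10.1.4.22 {CONTENT_HOST} POST /2/files/upload")
    t = t0
    for gap in (0.5, 45, 3, 120, 600, 2, 7, 300, 1, 90, 15, 240):
        lines.append(f"{t.isoformat()} 10.1.4.35 {API_HOST} POST {POLL_PATH}")
        t += timedelta(seconds=gap)
    return lines


def parse(lines):
    """Split log records into (timestamp, src, dest, method, path) tuples."""
    out = []
    for line in lines:
        ts, src, dest, method, path = line.split()
        out.append((datetime.fromisoformat(ts), src, dest, method, path))
    return out


def find_polling_hosts(lines):
    """Return findings for hosts whose list_folder cadence is tight and regular."""
    polls = defaultdict(list)
    transfers = defaultdict(int)
    for ts, src, dest, _method, path in parse(lines):
        if dest == API_HOST and path == POLL_PATH:
            polls[src].append(ts)
        elif dest == CONTENT_HOST and path in TRANSFER_PATHS:
            transfers[src] += 1

    findings = []
    for src, stamps in polls.items():
        if len(stamps) < MIN_POLLS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        # Median absolute deviation: robust to the odd long gap (sleep, network hiccup).
        mad = statistics.median(abs(g - median) for g in gaps)
        jitter = mad / median if median > 0 else float("inf")
        if median <= MAX_MEDIAN_S and jitter <= MAX_JITTER:
            findings.append({
                "src": src,
                "polls": len(stamps),
                "median_gap_s": median,
                "jitter": jitter,
                "transfers": transfers[src],  # command fetches + result uploads
            })
    return findings


if __name__ == "__main__":
    for f in find_polling_hosts(constructed_log()):
        print(f"{f['src']}: {f['polls']} polls, median gap {f['median_gap_s']:.2f}s, "
              f"jitter {f['jitter']:.2f}, {f['transfers']} transfers")
```

Run against the constructed log, only 10.1.4.22 is flagged: its median gap is 2 s with almost no jitter, while the sync client's gaps are too irregular to score. Legitimate Dropbox desktop clients also call list_folder, so treat the output as a triage lead rather than a verdict, and expect an implant with randomised sleep to need a wider jitter threshold.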
This tradecraft resembles that of another threat actor, IndigoZebra, whose malware was also found to rely on the Dropbox API, retrieving its commands from a dedicated sub-folder before executing them.
The findings follow the disclosure of another new threat actor, “ChamelGang”, identified as being behind a series of attacks on fuel, energy and aviation production companies in the U.S., India, Nepal, Taiwan, Russia and Japan, aimed at stealing data from compromised networks.