According to a recently published blog by Cybereason Nocturnus, researchers for the security firm have discovered a cyber espionage campaign making use of previously undiscovered malware. Researchers have, further, attributed the new espionage campaign to an also previously undisclosed threat group they have codenamed MalKamak. The group is currently targeting organizations in the aerospace and telecoms sectors.
Researchers have called the current campaign Operation GhostShell. The primary aim of the cyber espionage campaign is compromising the networks of companies in the aerospace and telecoms industries to steal sensitive information about assets, infrastructure, and technology.
The targets, which haven't been disclosed, are predominantly in the Middle East, but with additional victims in the United States, Europe, and Russia. Researchers believe the threat group has handpicked victims to better adhere to their operational parameters and to remain undetected.
The previously undiscovered malware, named ShellClient by researchers, takes the form of a Remote Access Trojan (RAT). This type of malware is designed to create a backdoor onto a machine that allows the attacker to act on the system with administrator privileges.
Once administrator control is granted the attacker has almost unfettered control over the system or network. For cyber espionage campaigns, malware such as ShellClient is highly prized but it must be able to operate undetected for extended periods. This is something ShellClient excels at.
In one instance ShellClient wasn’t discovered for three years. For the malware to avoid detection by antivirus software and other security tools is that it receives regular updates. Another tactic is used to avoid detection is by implementing a Dropbox client.
The use of the client is done to act as the command-and-control infrastructure for the campaign and as many organizations make use of services like Dropbox any traffic between the organization and the service would not seem out of place. Commenting further on this novel technique researchers said,
“The C2 communications this malware implements are quite unique, as they rely on “cold files” being saved to a remote Dropbox, instead of a common interactive session. This method of communication is an interesting Operational Security (OPSEC) solution, making it difficult to trace the threat actor’s infrastructure by utilizing a public service such as Dropbox. To communicate with Dropbox, ShellClient uses Dropbox’s API with a unique embedded API key. Before communicating, it encrypts the data using a hardcoded AES encryption key.”
Based on the researchers’ analysis the Dropbox storage container used by the attackers has three folders in it. The first, labeled Agents Folder, stores information relating to the infected machines. The second, Command Folder, contains the commands to be fetched, executed and then deleted by ShellClient.
Lastly, the Results Folder, stores the output of commands executed by ShellClient. ShellClient communicates with the Dropbox API every two seconds and allows the victim’s machine to check the commands folder, retrieves files that represent commands, parses their content, then deletes them from the remote folder and enables them for execution.
The earliest version of ShellClient appears to have gone live towards the end of November 2018. Since then, researchers have discovered four versions of the RAT. This implies that the threat group has spent three years honing the malware's features that have effectively evolved the malware from a simple standalone shell to the stealthy RAT encountered today.
In each new iteration of the malware, the authors added new features and capabilities, attempting to use various exfiltration protocols and methods, such as using an FTP client and a Dropbox account to hide in plain sight. In addition, from version 4.0.0 and up, the authors made significant design and architecture changes like introducing modular design.
The earliest variant discovered by researchers was compiled on November 06, 2018, and was purposefully named svchost.exe to allow it to masquerade as a legitimate Windows binary and is merely a simple reverse shell as alluded to above. Version 1 emerged some three weeks after the first and included both a client and server and maintained persistence by disguising itself as a Windows Defender Update service.
December, that year, saw the release of Version 2 which added several new features including FTP and Telnet clients, AES encryption, and self-update capabilities. Version 3 had minor changes in comparison to what had been developed to this point. The biggest changes were reserved for version 4. Researchers noted,
“Perhaps one of the biggest advancements in the ShellClient evolution came with version V4.0.0 and continued with its successor V4.0.1, in which the malware authors implemented many changes and improvements, adding new capabilities, enhancing code obfuscation and code protection using Costura packer, as well as abandoning the C2 domain that was active since 2018...The traditional C2 communications were replaced with a Dropbox built-in client, abusing the popular online platform to send commands to ShellClient as well as storing the stolen data exfiltrated to a designated Dropbox account. This ultimately makes it harder to detect since the network traffic would appear legitimate to security analysts as well as most security solutions.”
Given that many of the campaign’s victims were based in the Middle East and victim profiling and tactics were similar to those by other Iranian APT groups, it led researchers to explore the possibility that this campaign was linked to Iranian state-sponsored activity. However, several traits suggested the threat actors behind Operation GhostShell were a previously undiscovered APT group. Researchers named this new APT group MalKamak.
While the group is unique in many of its tactics and techniques it does share some similarities with other Iranian APT groups. With APT39, sometimes referred to as Chafer, MalKamak shares similar credential dumping and persistence mechanisms. With the relatively new Agrius APT who have developed a reputation for targeting Israeli organizations, MalKamak shares similarities in both coding style and conventions. Other similarities between the two include similar kill mechanisms and data encryption.
Researchers also found the possibility of an infrastructure connection between MalKamak and Agrius. IP address resolutions of the domain used by ShellClient azure. ms-tech[.]us and a domain used by IPsec Helper (the malware strain favored by Agrius) whynooneistherefornoneofthem[.]com. Both of these domains have been resolved to both of the IP addresses 126.96.36.199 and 188.8.131.52.
Researchers determined that it functions as a sinkhole. DNS sinkholes are used by threat actors to redirect traffic to malicious destinations. Further examination by researchers of other domains that were resolved to these IP addresses in the past revealed a significant number of malicious domains that were used by Iranian APTs in the past.
Researchers concluded that,
“The investigation into Operation GhostShell also revealed that ShellClient dates back to at least 2018, and has been continuously evolving ever since while successfully evading most security tools and remaining completely unknown. By studying the ShellClient development cycles, the researchers were able to observe how ShellClient has morphed over time from a rather simple reverse shell to a sophisticated RAT used to facilitate cyber espionage operations while remaining undetected…The most recent ShellClient versions observed in Operation GhostShell follow the trend of abusing cloud-based storage services, in this case the popular Dropbox service. The ShellClient authors chose to abandon their previous C2 domain and replace the command and control mechanism of the malware with a more simple yet more stealthy C2 channel using Dropbox to exfiltrate the stolen data as well as to send commands to the malware. This trend has been increasingly adopted by many threat actors due to its simplicity and the ability to effectively blend in with legitimate network traffic.”