Researchers have uncovered a previously undocumented remote access trojan (RAT) used in a highly targeted espionage campaign. The RAT, dubbed ShellClient, was developed at least three years ago, but the continuous addition of new anti-detection capabilities allowed it to fly under the radar until July.
ShellClient was first discovered in an espionage attack targeting aerospace and telecommunications companies in the Middle East, U.S., Russia and Europe. The cyberattack, which researchers with Cybereason dubbed Operation GhostShell, used the RAT to steal sensitive data about critical assets and to gather information about victims’ infrastructure and technology, according to Assaf Dahan, senior director and threat research lead at Cybereason.
“We are aware of 10 victims… It’s not a widespread campaign,” said Dahan. “It’s an operation with carefully handpicked targets. They really tried to minimize the exposure of this malware.”
Researchers first uncovered the campaign in July after being called to investigate an intrusion. After launching various containment procedures, researchers noticed that the main attack tool was previously unidentified. There’s currently no conclusive evidence pointing to how victims were initially targeted in the attacks, said Dahan.
Researchers believe that the RAT is at least three years old due to its earliest known variant being compiled in November 2018. Since then, over the course of at least five ensuing versions of the malware, ShellClient has morphed from a simple reverse shell to a sophisticated RAT, armed with capabilities to circumvent discovery by security tools.
“Back in 2018, it was a very primitive reverse shell, then two weeks later there was a new version coming out, and then another one,” said Dahan. “Once we started going after those malware versions, we saw how the threat actor has become more stealthy and sophisticated.”
A recent version of the malware from August revealed some of the biggest jumps in sophistication for ShellClient. In this version, the authors abandoned the command-and-control (C2) domain used by older iterations and instead use Dropbox as the primary mechanism to exfiltrate stolen data and send commands to the malware. The abuse of cloud services such as Dropbox, as well as Gmail, Google Drive or Office 365, is a popular method among attackers such as the KashmirBlack botnet developers, because it allows the malicious activity to blend in with legitimate network traffic.
The latest version of the malware also enhanced code obfuscation by using a packer built on Costura, a legitimate open-source tool used to protect the code of certain products.
Once downloaded, ShellClient employs a broad array of espionage functionalities allowing for reconnaissance and data collection, including arbitrary command execution, lateral movement and file manipulation. In addition, the RAT has the ability to perform credential dumping by deploying an executable called lsa.exe. Researchers said they were unable to retrieve this executable; however, they speculated that it may be a variation of the SafetyKatz post-exploitation tool, because both tools create a dump file called debug.bin.
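The two behaviours above, Dropbox used as the C2 and exfiltration channel, and a credential-dumping component that leaves a file named debug.bin, are the kind of signals a defender can hunt for in endpoint telemetry. The following is an added example written for this article, not Cybereason's code or anything recovered from ShellClient: it runs two simple heuristics over constructed sample events and reports hosts where both signals co-occur. The event field names, the allow-list of processes expected to talk to Dropbox, and the Dropbox API hostnames in the sample data are assumptions made for illustration; the article itself only states that the RAT uses Dropbox for C2 and that lsa.exe drops debug.bin.

```python
"""Hunting heuristics for the ShellClient behaviours described in the article.

Added example (not the researchers' code). The telemetry schema below and the
process allow-list are assumptions; adapt them to the EDR or proxy logs you have.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    host: str                 # endpoint that produced the event
    process: str              # image name of the acting process
    dest_host: str = ""       # remote hostname, for network events
    file_created: str = ""    # full path, for file-creation events


# Constructed sample telemetry for the demonstration; none of these are real IoCs.
SAMPLE_EVENTS: List[Event] = [
    Event("ws-01", "chrome.exe", dest_host="api.dropboxapi.com"),
    Event("ws-01", "svchost.exe", dest_host="content.dropboxapi.com"),
    Event("ws-02", "lsa.exe", file_created=r"C:\Users\Public\debug.bin"),
    Event("ws-02", "lsa.exe", dest_host="api.dropboxapi.com"),
    Event("ws-03", "Dropbox.exe", dest_host="api.dropboxapi.com"),
    Event("ws-03", "notepad.exe", file_created=r"C:\Temp\notes.txt"),
]

# Domains treated as "Dropbox" (assumed; extend with whatever your proxy logs show).
DROPBOX_DOMAINS = ("dropbox.com", "dropboxapi.com")

# Processes that legitimately talk to Dropbox in this hypothetical environment.
# An allow-list like this is what turns "Dropbox traffic" into a useful signal,
# since cloud C2 blends in precisely because the destination itself is benign.
DROPBOX_ALLOWED = {"dropbox.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def is_dropbox(hostname: str) -> bool:
    """True if hostname is one of the Dropbox domains or a subdomain of one."""
    h = hostname.lower()
    return any(h == d or h.endswith("." + d) for d in DROPBOX_DOMAINS)


def find_unexpected_dropbox_clients(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(host, process, destination) for Dropbox connections from unlisted processes."""
    hits = []
    for e in events:
        if e.dest_host and is_dropbox(e.dest_host) and e.process.lower() not in DROPBOX_ALLOWED:
            hits.append((e.host, e.process, e.dest_host))
    return hits


def find_debug_bin_drops(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(host, process, path) for creation of a file whose name is debug.bin."""
    hits = []
    for e in events:
        if not e.file_created:
            continue
        # Normalise separators so the check works on Windows or POSIX style paths.
        basename = e.file_created.replace("/", "\\").rsplit("\\", 1)[-1]
        if basename.lower() == "debug.bin":
            hits.append((e.host, e.process, e.file_created))
    return hits


def hosts_with_both_signals(events: List[Event]) -> List[str]:
    """Hosts showing both an unexpected Dropbox client and a debug.bin drop.

    Either signal alone is noisy; their co-occurrence on one host is the lead
    worth triaging first.
    """
    dropbox_hosts = {h for h, _, _ in find_unexpected_dropbox_clients(events)}
    dump_hosts = {h for h, _, _ in find_debug_bin_drops(events)}
    return sorted(dropbox_hosts & dump_hosts)


if __name__ == "__main__":
    for hit in find_unexpected_dropbox_clients(SAMPLE_EVENTS):
        print("dropbox from unexpected process:", hit)
    for hit in find_debug_bin_drops(SAMPLE_EVENTS):
        print("debug.bin created:", hit)
    print("hosts to triage first:", hosts_with_both_signals(SAMPLE_EVENTS))
```

On the sample data the script flags svchost.exe and lsa.exe as unexpected Dropbox clients, flags the debug.bin write on ws-02, and names ws-02 as the only host where both signals meet. The allow-list is the part that needs tuning per environment; a filename match on its own will also catch unrelated debug output, which is why the example combines it with the network signal rather than alerting on it alone.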
The malware appears to remain under active development, as indicated by several command functions that appear to do nothing and are never referenced elsewhere in the code, said researchers.
The attacks involving ShellClient were launched by a newly discovered threat group, which researchers dubbed MalKamak - a name derived from Kamak, an ancient Persian mythological creature known for spreading chaos. Researchers noted possible similarities in TTPs between MalKamak and various Iranian threat groups, including the Chafer APT group.
“While some possible connections to known Iranian threat actors were observed, our conclusion is that MalKamak is a new and distinct activity group, with unique characteristics that distinguish it from the other known Iranian threat actors,” said researchers.