Security researchers have uncovered cyberespionage operations by an Iran-based hacker group targeting aerospace and telecom firms with a previously undocumented stealthy Trojan program that's been in use since 2018. Security firm Cybereason has dubbed the campaign Operation GhostShell and said it targeted primarily companies in the Middle East, but also in the US, Europe and Russia. The goal of the attacks is the theft of information about the victims' infrastructure, technology and critical assets.
While the researchers believe this cyberespionage group, called MalKamak, is new and distinct from previously documented groups, there is evidence pointing to possible connections to known Iranian government-sponsored groups such as Chafer APT (APT39) and Agrius APT.
The ShellClient RAT
The group's main malware tool is a remote access Trojan (RAT) called ShellClient that has been in development and likely active use since 2018, as different versions with functionality improvements have been identified. "The authors of ShellClient invested a lot of effort into making it stealthy to evade detection by antivirus and other security tools by leveraging multiple obfuscation techniques and recently implementing a Dropbox client for command and control (C2), making it very hard to detect," the researchers said.
The Trojan is created with an open-source tool called Costura that enables the creation of self-contained compressed executables with no external dependencies. This might also contribute to the program's stealthiness and to why it hasn't been discovered and documented until now after three years of operation. Another possible reason is that the group only used it against a small and carefully selected pool of targets, even if across geographies.
ShellClient has three deployment modes controlled by execution arguments. One installs it as a system service called nhdService (Network Hosts Detection Service) using the InstallUtil.exe Windows tool. Another execution argument uses the Service Control Manager (SCM) to create a reverse shell that communicates with a configured Dropbox account. A third execution argument only executes the malware as a regular process. This seems to be reserved for cases where attackers only want to gather information about the system first, including which antivirus programs are installed, and establish if it's worth deploying the malware in persistence mode.
The Trojan uses Dropbox for command-and-control to evade network-level detection. All the data sent to the Dropbox account is encrypted with a hard-coded AES encryption key to add a layer of further traffic obfuscation. The way the malware receives commands is passive. Attackers create files in a particular folder on the Dropbox account that the malware checks every few seconds. These files correspond to certain commands and where they are detected, the malware deletes the files, executes the command, and uploads the output as a file in a different folder. Each file contains a unique ID identifying the victim.
ShellClient implements multiple functionalities and commands including file and directory operations, opening CMD and PowerShell shells, executing shell commands, starting TCP, FTP and Telnet clients, downloading and executing files on the machine and performing various lateral movement actions through the Windows Management Instrumentation (WMI) toolset.
Lateral movement and Iranian APT connections
The Cybereason researchers observed the attackers use popular tools like PAExec (a version of PsExec) and â€œnet use" to execute files on remote systems. They also saw credential dumping from the lsass.exe process with a tool dubbed lsa.exe that they suspect is a version of SafetyKatz -- an open-source variant of Mimikatz that has been used by other Iranian APT groups in the past. A standalone version of WinRAR was also used to archive files before exfiltration.
The first ShellClient version that Cybereason's Nocturnus team identified was compiled in August and included a version string of 4.0. This suggested there might be older versions out there and indeed, several older versions dating back to November 2018 were later found. These had different sets of functionalities, suggesting constant development and improvement over time.
The use of the Costura packer and the use of Dropbox for command-and-control was only added in the latest version, which also saw other significant architectural changes. However, some of the code structure, routines and techniques used in previous versions are similar to those seen in malware from other Iranian APT groups.
"The Nocturnus team compared our observations with previous campaigns that were attributed to known Iranian threat actors and were able to point out some interesting similarities between ShellClient and previously reported Iranian malware and threat actors," the researchers said. "However, at this point, our estimation is that this operation was carried out by a separate activity group, dubbed MalKamak, which has its own distinct characteristics that distinguish it from the other groups."