Iranian hackers attack aerospace and telecom companies
The criminals used ShellClient spyware during the campaign.
Cybersecurity experts from Cybereason Nocturnus have reported a malicious cyber-espionage campaign that has been running since at least 2018. The criminals used ShellClient, a Remote Access Trojan (RAT) malware, during the campaign.
Researchers have linked ShellClient to a cybercriminal group dubbed MalKamak, which used malware to conduct intelligence operations and steal sensitive data from targets in the Middle East, the United States, Russia and Europe.
ShellClient RAT came to the attention of cyber security experts in July during the analysis of a cyber-espionage operation called Operation GhostShell. According to experts, the malware runs on infected devices under the guise of a legitimate RuntimeBroker.exe process, which helps to manage permissions for applications from the Microsoft Store. The ShellClient variant used for Operation GhostShell shows a compile date of May 22, 2021 and is version 4.0.1.
The researchers found that the modification of the malware began at least in November 2018 “from a simple self-contained reverse shell to a hidden modular espionage tool.” With each of the six detected iterations, the malware developers increased its functionality and switched between several protocols and methods of data theft (for example, FTP client, Dropbox account).
- The earliest version, developed in November 2018, is less complex and acts like a simple reverse shell;
- V1, compiled in November 2018, has both client and server functionality, adds a new persistence method masquerading as Windows Defender Update.
- V2.1 was compiled in December 2018 and added FTP and Telnet clients, AES encryption, and a self-updating feature.
- V3.1, compiled in January 2019, received minor changes and lost the server-side;
- V4.0.0, compiled in August 2021, has significant changes such as improved code obfuscation and protection with the Costura wrapper, removal of the C&C server domain used since 2018, and the addition of Dropbox client.
The experts concluded that the malware is operated by an allegedly Iranian group, as indicated by the coincidence of code styles, naming conventions and methods with other Iranian groups, in particular, Chafer (APT39) and Agrius.
Catch up on more articles here
Follow us on Twitter here