Threat researchers investigating malware used to target companies in the aerospace and telecommunications sectors have discovered a new threat actor that has been conducting cyber espionage campaigns since at least 2018. The malware, named ShellClient, is a Remote Access Trojan (RAT) built with an emphasis on staying hidden and on "highly targeted cyber espionage operations".
Researchers attributed ShellClient to MalKamak, a previously unknown threat actor that used it for reconnaissance operations and to steal sensitive data from targets in the Middle East, the USA, Russia and Europe.
Stealthy RAT active since 2018
The ShellClient RAT came onto threat investigators' radar in July, during an incident investigation that uncovered the cyber espionage activity now referred to as Operation GhostShell.
Cybereason's Nocturnus and Incident Response teams analyzed the malware and found that it ran on infected machines disguised as "RuntimeBroker.exe", a legitimate Windows process that helps manage licenses for applications from the Microsoft Store.
The ShellClient variant used in Operation GhostShell has a collection date of 22 May 2021 and is referred to as version 4.0.1.
The researchers found that its evolution began at least in November 2018, "from a simple standalone reverse shell to a covert espionage tool."
With each of the six iterations discovered, the malware gained functionality and switched between several protocols and methods for data exfiltration (e.g. an FTP client, a Dropbox account):
- The oldest variant, written in November 2018 - less advanced, works as a simple reverse shell
- The V1 variant, developed in November 2018 - has both client and server functions and adds a new persistence method, disguised as a Windows Defender update service
- Version V2.1, developed in December 2018 - adds FTP and Telnet clients, AES encryption and an auto-update function
- Version V3.1, developed in January 2019 - minor modifications; removes the server component
- Version V4.0.0, developed in August 2021 - marks significant changes, such as better obfuscation and code protection through the Costura package, the abandonment of the C2 domain used since 2018, and the addition of a Dropbox client
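Two of the details above are directly actionable for defenders: ShellClient masquerades as "RuntimeBroker.exe", and the V1 variant persists as a fake Windows Defender update service. The following hunt script is an added example written for this article, not code from Cybereason or from the malware; it assumes (as heuristics, not facts from the report) that the genuine RuntimeBroker.exe lives in %SystemRoot%\System32 and that genuine Defender service binaries sit under the directories listed in `$defenderRoots`.

```powershell
# Added defender-side hunt; not code from the Cybereason report or from ShellClient.
# Assumptions (heuristics, not facts from the article): the genuine RuntimeBroker.exe
# lives in %SystemRoot%\System32, and genuine Defender services run from $defenderRoots.
# Run in an elevated PowerShell session so all process paths are readable.
$legitBroker   = Join-Path $env:SystemRoot 'System32\RuntimeBroker.exe'
$defenderRoots = @(
    (Join-Path $env:ProgramData  'Microsoft\Windows Defender'),
    (Join-Path $env:ProgramFiles 'Windows Defender'),
    (Join-Path $env:SystemRoot   'System32')
)

function Get-SuspiciousRuntimeBroker {
    # Flag RuntimeBroker.exe processes running from the wrong path or lacking a valid Microsoft signature.
    Get-CimInstance Win32_Process -Filter "Name = 'RuntimeBroker.exe'" | ForEach-Object {
        $path    = $_.ExecutablePath
        $reasons = @()
        if (-not $path) {
            $reasons += 'executable path unavailable (protected or exited process)'
        } else {
            if ($path -ne $legitBroker) { $reasons += "unexpected path: $path" }
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += "signature status: $($sig.Status)"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ ProcessId = $_.ProcessId; Path = $path; Reasons = ($reasons -join '; ') }
        }
    }
}

function Get-SuspiciousDefenderService {
    # Flag services whose name claims to be Windows Defender but whose binary lives outside the known roots.
    Get-CimInstance Win32_Service | Where-Object {
        ($_.DisplayName -match 'Defender' -or $_.Name -match 'Defender') -and $_.PathName
    } | ForEach-Object {
        # Strip surrounding quotes and trailing arguments to get the bare executable path.
        $exe = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '\.exe\s.*$', '.exe'
        $inKnownRoot = $defenderRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
        if (-not $inKnownRoot) {
            [pscustomobject]@{ Service = $_.Name; DisplayName = $_.DisplayName; Path = $exe }
        }
    }
}

Get-SuspiciousRuntimeBroker   | Format-Table -AutoSize
Get-SuspiciousDefenderService | Format-Table -AutoSize
```

Any hit is a lead to triage, not a verdict: confirm with the file hash, its signer chain and the parent process before acting on it.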
In its investigation, Cybereason looked for details linking ShellClient to a known adversary, but concluded that the malware was operated by a new group, which it named MalKamak, that may be linked to Iranian hackers, as indicated by overlaps in code style and techniques.
Researchers say the MalKamak group focuses on high-value cyber espionage operations, a theory backed by the low number of samples discovered since 2018.
In addition, the debug file path present in some ShellClient samples suggests that the malware is part of a classified military or intelligence project.
Cybereason's report provides an overview of MalKamak: how it operates, its capabilities, its infrastructure, and the types of victims it targets.
Source of information: bleepingcomputer.com