A previously unknown advanced persistent threat group, likely backed by the Iranian government, has been quietly waging a sophisticated cyber-espionage campaign against aerospace and telecommunications companies since at least 2018.
The campaign has primarily targeted businesses in the Middle East and, more recently, the United States, Russia and Europe. Cybereason security researchers who tracked the campaign dubbed it Operation GhostShell and attributed it to a new threat group they call MalKamak. Some of the newly discovered threat actor’s malicious code and tactics suggest at least a passing connection to other known Iranian-backed threat groups, such as APT39, aka Chafer, and Agrius APT.
In a new report, the security vendor describes MalKamak’s campaign as designed to steal sensitive information about infrastructure, technology and other critical assets from targeted organizations. Cybereason says it has so far identified at least 10 aerospace and telecommunications organizations that have been affected.
The reason MalKamak has been able to operate undetected since 2018 is the sparing and strategic way in which it has used its main weapon, a remote access Trojan (RAT) called ShellClient, says Assaf Dahan, Principal and Head of Threat Research at Cybereason. The group’s use of sophisticated code obfuscation techniques and its recent switch to Dropbox for command and control (C2) communications also played a role in keeping MalKamak’s activities from being detected earlier, Dahan said.
“There are very few samples of ShellClient found in the wild – we’re talking less than seven to eight samples in three years of activity,” he says. “This fact shows how careful operators have been to not burn their malware [and] how they used it to target specific organizations.” In addition, the malware authors implemented a kill function that instructs ShellClient to kill itself if its operators believe that its operation might be compromised.
“Obfuscating the code and moving away from their old C2 server infrastructure and moving to Dropbox as C2 also helped them fly under the radar for so long,” he says.
APT activity from Iran, backed by the nation-state, has intensified in recent years. Many campaigns began by focusing on organizations and entities in the Middle East or in countries of strategic importance to the Iranian government. Often, as with MalKamak, APT groups have ended up targeting organizations in the United States and other countries.
Cyber espionage has been the main motive for Iranian hacking activities in many cases. Last September, the US government indicted three Iranian nationals for their alleged role in a conspiracy to, among other things, steal intellectual property and other sensitive data from US aerospace and satellite tracking companies. On other occasions, Iranian threat groups – like groups from other countries – have run campaigns against users for different purposes.
One of APT39’s missions, for example, has been to monitor dissidents and people of interest to the Iranian government, while Agrius APT was observed this year deploying data-wiping malware and ransomware on systems belonging to targeted organizations.
“The Iranians, like any other nation with considerable computing capabilities, can engage in cyber warfare for a myriad of reasons and motivations,” Dahan said. “There have been earlier reports of attacks of a more destructive nature, while other attacks appeared to focus more on cyber espionage [and] some groups have engaged in both.”
MalKamak uses ShellClient to perform reconnaissance on target networks and to collect information about infected users and hosts. The group has also used the malware to execute arbitrary commands, escalate privileges, download additional tools and malware, and steal data. For example, Cybereason says it observed the threat actor using ShellClient to download the PAExec utility and use it for lateral movement. Similarly, MalKamak actors used the ShellClient RAT to download a credential-dumping tool. What makes ShellClient remarkable is how its authors have constantly tweaked the code so that it has evolved over time from a simple reverse shell into a sophisticated spying tool, Dahan explains.
MalKamak itself has proved highly evasive and used a series of operational security measures to stay under the radar. When Cybereason compared the group’s tactics, techniques and procedures with those used by other Iranian threat actors, it found some potentially interesting connections. But the similarities are far from sufficient to link MalKamak with any degree of certainty to other previously known entities in the country, Dahan says.
He concludes: “It was clear to us that we were looking at a new threat group.”