Threat researchers investigating malware used to target companies in the aerospace and telecommunications industries have discovered a new threat actor that has been carrying out cyber espionage campaigns since at least 2018.
Dubbed ShellClient, the malware is a previously undocumented Remote Access Trojan (RAT) designed to be stealthy and built for “highly targeted cyber espionage operations”.
Researchers attributed ShellClient to MalKamak, a previously undisclosed threat actor who used it for reconnaissance operations and to steal sensitive data from targets in the Middle East, the United States, Russia and Europe.
Stealth RAT, active since 2018
The ShellClient RAT appeared on threat researchers’ radar in July during an incident response engagement that revealed cyber espionage activity now referred to as Operation GhostShell.
Cybereason Nocturnus and incident response teams analyzed the malware and observed that it ran on infected machines disguised as “RuntimeBroker.exe”, a legitimate Windows process that manages permissions for Microsoft Store apps.
The ShellClient variant used for the GhostShell operation displays a build date of May 22, 2021 and is called version 4.0.1.
The researchers found that its evolution began no later than November 2018, “from a simple standalone reverse shell to a stealthy modular spy tool”.
In each of the six iterations discovered, the malware increased its functionality and switched between several protocols and data exfiltration methods (e.g., an FTP client, a Dropbox account):
- Oldest variant, compiled in November 2018 – less sophisticated, acting as a simple reverse shell
- Variant V1, compiled in November 2018 – has both client and server functions, adds a new service persistence method disguised as a Windows Defender Update Service
- Variant V2.1, compiled December 2018 – adds FTP and Telnet clients, AES encryption, self-update function
- Variant V3.1, compiled in January 2019 – minor changes, removes the server component
- Variant V4.0.0, compiled in August 2021 – marks significant changes, such as better code obfuscation and protection via the Costura packer, the removal of the C2 domain used since 2018 and the addition of a Dropbox client
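As an added, defender-side illustration of the two disguises this article mentions (the RuntimeBroker.exe process name and the service persistence hidden as a Windows Defender Update Service), the Python below flags inventory records that use those names without the genuine binary location. It is not Cybereason's code; the expected paths and the allowlist of Defender service names are assumptions about a default Windows install, and the inventory records are constructed.

```python
"""Triage checks for the two ShellClient disguises described above: RuntimeBroker.exe
running from the wrong path and a service posing as "Windows Defender Update Service".
Added example, not Cybereason's code; the paths and allowlist are assumptions."""
from pathlib import PureWindowsPath
from typing import Optional

GENUINE_RUNTIMEBROKER = PureWindowsPath(r"C:\Windows\System32\RuntimeBroker.exe")
# Service names Windows uses for Defender components (assumed allowlist; tune per build).
DEFENDER_SERVICE_NAMES = {"windefend", "wdnissvc", "sense", "mpssvc", "mdcoresvc"}
DEFENDER_BINARY_ROOTS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Program Files\Windows Defender"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender\Platform"),
)

def _under(path: str, root: PureWindowsPath) -> bool:
    """True when path sits below root (PureWindowsPath compares case-insensitively)."""
    return root in PureWindowsPath(path).parents

def check_process(proc: dict) -> Optional[str]:
    """RuntimeBroker.exe is legitimate only as the System32 binary; anything else is a masquerade."""
    if proc["name"].lower() != "runtimebroker.exe" or PureWindowsPath(proc["path"]) == GENUINE_RUNTIMEBROKER:
        return None
    return f"pid {proc['pid']}: RuntimeBroker.exe masquerade at {proc['path']}"

def check_service(svc: dict) -> Optional[str]:
    """A 'Defender' service with an unknown service name, or a binary outside Defender's directories."""
    if "defender" not in svc["display_name"].lower():
        return None
    unknown_name = svc["name"].lower() not in DEFENDER_SERVICE_NAMES
    odd_path = not any(_under(svc["binary_path"], r) for r in DEFENDER_BINARY_ROOTS)
    if unknown_name or odd_path:
        return f"service {svc['name']} ('{svc['display_name']}') -> {svc['binary_path']}"
    return None

def scan(processes: list, services: list) -> list:
    """Run both checks over an inventory and return the findings as strings."""
    hits = [check_process(p) for p in processes] + [check_service(s) for s in services]
    return [h for h in hits if h]

# Constructed inventory, not real telemetry: one clean and one suspicious entry of each kind.
SAMPLE_PROCESSES = [
    {"pid": 812, "name": "RuntimeBroker.exe", "path": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"pid": 4120, "name": "RuntimeBroker.exe", "path": r"C:\Users\Public\RuntimeBroker.exe"},
]
SAMPLE_SERVICES = [
    {"name": "WinDefend", "display_name": "Microsoft Defender Antivirus Service", "binary_path": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7\MsMpEng.exe"},
    {"name": "WinDefUpdSvc", "display_name": "Windows Defender Update Service", "binary_path": r"C:\Users\Public\Libraries\RuntimeBroker.exe"},
]
print("\n".join(scan(SAMPLE_PROCESSES, SAMPLE_SERVICES)))
```

On a live host the same records can be built from a process listing and the service control manager's binary paths; the checks only look at names and locations, so a sample that also copies the genuine path would need hash or signature checks on top.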
New APT adversary
In its investigation, Cybereason looked for details that would link ShellClient to a known adversary, but concluded that the malware is operated by a new nation-state group it named MalKamak, which is likely linked to Iranian hackers, as indicated by overlapping code styles, naming conventions and techniques.
Researchers say MalKamak is focused on highly targeted cyber espionage operations, a theory supported by the low number of samples discovered in the wild or in telemetry data since 2018.
Additionally, the debug (PDB) path present in some ShellClient samples suggests that the malware is part of a confidential project of a military or intelligence agency.
Cybereason has created a brief summary of how MalKamak operates, its capabilities, its infrastructure, and the types of victims it is interested in.
Cybereason provides a set of indicators of compromise for all ShellClient versions and samples it has discovered, including command and control servers, user agents, encryption keys and associated files.
In a separate technical paper, the researchers provide a comprehensive analysis of all the variants they found during incident response missions.