Hackers Use ShellClient Stealth Malware on Aerospace and Telecom Companies


Threat researchers investigating malware used against companies in the aerospace and telecommunications industries have uncovered a previously unknown threat actor that has been running cyber espionage campaigns since at least 2018.

Dubbed ShellClient, the malware is a previously undocumented remote access trojan (RAT) built for stealth and for “highly targeted cyber espionage operations”.

Researchers attributed ShellClient to MalKamak, a previously undisclosed threat actor who used it for reconnaissance operations and to steal sensitive data from targets in the Middle East, the United States, Russia and Europe.

Stealth RAT, active since 2018

The ShellClient RAT appeared on threat researchers’ radar in July during an incident response engagement that revealed cyber espionage activity now referred to as Operation GhostShell.

Cybereason Nocturnus and incident response teams analyzed the malware and found it running on infected machines under the name “RuntimeBroker.exe”, the name of a legitimate Windows process that manages permissions for Microsoft Store apps.

The ShellClient variant used for the GhostShell operation displays a build date of May 22, 2021 and is called version 4.0.1.

ShellClient evolution since 2018

The researchers found that its development began no later than November 2018, evolving “from a simple standalone reverse shell to a stealthy, modular espionage tool”.

Across the six iterations discovered, the malware gained functionality with each release and switched between several protocols and data exfiltration channels (for example an FTP client, later a Dropbox account):

  • Oldest variant, compiled in November 2018 – the least sophisticated, behaving like a simple reverse shell
  • Variant V1, compiled in November 2018 – has both client and server functions and adds a new persistence method: installation as a service disguised as “Windows Defender Update Service”
  • Variant V2.1, compiled in December 2018 – adds FTP and Telnet clients, AES encryption and a self-update function
  • Variant V3.1, compiled in January 2019 – minor changes; removes the server component
  • Variant V4.0.0, compiled in August 2021 – marks significant changes, including stronger code obfuscation and protection via the Costura packer, removal of the C2 domain used since 2018 and the addition of a Dropbox client
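The two masquerading tricks described above (a process named RuntimeBroker.exe and a service posing as a Windows Defender update service) are cheap to hunt for with ordinary endpoint inventory data. The Python below is an added illustration, not code from Cybereason or from the original article: it runs that check over a constructed process and service listing. The expected install paths and the sample entries, including the service name WinDefendUpdate and the file paths, are assumptions made for the demo, not indicators taken from the report.

```python
"""Hunt for two masquerading techniques: a well-known Windows binary name
running from the wrong path, and a service that borrows the Windows Defender
name but points at a binary outside the Defender/Windows directories.

All sample data below is constructed for this example and is not telemetry
from the ShellClient report.
"""
import ntpath

# Where the genuine binary lives on a default Windows install (assumption:
# adjust for your estate; ntpath handles Windows paths on any OS).
EXPECTED_PATHS = {
    "runtimebroker.exe": {r"c:\windows\system32\runtimebroker.exe"},
}

# Directory prefixes under which real Defender components are installed
# (assumption based on default Windows 10/11 and Server layouts).
DEFENDER_PREFIXES = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender",
    r"c:\windows\system32",
)


def norm(path):
    """Normalize a Windows path for comparison: collapse separators, lowercase."""
    return ntpath.normpath(path).lower()


def image_from_command(command):
    """Extract the executable from a service ImagePath, which may be quoted
    or carry arguments (e.g. svchost.exe -k netsvcs)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx != -1 else command.split()[0]


def suspicious_processes(processes):
    """Return (pid, image_path) for processes whose image name is a known
    Windows binary but whose full path is not where that binary belongs."""
    hits = []
    for proc in processes:
        path = norm(proc["image_path"])
        expected = EXPECTED_PATHS.get(ntpath.basename(path))
        if expected is not None and path not in expected:
            hits.append((proc["pid"], proc["image_path"]))
    return hits


def suspicious_services(services):
    """Return (name, image_path) for services whose name or display name
    invokes Defender but whose binary sits outside the Defender directories."""
    hits = []
    for svc in services:
        names = (svc["name"] + " " + svc["display_name"]).lower()
        if "defender" not in names:
            continue
        binpath = norm(image_from_command(svc["image_path"]))
        if not binpath.startswith(DEFENDER_PREFIXES):
            hits.append((svc["name"], svc["image_path"]))
    return hits


# Constructed sample inventory (hypothetical hosts, not real telemetry).
SAMPLE_PROCESSES = [
    {"pid": 1204, "image_path": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"pid": 4412, "image_path": r"C:\Users\Public\Libraries\RuntimeBroker.exe"},
    {"pid": 812, "image_path": r"C:\Windows\explorer.exe"},
]
SAMPLE_SERVICES = [
    {"name": "WinDefend", "display_name": "Microsoft Defender Antivirus Service",
     "image_path": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MsMpEng.exe"'},
    {"name": "WinDefendUpdate", "display_name": "Windows Defender Update Service",
     "image_path": r'"C:\ProgramData\Microsoft\RuntimeBroker.exe"'},
    {"name": "Dnscache", "display_name": "DNS Client",
     "image_path": r"C:\Windows\system32\svchost.exe -k NetworkService -p"},
]

if __name__ == "__main__":
    for pid, path in suspicious_processes(SAMPLE_PROCESSES):
        print(f"[process] pid {pid} masquerading binary at {path}")
    for name, path in suspicious_services(SAMPLE_SERVICES):
        print(f"[service] {name} claims Defender but runs {path}")
```

Only the second process and the second service are flagged: the genuine RuntimeBroker.exe and the real Defender engine match the expected locations, and the DNS Client service never mentions Defender. On a real host, feed the functions the output of a process listing and the registry ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services, and add signature verification of the flagged binaries as the next filter.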

A new APT adversary

In its investigation, Cybereason looked for details that would tie ShellClient to a known adversary, but concluded that the malware is operated by a new nation-state group it named MalKamak, likely linked to Iran, as indicated by overlapping code style, naming conventions and techniques.

“Although some possible connections to known Iranian threat actors were observed, our conclusion is that MalKamak is a new and distinct activity group, with unique characteristics that distinguish it from other known Iranian threat actors” – Cybereason

Researchers say MalKamak focuses on highly targeted cyber espionage operations, a conclusion supported by the small number of samples seen in the wild or in telemetry data since 2018.

Additionally, the debug paths embedded in some ShellClient samples suggest the malware is part of a restricted project run by a military or intelligence agency.

Cybereason has published a brief profile of how MalKamak operates, its capabilities, its infrastructure and the types of victims it targets.

MalKamak Threat Actor

Cybereason provides a set of indicators of compromise for all ShellClient versions and samples it has discovered, along with command and control servers, user agents, encryption keys and associated files.

In a separate technical paper, the researchers provide a comprehensive analysis of all the variants found during their incident response engagements.
