MalKamak, the Iranian hacking group targeting telecommunications and aerospace companies

Cybersecurity specialists report the detection of a new Iranian hacking group that has been employing a never-before-seen variant of remote access Trojan (RAT). The cybercriminal group was identified as MalKamak and the campaign is known as Operation GhostShell.

The campaign, identified by security firm Cybereason, was first detected in June 2021, with attackers using a RAT dubbed ShellClient to target aerospace and telecommunications companies in the Middle East, Russia and some European Union countries.

Since its detection in 2018, MalKamak has evolved considerably, moving from a simple reverse shell to a sophisticated cyberespionage tool. Investigators concluded that MalKamak is a group of Iranian origin because of the similarities between its tactics and those employed by Agrius, another Iran-based hacking group known for persistently targeting public and private organizations in Israel.

About ShellClient, experts mention that the RAT is designed to go unnoticed on the target system and is even capable of establishing its C&C channel over Dropbox, allowing threat actors to blend malicious activity into legitimate traffic to that service.

Communication with Dropbox goes through the Dropbox API using a unique built-in API key, and the exchanged data is encrypted with AES using an embedded key. This makes it difficult for victims to detect C&C communications, as reconstructing the exchange would require rebuilding the Dropbox folders elsewhere in the service.

The Dropbox storage contains three folders: an agent folder that stores information uploaded from affected machines; a command folder that stores the commands ShellClient will execute; and a results folder that stores the output of commands executed by ShellClient. The shell checks the command folder every two seconds.
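The two-second polling of the command folder is the observable a defender can look for: a host that hits the Dropbox API at a near-constant cadence behaves very differently from a human-driven sync client. The following added example (not code from the article or from Cybereason) scans constructed web-proxy log lines for clients beaconing to Dropbox API hosts at that interval; the log format, client addresses and request paths are assumptions made for the sample.

```python
# Added example: flag hosts polling Dropbox API hosts at a near-constant
# interval, as a proxy-log detection for the 2-second command-folder polling
# described above. Log lines below are constructed for this example.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log: "<ISO timestamp> <client ip> <host> <path>"
SAMPLE_LOG = """\
2021-06-14T10:00:00 10.1.1.20 api.dropboxapi.com /2/files/list_folder
2021-06-14T10:00:02 10.1.1.20 api.dropboxapi.com /2/files/list_folder
2021-06-14T10:00:04 10.1.1.20 api.dropboxapi.com /2/files/list_folder
2021-06-14T10:00:06 10.1.1.20 api.dropboxapi.com /2/files/list_folder
2021-06-14T10:00:08 10.1.1.20 api.dropboxapi.com /2/files/list_folder
2021-06-14T10:00:10 10.1.1.20 api.dropboxapi.com /2/files/list_folder
2021-06-14T10:00:01 10.1.1.31 api.dropboxapi.com /2/files/list_folder
2021-06-14T10:03:45 10.1.1.31 content.dropboxapi.com /2/files/upload
2021-06-14T10:09:12 10.1.1.31 api.dropboxapi.com /2/files/list_folder
2021-06-14T10:00:03 10.1.1.40 example.org /index.html
"""

DROPBOX_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}


def parse_log(text):
    """Return {client_ip: [timestamps]} for requests to Dropbox API hosts."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, _path = line.split()
        if host in DROPBOX_HOSTS:
            per_client[client].append(datetime.fromisoformat(ts))
    return per_client


def find_beacons(text, period=2.0, tolerance=0.5, min_requests=5):
    """Flag clients whose Dropbox requests recur at a near-constant interval
    close to `period` seconds. Returns {client_ip: median_gap_seconds}."""
    flagged = {}
    for client, stamps in parse_log(text).items():
        stamps.sort()
        if len(stamps) < min_requests:
            continue  # too few requests to establish a cadence
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # A polling loop yields gaps tightly clustered around its sleep interval;
        # a human-driven sync client produces irregular, widely spread gaps.
        if abs(med - period) <= tolerance and all(abs(g - med) <= tolerance for g in gaps):
            flagged[client] = med
    return flagged


if __name__ == "__main__":
    for client, gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client}: Dropbox API polled every ~{gap:.1f}s")
```

Legitimate Dropbox clients also talk to these hosts, so treat a hit as a lead to correlate with the process making the requests and with the service-persistence indicators described below, not as a verdict on its own.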

As mentioned above, the current version of ShellClient has advanced considerably since it was first detected. Among the shell's new features is a new service persistence method, disguised as a Windows Defender update service.

Experts conclude by noting that Operation GhostShell appears to employ one of the most advanced malicious developments in the world of cybercrime, showing rapid evolution while also leaving clues that the attackers have not yet reached their full potential.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.