A previously undiscovered cyber-espionage campaign using never-before-seen malware is infiltrating global aerospace and telecommunications companies in a highly targeted operation that has been active since at least 2018 but has remained completely under the radar until July this year.
The campaign is the work of a newly disclosed Iranian hacking group dubbed MalKamak that has been detailed by cybersecurity company Cybereason Nocturnus, which discovered it after being called by a client to investigate a security incident.
Dubbed Operation GhostShell, the aim of the cyber-espionage campaign is compromising the networks of companies in the aerospace and telecoms industries to steal sensitive information about assets, infrastructure and technology. The targets – which haven’t been disclosed – are predominantly in the Middle East, but with additional victims in the United States, Europe and Russia. Each target appears to have been handpicked by the attackers.
SEE: Ransomware attackers targeted this company. Then defenders discovered something curious
“This is a very, very targeted type of attack,” Assaf Dahan, head of threat research at Cybereason, told ZDNet. “We’ve only managed to identify around 10 victims worldwide.”
MalKamak distributes a previously undocumented remote access trojan (RAT) known as ShellClient that is designed with espionage in mind – which is why it remained undetected for three years. One of the reasons the malware has remained so effective is because the authors have put a lot of effort into making it stealthy enough to avoid antivirus and other security tools. The malware receives regular updates so that this continues to be the case.
“Each iteration, they add more functionality, they add different levels of stealth,” said Dahan.
ShellClient has even started implementing a Dropbox client for command and control on target networks, making it difficult to detect because many companies might not notice or think much of yet another cloud collaboration tool performing actions, if they even notice it at all.
It’s all part of the plan to use the trojan to monitor systems, steal user credentials, secretly execute commands on networks and ultimately steal sensitive information. Each infected machine is given a unique ID so the attackers can keep track of their work during the weeks and months they’re snooping around compromised networks.
“Once they’re in, they start conducting extensive reconnaissance of the network. They map out the important assets – the crown jewels they would go for, key servers such as the Active Directory, but also business servers that contain the type of information that they’re after,” said Dahan.
The campaign successfully remained undetected until July, when researchers were called in to investigate an incident. It’s possible that the attackers got too confident in their tactics and overplayed their hand, leaving evidence that allowed researchers to identify the campaign and the malware being deployed.
“According to what we’re seeing, in the last year, they picked up the pace. Sometimes when you’re faster your you can be slightly sloppy or simply there’ll be more instances that would be detected,” Dahan explained.
Analysis of MalKamack’s tools and techniques led researchers to believe that the attacks were the work of a hacking operation working out of Iran, as one of the tools ShellClient RAT uses for credential dumping attacks is a variation of SafetKatz, which has been linked to previous Iranian campaigns. The targeting of telecoms and aerospace companies operating in the Middle East also aligns with Iran’s geopolitical goals.
SEE: A winning strategy for cybersecurity (ZDNet special report)
But while there are similarities to known Iranian state-backed cyber-espionage operations including Chafer (APT39), which uses similar techniques to target victims in the Middle East, US and Europe, as well as Agrius APT, which shares similarities in malware code, researchers believe that MalKamack is a new Iranian cyber operation – although it likely does have connections to other state-sponsored activity.
Researchers also believe that Operation GhostShell remains active and that MalKamack will continue to evolve how it conducts attacks in order to continue stealing information from targets. It’s currently not known how the attackers gain initial access to the network, but there’s the possibility it comes via phishing attacks or from exploiting unpatched vulnerabilities.