Threat researchers investigating malware used to target companies in the aerospace and telecommunications sectors discovered a new threat actor that has been running cyber espionage campaigns since at least 2018.
Dubbed ShellClient, the malware is a previously undocumented remote access trojan (RAT) built with a focus on being stealthy and for “highly targeted cyber espionage operations.”
Researchers attributed ShellClient to MalKamak, a previously undisclosed threat actor that used it for reconnaissance operations and for stealing sensitive data from targets in the Middle East, the U.S., Russia, and Europe.
Stealthy RAT, active since 2018
The ShellClient RAT appeared on the radar of threat researchers in July during an incident response engagement that revealed cyber espionage activity now referred to as Operation GhostShell.
Cybereason Nocturnus and Incident Response Teams analyzed the malware and observed that it ran on infected machines disguised as “RuntimeBroker.exe,” a legitimate process that helps with permission management for apps from Microsoft Store.
The ShellClient variant used for Operation GhostShell shows a compilation date of May 22, 2021, and is referred to as version 4.0.1.
The researchers found that its evolution started since at least November 2018 “from a simple standalone reverse shell to a stealthy modular espionage tool.”
With each of the six iterations discovered, the malware increased its functionality and switched between several protocols and methods for data exfiltration (e.g. an FTP client, Dropbox account):
- Earliest variant, compiled in November 2018 – less sophisticated, acting as a simple reverse shell
- Variant V1, compiled in November 2018 – has functions of both client and server, adds new service persistence method concealed as a Windows Defender update service
- Variant V2.1, compiled in December 2018 – adds FTP and Telnet clients, AES encryption, self-update function
- Variant V3.1, compiled in January 2019 – minor modifications, removes the server component
- Variant V4.0.0, compiled in August 2021 – marks significant changes, like better code obfuscation and protection via Costura packer, dropping the C2 domain used since 2018, and adding a Dropbox client
New APT adversary
In its investigation, Cybereason looked for details that would link ShellClient to a known adversary but concluded that the malware is operated by a new nation-state group they named MalKamak, which is likely connected to Iranian hackers, as indicated by code style overlap, naming conventions, and techniques.
The researchers say that MalKamak focuses on highly targeted cyber espionage operations, a theory supported by the low number of samples discovered in the wild or telemetry data since 2018.
Furthermore, the path for debugging files available in some ShellClients samples suggests that the malware is part of a confidential project from a military or intelligence agency.
Cybereason created a brief summary of how MalKamak runs, its capabilities, infrastructure, and the types of victims it is interested in.
Cybereason makes available a set of indicators of compromise for all versions and samples of ShellClient they uncovered, command and control servers, user agents, encryption keys, and related files.
In a separate technical document, the researchers provide full analysis of all the variants they found during incident response engagements.