Iranian APT targets aerospace and telecoms companies with ShellClient stealth Trojan
Security researchers have uncovered cyber espionage operations carried out by an Iranian hacker group targeting aerospace and telecommunications companies with a previously undocumented stealth Trojan program in use since 2018. Security firm Cybereason has dubbed the campaign Operation GhostShell and said it primarily targets businesses in the Middle East, but also in the United States, Europe and Russia. The objective of the attacks is the theft of information about victims' infrastructure, technology and critical assets.
While researchers believe this cyber espionage group, called MalKamak, is new and distinct from previously documented groups, there is evidence indicating possible links to known Iranian government-sponsored groups such as Chafer APT (APT39) and Agrius APT.
The RAT ShellClient
The main malicious tool of the group is a Remote Access Trojan (RAT) called ShellClient, which has been under development and probably in active use since 2018, as different versions with feature enhancements have been identified. “The authors of ShellClient have put a lot of effort into making it stealthy to escape detection by antivirus and other security tools by exploiting several obfuscation techniques and recently implementing a Dropbox client for command and control (C2), which makes it very difficult to detect,” the researchers said in their report.
The Trojan is built with an open source tool called Costura, which allows the creation of self-contained compressed executables without external dependencies. This could also contribute to the program's stealthiness and explain why it had not been discovered and documented until now, after three years of operation. Another possible reason is that the group only used it against a small set of carefully selected targets, even though those targets are spread across multiple geographies.
ShellClient has three deployment modes controlled by runtime arguments. It is installed as a system service called nhdService (Network Hosts Detection Service) using the Windows tool InstallUtil.exe. Another runtime argument uses the Service Control Manager (SCM) to create a reverse shell that communicates with a configured Dropbox account. A third runtime argument only runs the malware as a normal process. This seems to be reserved for cases where attackers only want to collect information about the system first, including installed antivirus programs, and determine whether it is worth deploying the malware in persistent mode.
The Trojan uses Dropbox for command and control in order to evade detection at the network level. All data sent to the Dropbox account is encrypted with a hard-coded AES key to add a layer of traffic obfuscation. The way the malware receives commands is passive: attackers create files in a particular folder on the Dropbox account, which the malware checks every few seconds. These files correspond to certain commands, and when one is detected, the malware deletes the file, runs the command, and uploads the output as a file to a different folder. Each file carries a unique identifier for the victim.
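From a network defender's point of view, the polling loop described above is the observable: a client that asks a Dropbox API endpoint for the same folder listing every few seconds, with almost no jitter, looks nothing like a person using the Dropbox web UI. The following is an added example, not Cybereason's code and not anything from ShellClient, that scores request series in a proxy log by interval regularity. The log format, the Dropbox host list and the threshold values are assumptions, and the log lines are constructed for the example.

```python
"""Added example (not Cybereason's code and not ShellClient's): flag clients
that poll a Dropbox API endpoint at a short, regular interval, the passive
command-retrieval pattern the article describes. The proxy log format and
the threshold values are assumptions; the log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client_ip> <method> <host> <path>".
# 10.1.2.30 polls a folder listing every 5 seconds (the pattern of interest);
# 10.1.2.77 shows ordinary interactive Dropbox use.
SAMPLE_PROXY_LOG = """\
2021-10-06T09:00:00 10.1.2.30 POST api.dropboxapi.com /2/files/list_folder
2021-10-06T09:00:03 10.1.2.77 GET www.dropbox.com /home
2021-10-06T09:00:05 10.1.2.30 POST api.dropboxapi.com /2/files/list_folder
2021-10-06T09:00:10 10.1.2.30 POST api.dropboxapi.com /2/files/list_folder
2021-10-06T09:00:12 10.1.2.30 POST content.dropboxapi.com /2/files/upload
2021-10-06T09:00:15 10.1.2.30 POST api.dropboxapi.com /2/files/list_folder
2021-10-06T09:00:20 10.1.2.30 POST api.dropboxapi.com /2/files/list_folder
2021-10-06T09:00:25 10.1.2.30 POST api.dropboxapi.com /2/files/list_folder
2021-10-06T09:00:30 10.1.2.30 POST api.dropboxapi.com /2/files/list_folder
2021-10-06T09:00:35 10.1.2.30 POST api.dropboxapi.com /2/files/list_folder
2021-10-06T09:07:41 10.1.2.77 POST content.dropboxapi.com /2/files/upload
"""

DROPBOX_HOSTS = {
    "api.dropboxapi.com", "content.dropboxapi.com",
    "www.dropbox.com", "dl.dropboxusercontent.com",
}


def parse_proxy_log(text):
    """Parse the constructed log format into (timestamp, client, host, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, path = line.split()
        events.append((datetime.fromisoformat(ts), client, host, path))
    return events


def find_beacons(events, min_requests=6, max_interval=30.0, max_jitter=0.25):
    """Return (client, host, path) series whose request gaps are short and regular.

    Regularity is the coefficient of variation of the gaps (population stdev
    divided by the mean): a scripted poll loop sits near zero, while a person
    clicking around the web UI does not.
    """
    series = defaultdict(list)
    for ts, client, host, path in events:
        if host in DROPBOX_HOSTS:
            series[(client, host, path)].append(ts)

    findings = []
    for (client, host, path), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg
        if avg <= max_interval and jitter <= max_jitter:
            findings.append({
                "client": client, "host": host, "path": path,
                "requests": len(stamps),
                "mean_interval_s": round(avg, 1),
                "jitter": round(jitter, 2),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(hit)
```

On the constructed log this reports a single series, the 5-second `list_folder` poll from 10.1.2.30; the one-off upload and the interactive client never reach the request-count threshold. Because the payload is AES-encrypted and the destination is a legitimate SaaS host, timing and volume are the signals left to work with, which is why the rule keys on interval regularity rather than content.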
ShellClient implements several features and commands, including file and directory operations, opening CMD and PowerShell shells, running shell commands, starting TCP, FTP, and Telnet clients, downloading and running files on the machine and performing various lateral movement actions through the Windows Management Instrumentation (WMI) toolset.
Lateral movement and Iranian APT connections
Cybereason researchers observed that the attackers used popular tools such as PAExec (a version of PsExec) and “net use” to execute files on remote systems. They also saw credentials being dumped from the lsass.exe process with a tool called lsa.exe, which they suspect is a version of SafetyKatz, an open source variant of Mimikatz that has been used by other Iranian APT groups in the past. A standalone version of WinRAR was also used to archive files before exfiltration.
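The service-install mode described earlier (InstallUtil.exe registering the malware as a service) and the lateral movement tooling just listed all leave process telemetry behind. The following is an added example, not Cybereason's code and not anything from ShellClient, that runs a handful of rules over Sysmon-style process events: InstallUtil.exe pointed at an assembly in a user-writable path, `net use` against an administrative share, a PAExec/PsExec binary, an unexpected process opening lsass.exe, and a standalone rar.exe creating an archive. The event schema, the sample events, the lsass allowlist and the admin-share interpretation of `net use` are constructed assumptions.

```python
"""Added example (not Cybereason's or ShellClient's code): rule-based review of
Windows process telemetry for the tradecraft the article lists: a service
registered through InstallUtil.exe from a user-writable path, PAExec and
'net use' against admin shares, an unfamiliar process opening lsass.exe, and a
standalone rar.exe staging an archive. The event schema, the sample events and
the lsass allowlist are constructed assumptions, not Sysmon's actual fields."""
import re
from collections import defaultdict

# Constructed Sysmon-style events. "create" is process creation, "access" is
# one process opening a handle to another.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /i C:\Users\Public\nhd.exe"},
    {"host": "WS01", "type": "create", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\FS02\ADMIN$"},
    {"host": "WS01", "type": "create", "image": r"C:\Users\Public\paexec.exe",
     "cmdline": r"paexec.exe \\FS02 C:\Users\Public\update.exe"},
    {"host": "FS02", "type": "access", "source_image": r"C:\Users\Public\lsa.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"host": "FS02", "type": "create", "image": r"C:\Users\Public\rar.exe",
     "cmdline": r"rar.exe a C:\Users\Public\docs.rar C:\Users\Public\Documents"},
    # Benign activity that the rules must not flag.
    {"host": "WS09", "type": "create", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\FS02\Shared"},
    {"host": "FS02", "type": "access", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
]

SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")
# Assumed site allowlist of processes expected to open lsass; tune per estate.
LSASS_EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}
# "net use \\host\ADMIN$" or "net use \\host\C$" (any drive-letter share).
ADMIN_SHARE = re.compile(r"net\s+use\s+\\\\\S+?\\(admin\$|[a-z]\$)", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path):
    return not path.lower().startswith(SYSTEM_PREFIXES)


def rule_installutil_service(e):
    """InstallUtil.exe pointed at an assembly outside the system directories."""
    if e["type"] != "create" or _basename(e["image"]) != "installutil.exe":
        return False
    return any(_user_writable(tok) for tok in e["cmdline"].split() if ":\\" in tok)


def rule_admin_share_mount(e):
    return e["type"] == "create" and _basename(e["image"]) == "net.exe" \
        and ADMIN_SHARE.search(e["cmdline"]) is not None


def rule_paexec(e):
    return e["type"] == "create" and _basename(e["image"]).startswith(("paexec", "psexec"))


def rule_lsass_access(e):
    return e["type"] == "access" and _basename(e["target_image"]) == "lsass.exe" \
        and e["source_image"].lower() not in LSASS_EXPECTED_SOURCES


def rule_rar_staging(e):
    """Archive creation ('a' command) by a rar binary running from a user path."""
    if e["type"] != "create" or _basename(e["image"]) not in {"rar.exe", "winrar.exe"}:
        return False
    args = e["cmdline"].split()
    return _user_writable(e["image"]) and len(args) > 1 and args[1].lower() == "a"


RULES = [
    ("installutil_service_install", rule_installutil_service),
    ("admin_share_mount", rule_admin_share_mount),
    ("paexec_remote_exec", rule_paexec),
    ("lsass_access_unexpected_source", rule_lsass_access),
    ("rar_archive_staging", rule_rar_staging),
]


def review_events(events):
    """Map each host to the list of rule names its events triggered, in order."""
    hits = defaultdict(list)
    for e in events:
        for name, rule in RULES:
            if rule(e):
                hits[e["host"]].append(name)
    return dict(hits)


if __name__ == "__main__":
    for host, names in review_events(SAMPLE_EVENTS).items():
        print(host, names)
```

Run on the constructed events, WS01 collects the service install, the admin-share mount and the PAExec execution, FS02 the lsass access and the archive staging, and WS09's ordinary drive mapping produces nothing. The value is in the combination: any one of these rules fires on legitimate administration from time to time, but several of them on the same pair of hosts within a short window is the sequence the article describes and is worth a human look.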
The first version of ShellClient identified by Cybereason’s Nocturnus team was compiled in August and included a version 4.0 string. This suggests that there might be older versions and, indeed, several older versions dating back to November 2018 were found later. These had different sets of features, suggesting constant development and improvement over time.
Both the Costura packer and Dropbox-based command and control were only added in the latest version, which also saw other significant architectural changes. However, some of the code structures, routines, and techniques used in previous releases are similar to those seen in malware from other Iranian APT groups.
“The Nocturnus team compared our observations with previous campaigns attributed to known Iranian actors and were able to highlight interesting similarities between ShellClient and previously reported Iranian malware and actors,” the researchers said. “However, at this point, our estimate is that this operation was carried out by a separate business group, dubbed MalKamak, which has its own distinct characteristics that set it apart from other groups.”
Copyright © 2021 IDG Communications, Inc.