The campaign has mainly targeted firms in the Middle East and more recently, the United States, Russia, and Europe. Security researchers from Cybereason who have been tracking the campaign have dubbed it Operation GhostShell and attributed it to a new threat group they are calling MalKamak. Some of the newly discovered threat actor’s malware code and tactics suggest at least a passing connection to other known Iran-backed threat groups, such as APT39, aka Chafer, and Agrius APT.
In a new report, the security vendor describes MalKamak’s campaign as designed to steal sensitive information about the infrastructure, technology, and other critical assets of targeted organizations. Cybereason says it has so far spotted at least 10 organizations in the aerospace and telecommunications sector that have been affected.
The reason MalKamak has been able to operate without being detected since 2018 is the sparing and strategic way in which it has used its main weapon, a remote access Trojan (RAT) called ShellClient, says Assaf Dahan, senior director and head of threat research at Cybereason. The group’s use of sophisticated code obfuscation techniques and a recent switch to the use of Dropbox for command-and-control (C2) communications have also played a role in keeping MalKamak’s activities from being spotted sooner, Dahan says.
“There are very few samples of ShellClient found in the wild — we’re talking about less than seven to eight samples in three years of activity,” he says. “This fact demonstrates how careful the operators were not to burn their malware [and] how they used it to target specific organizations.” In addition, the authors of the malware have implemented a kill function that instructs ShellClient to delete itself if its operators believe their operation might be jeopardized.
“Code obfuscation and abandoning their old C2 server infrastructure and switching to Dropbox as C2 also assisted them to fly under the radar for such a long time,” he says.
Nation state-backed APT activity out of Iran has escalated in recent years. Many of the campaigns have started out being focused on organizations and entities in the Middle East or in countries of strategic importance to Iran’s government. Often — as with MalKamak — the APT groups have ended up targeting organizations in the US and other countries.
Cyber espionage has been the main motive for Iranian hacking activity in many cases. Last September, the US government indicted three Iranian nationals for their alleged role in a conspiracy to, among other things, steal intellectual property and other sensitive data from US aerospace and satellite tracking firms. On other occasions, Iranian threat groups — like groups from other countries — have user cyber-hacking campaigns for different purposes.
One of APT39’s missions, for instance, has been to conduct surveillance on dissidents and people of interest to the Iranian government, while Agrius APT was observed this year deploying data-wiping malware and ransomware on systems belonging to targeted organizations.
“The Iranians, just like any other nation with considerable cyber capabilities, can engage in cyber warfare for a myriad of reasons and motivations,” Dahan says. “There have been past reports about attacks of a more destructive nature, while other attacks seemed to focus more on cyber espionage [and] certain groups have engaged in both.”
MalKamak has been using ShellClient to conduct reconnaissance on target networks and to collect information about users and infected hosts. In addition, they have used the malware to run arbitrary commands, to elevate privileges, download additional tools and malware and to steal data. For example, Cybereason says it observed the threat actor using ShellClient to download the PAExec utility and use it for lateral movement. Similarly, MalKamak actors have used the ShellClient RAT to download a credential dumping tool. What makes ShellClient noteworthy is the way its authors have constantly kept tweaking the code so that it has evolved over time from a simple reverse shell to a sophisticated espionage tool, Dahan says.
MalKamak itself has proved to be very evasive and has employed a range of operational security measures to stay under the radar. When Cybereason compared the group’s tactics, techniques, and procedures with those used by other Iranian threat actors, it did find some potentially interesting connections. But the similarities have been nowhere near enough to link MalKamak with any degree of certainty to other, previously known entities from the country, Dahan says.
He concludes: “It was clear to us we were looking at a new activity group.”