Iranian Hackers Attacked Aerospace and Telecom Firms using Dropbox

The security firm Cybereason has recently reported a new cyber espionage campaign that uses Dropbox for command and control and is directed against the aerospace and telecommunications industries in the Middle East.

Cybereason attributes the campaign to the MalKamak hacking group, which it assesses to be an Iranian government-sponsored group.

The threat actors have mainly targeted large aerospace and telecommunications companies in the Middle East since 2018, but they have also targeted these sectors in other regions, including:

  • The United States
  • Europe
  • Russia

ShellClient: The silent RAT, active since 2018

The ShellClient RAT has been operational and in active use since at least November 2018; the attack described here was detected by Cybereason in July 2021.

Investigation of the incident concluded that the threat actors are using an undocumented, private RAT dubbed ShellClient.

In this campaign, the ShellClient RAT runs on victim machines as “svchost.exe”, while its internal (PE) name is “RuntimeBroker.exe”.

Command and Control (C2) communications

The C2 communications used by the threat actors in this campaign are unusual. Rather than a conventional interactive session, C2 relies on “cold files” saved to a remote Dropbox account.

The procedure used by the threat actors is an effective Operational Security (OPSEC) measure.

Its main value for the attackers is that hiding C2 behind a public service such as Dropbox makes their infrastructure hard to trace.

Persistence and Privilege Escalation

The new ShellClient RAT achieves persistence and privilege escalation so that it runs with SYSTEM privileges on victim machines. It does this by creating a service named nhdService, disguised as the “Network Hosts Detection Service”:

  • Service Name: nhdService
  • Display Name: Network Hosts Detection Service
  • Description: Searches and manages hosts in the Network and Dial-Up Connections folder, where both local area network and remote connections are viewable
  • Start Type: Automatic
  • Account: LocalSystem
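The two masquerading traits described above (a binary running as “svchost.exe” whose PE original name is “RuntimeBroker.exe”, and an auto-start LocalSystem service with a Windows-sounding name) can be turned into simple triage checks over endpoint telemetry. The following is an added example, not code from the article or from Cybereason; the record field names follow Sysmon Event ID 1 and System Event ID 7045 conventions and are assumed, and the sample records are constructed.

```python
# Added example, not code from the article or from Cybereason: triage checks for the
# svchost.exe / RuntimeBroker.exe name mismatch and for a LocalSystem auto-start
# service installed outside the Windows system directories.
# Field names (Image, OriginalFileName, ServiceName, ImagePath, ...) are assumed.
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
KNOWN_IOC_SERVICES = {"nhdservice"}  # service name given in the article

def process_masquerade(rec):
    """Return the reasons a process-creation record looks like a masquerade."""
    image = rec["Image"]
    name = ntpath.basename(image).lower()
    original = rec.get("OriginalFileName", "").lower()
    reasons = []
    # A PE whose version-info original name differs from its on-disk name was renamed.
    if original and original != name:
        reasons.append(f"on-disk name {name} differs from PE original name {original}")
    # Legitimate svchost.exe only lives in the Windows system directories.
    if name == "svchost.exe" and not image.lower().startswith(SYSTEM_DIRS):
        reasons.append("svchost.exe running outside the Windows system directories")
    return reasons

def service_install_suspicious(svc):
    """Return the reasons a service-install record looks like RAT persistence."""
    path = svc["ImagePath"].lower().strip('"')
    reasons = []
    if svc["ServiceName"].lower() in KNOWN_IOC_SERVICES:
        reasons.append("service name matches the ShellClient indicator")
    if (svc.get("Account", "").lower() == "localsystem"
            and svc.get("StartType", "").lower() == "automatic"
            and not path.startswith(SYSTEM_DIRS)):
        reasons.append("auto-start LocalSystem service with binary outside system dirs")
    return reasons

# Constructed sample records (not real telemetry) for a stand-alone run.
SAMPLE_PROCESSES = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "RuntimeBroker.exe"},
]
SAMPLE_SERVICES = [
    {"ServiceName": "nhdService", "DisplayName": "Network Hosts Detection Service",
     "ImagePath": r"C:\ProgramData\svchost.exe", "StartType": "Automatic",
     "Account": "LocalSystem"},
    {"ServiceName": "Spooler", "DisplayName": "Print Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "StartType": "Automatic",
     "Account": "LocalSystem"},
]
```

Running `process_masquerade` and `service_install_suspicious` over the sample records flags only the second process and the nhdService entry.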

Supported Commands

  • code10: Query hostname, malware version, executable path, IP address and Antivirus products
  • code11: Execute an updated version of ShellClient
  • code12: Self delete using InstallUtil.exe
  • code13: Restart the ShellClient service
  • code20: Start a CMD shell
  • code21: Start a PowerShell shell
  • code22: Add to the results message the following line: “Microsoft Windows Command Prompt Alternative Started …”
  • code23: Open a TCP Client
  • code24: Start an FTP client
  • code25: Start a Telnet client
  • code26: Execute a shell command
  • code29: Kill active CMD or PowerShell shell
  • code31: Query files and directories
  • code32: Create a Directory
  • code33: Delete files and folders
  • code34: Download a file to the infected machine
  • code35: Upload a File to Dropbox
  • code36: Does nothing
  • code37: Download a file to the infected machine and execute it
  • code38: Lateral movement using WMI

New APT adversary

This malware is operated by a new nation-state group identified as MalKamak. The group is likely connected to the Iranian government, as indicated by overlaps in code style, naming conventions, and methods.

The most recent version of ShellClient was observed in Operation GhostShell, which follows the broader trend of abusing cloud-based storage services; in this case, the attackers abused the popular Dropbox service.

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
