Iranian Hackers Abuse Dropbox in Cyberattacks Against Aerospace and Telecom Firms
Recent events in the cyber security world point to attacks on the aerospace and telecommunications industries, with the targeted organizations based mainly in the Middle East.
A US-based cyber security firm spotted suspicious activity in the middle of 2021 during routine monitoring. It found that a stealthy remote access Trojan (RAT) named ShellClient was being used with the aim of stealing sensitive information. Lying low and undetected, ShellClient was aimed at the critical assets, infrastructure and technology of the industries it targeted.
Researchers have revealed that the RAT has been in operation since at least late 2018. Development of the malware has been an ongoing process, with a number of iterations adding new functionality and greater damaging capability. Throughout these developments, the hacker group has managed to remain undetected and unidentified, evading the prying eyes of cyber security professionals.
Researchers at Cybereason have also found that the threat initially operated as stand-alone malware. As time passed and continuous development added new functionality and capabilities, the malware became able to launch far more damaging attacks. What's more, the malware used an obscure executable named 'lsa.exe' that performed credential dumping, which made it harder for security experts to identify the perpetrators.
Further investigation into the attribution of the cyber attacks has identified MalKamak as the malware with Iranian origin. There is reason to believe it may have links to other Iranian threat actors such as Chafer APT, also known as APT39, and Agrius APT, which gained notoriety in cyber security circles for malware that posed as ransomware to disguise its true purpose: wiping data at Israeli entities.
ShellClient RAT is versatile malware capable of performing fingerprinting and registry operations. The RAT can also use cloud storage for command and control communications, which helps the malware blend in with legitimate traffic and avoid detection.
The detection and identification of ShellClient RAT occurred only days after the discovery of a similar threat known as ChamelGang. Researchers, drawing on various sources, tied that malware to a series of attacks on the fuel, energy, aviation and communications industries.
Incidents like these provide material for researchers to learn more about the modus operandi of hackers acting individually and in groups.