Posted on Leave a comment

Operation GhostShell Uses MalKamak APT to Target Aerospace And Telco Firms .

Operation GhostShell is a highly targeted cyber espionage campaign that mainly targeted companies in the Middle East and also in the United States, Russia, and Europe. The purpose of the attacks  is to steal information about the victims infrastructure, technology and important resources.

During the investigation, the Nocturnus Team discovered ShellClient, a previously unknown and covert RAT that was used as the main espionage instrument.

“During the investigation, efforts were made to identify instances of the ShellClient code and to determine its origin or affiliation with known threat actors. Given the fact that ShellClient was previously undocumented and unknown at the time of the investigation, and the identity of the threat actor behind the attack was unclear, the Nocturnus Team first attempted to find links to known adversary groups that have carried out similar attacks in the past against this industry and the affected regions. 

While some possible connections to known Iranian threat actors were observed, our conclusion is that MalKamak is a new and distinct activity group, with unique characteristics that distinguish it from the other known Iranian threat actors. In publishing this data, it is hoped that more attention will be given to this threat and over time more information about ShellClient origins will emerge” reads the blogpost.

The original version of the RAT was released in 2018 and it was a simple standalone reverse shell. As the virus matured over time, its creators added new features such as improved code obfuscation, the usage of Costura packer and new persistence techniques.

image12-Oct-04-2021-03-18-44-06-PM
Source:Cyberreason

The malware’s capabilities increased with each version and it switched between numerous protocols and techniques for data exfiltration (e.g., an FTP client, a Dropbox account)

  • Earliest variant, compiled in November 2018 – less sophisticated, acting as a simple reverse shell.
  • Variant V1, compiled in November 2018 – has functions of both client and server, adds new service persistence method concealed as a Windows Defender update service.
  • Variant V2.1, compiled in December 2018 – adds FTP and Telnet clients, AES encryption, self-update function.
  • Variant V3.1, compiled in January 2019 – minor modifications, removes the server component.
  • Variant V4.0.0, compiled in August 2021 – marks significant changes, like better code obfuscation and protection via Costura packer, dropping the C2 domain used since 2018, and adding a Dropbox client.

The most recent ShellClient versions discovered during Operation GhostShell continue the theme of abusing cloud-based storage systems. The designers of ShellClient elected to ditch their prior C2 domain and replace the malware’s command and control mechanism with a more simple yet stealthy C2 channel that uses Dropbox to exfiltrate stolen data and deliver commands to the malware.

The investigation into Operation GhostShell also revealed that ShellClient dates back to at least 2018, and has been continuously evolving ever since while successfully evading most security tools and remaining completely unknown. By studying the ShellClient development cycles, the researchers were able to observe how ShellClient has morphed over time from a rather simple reverse shell to a sophisticated RAT used to facilitate cyber espionage operations while remaining undetected. ” concludes the blogpost.

INDICATORS OF COMPROMISE

SHA-256 Hashes

  • 21cc9c0ae5f97b66d69f1ff99a4fed264551edfe0a5ce8d5449942bf8f0aefb2 – V0
  • 5d5ff74906d2666be0fbfe420c5d225684aa1cb516fffc32cfeee9e788e4b6e4 – V1
  • 186ab2a5662c5e3994ee1cbfcf9e7842f1e41b1a4041c67f808914dfc8850706 – V2.1
  • A541afa0e73c3942b8c3645a3ba1ea59c4d6e1110e271be34fdb6a8c02a299e2 – V3.1
  • 49c41771e8e348b30de43d1112221c71a6497794b541fead7f3b2eab706afba3 – V4.0.0
  • 2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7 – V4.0.1
  • 19e040305fb57592bb62b41c24e9b64162e1e082230a356a304a3193743b102d – ClientCore.dll (V4.0.1)
  • d7aa669de0f8a0cdb898cf33ac38ae65461de3c8c0c313c82ee8d48e408e4c4d – ExtensionLib.dll (V4.0.0 and V4.0.1)
  • 6b7b6e973779c1a07891cc1fa7b3e4078a1308c4114296eb3ea429e08793efe0 – ClientCore.dll (V4.0.0)

Domains

  • azure.ms-tech[.]us
  • ms-tech[.].us

User Agents (V4.0.1)

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
  • Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
  • Mozilla/5.0 (Windows NT 10.0; rv:66.0) Gecko/20100101 Firefox/66.0
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 h1atfoAh-17 Firefox/66.0
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • Mozilla/5.0 (Windows NT 10.0; WOW64; rv:66.0) Gecko/20100101 Firefox/66.0
  • Mozilla/5.0 (Windows NT 10.0; WOW64; rv:65.0) Gecko/20100101 Firefox/65.0
  • Mozilla/5.0 (Windows NT 10.0; rv:65.0) Gecko/20100101 Firefox/65.0
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3790.0 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3782.0 Safari/537.36 Edg/76.0.152.0
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3730.0 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36

Service Names

  • WinDefUpd
  • nhdService

ShellClient V4 Encryption IOCs

  • Encryption key

158 98 64 73 240 26 162 43 95 71 180 125 45 225 114 84 107 246 64 39 14 173 113 32 153 101 212 45 242 46 234 67

  • Decoded: .b@Ið.¢+_G´}-árTkö@’..q .eÔ-ò.êC
  • IV

122 86 251 223 55 35 147 167 215 71 111 210 28 161 154 55

  • Decoded: zVûß7#.§×GoÒ.¡.7

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply