[MART] - Daily Diary #364 - ShellClient Malware Used In The Cyber Espionage Campaign "Operation GhostShell"

CTAS-MAT ctas-mat at appgate.com
Thu Oct 7 19:28:43 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

10/07/2021 - Diary entry #364:


Recently, a newly identified Iran-linked threat actor named MalKamak (related to the APT39 group) has been discovered targeting aerospace and telecommunications companies in the Middle East, as well as victims in the U.S., Russia, and Europe, since at least 2018. As part of a cyber espionage campaign named Operation GhostShell, the attackers use a stealthy and previously undocumented Remote Access Trojan named ShellClient to steal sensitive information from the victims.


In a recent campaign, the ShellClient RAT was found running on victims' machines masquerading as the legitimate Microsoft Windows process "svchost.exe". The executable uses a known .NET packer called Costura to protect its modules, and stores most of its strings as byte arrays rather than plain text to hinder static detection. The threat actors used ShellClient to deploy additional tools for lateral movement and credential dumping, and WinRAR to compress data before exfiltration. To send commands and receive stolen data, the attackers Base64-encode and AES-encrypt the traffic and use Dropbox as the C2 channel.
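The two host-side characteristics above (a binary posing as svchost.exe, and a process that is not the Dropbox client talking to Dropbox) can be turned into a simple triage check. The script below is an added example and is not part of the original diary entry or of any Appgate tooling; the process records it runs over are constructed sample telemetry, and the expected svchost.exe locations, the services.exe parent, the Dropbox domains and the allowlisted image name are assumptions for a default Windows install that should be tuned to your own environment:

```python
"""Heuristic hunt for svchost.exe masquerading and for processes other than
the Dropbox client contacting Dropbox endpoints, run over constructed
process/network records (added example, not the diary author's code)."""
import ntpath

# Assumption: on a default Windows install the real Service Host lives only
# in these directories and is always started by services.exe.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SVCHOST_PARENT = "services.exe"
# Assumption: only the official client should reach Dropbox APIs; add your
# browsers here if users legitimately use Dropbox through the web.
DROPBOX_ALLOWED_IMAGES = {"dropbox.exe"}
DROPBOX_DOMAINS = ("dropbox.com", "dropboxapi.com")

# Constructed sample telemetry (not real data): one record per process.
SAMPLE_PROCESSES = [
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "remote_hosts": []},
    {"pid": 4120, "image": r"C:\Users\jdoe\AppData\Roaming\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "remote_hosts": ["api.dropboxapi.com"]},
    {"pid": 5033, "image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "remote_hosts": ["api.dropboxapi.com", "content.dropboxapi.com"]},
    {"pid": 6201, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "remote_hosts": []},
    {"pid": 7004, "image": r"C:\Windows\Temp\svchost.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "remote_hosts": []},
]


def _split(image):
    """Return (lower-cased directory, lower-cased basename) of a Windows path."""
    image = image.lower()
    return ntpath.dirname(image), ntpath.basename(image)


def svchost_findings(proc):
    """Reasons a process calling itself svchost.exe looks like a masquerade."""
    directory, name = _split(proc["image"])
    if name != "svchost.exe":
        return []
    reasons = []
    if directory not in SVCHOST_DIRS:
        reasons.append(f"svchost.exe running from unexpected path {proc['image']}")
    _, parent = _split(proc["parent_image"])
    if parent != SVCHOST_PARENT:
        reasons.append(f"svchost.exe spawned by {parent} instead of {SVCHOST_PARENT}")
    return reasons


def dropbox_findings(proc):
    """Flag Dropbox traffic from any image that is not on the allowlist."""
    _, name = _split(proc["image"])
    hosts = [h for h in proc["remote_hosts"] if h.lower().endswith(DROPBOX_DOMAINS)]
    if hosts and name not in DROPBOX_ALLOWED_IMAGES:
        return [f"{name} contacts Dropbox endpoint(s) {', '.join(hosts)}"]
    return []


def hunt(processes):
    """Map pid -> list of findings for every process that tripped a heuristic."""
    results = {}
    for proc in processes:
        reasons = svchost_findings(proc) + dropbox_findings(proc)
        if reasons:
            results[proc["pid"]] = reasons
    return results


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_PROCESSES).items():
        print(f"PID {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Against the sample records, only PIDs 4120 and 7004 are reported; the System32 and SysWOW64 instances started by services.exe, and the real Dropbox client, pass. These are triage heuristics, not proof of compromise: EDR telemetry can show a different parent when the original parent has exited, and web browsers will also reach dropbox.com, so pair the hits with the file's signature status and the Base64/AES-wrapped traffic pattern described above before escalating.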


ShellClient has evolved considerably since its first version in 2018, and now follows the trend of abusing cloud-based storage services to blend in with legitimate network traffic, making it a stealthy and dangerous threat. Our team has observed a lot of threat actors abusing those legitimate services, for example, the Brazilian Banking Trojan Numando (covered in our Daily Diary #351), abusing YouTube to parse the C&C address, and Dridex being delivered via Dropbox (covered in the Daily Diary #225).

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549
