A new threat actor targeting organizations in the aerospace and telecommunications sectors with the ShellClient malware as part of Operation GhostShell. ShellClient is previously undocumented and stealthy RAT used to steal sensitive info from the victims.

Researchers attributed the campaigns to a new Iran-linked threat actor tracked as MalKamak, which have some connections with the APT39 group. Operation GhostShell is a highly targeted cyber espionage campaign that mainly hit entities in the Middle East, along with other victims in the U.S., Russia, and Europe.

The analysis of the malware employed in the recent Operation GhostShell (version 4.0.1) revealed it was compiled on May 22, 2021. The first version of the RAT is dated back 2018, it was a simple standalone reverse shell, across the years the malware evolved and its authors implemented new functionalities, such as code obfuscation improvements, the use of Costura packer, and new persistence methods.

According to the experts, the PDB path embedded in some of the ShellClient samples suggests that the RAT is part of a restricted or classified project that could be related to military or intelligence agency operations.

The most recent ShellClient versions observed in Operation GhostShell follow the trend of abusing cloud-based storage services, in this case the popular Dropbox service. The ShellClient authors chose to abandon their previous C2 domain and replace the command and control mechanism of the malware with a more simple yet more stealthy C2 channel using Dropbox to exfiltrate the stolen data as well as to send commands to the malware. This trend has been increasingly adopted by many threat actors due to its simplicity and the ability to effectively blend in with legitimate network traffic.

Another interesting connection identified between these malware is based on past IP address resolutions of the domain used by ShellClient azure.ms-tech[.]us and a domain used by IPsec Helper whynooneistherefornoneofthem[.]com. Both of these domains have been resolved to both of the IP addresses 139.162.120.150 and 50.116.17.41. 

Upon examination of these IP addresses, they function as a sinkhole. Further examination of other domains that were resolved to these IP addresses in the past revealed a significant number of malicious domains that were used by Iranian APTs.