Telecoms and aerospace: trojan that uses Dropbox discovered, spying on networks and assets

Operation GhostShell: Cybereason researchers have identified a RAT aimed at stealing sensitive information from critical infrastructures by leveraging cloud storage. Industry in the Middle East is the main target, but there have also been victims in the United States, Russia and Europe.

06 Oct 2021, Mi Fio

A cyber espionage campaign is targeting the aerospace and telecommunications industries, mainly in the Middle East but with victims also in the United States, Russia and Europe. It was identified for the first time by a team of Cybereason researchers, who say the trojan campaign has been going on since at least 2018. During the investigation, the Nocturnus team discovered a previously undocumented Remote Access Trojan (RAT), nicknamed ShellClient, which was used as the primary spying tool in the so-called Operation GhostShell, aimed at stealing sensitive information on critical assets, infrastructure and technologies. (The technical report of the investigation is available here.)

The team, consisting of Assaf Dahan, Daniel Frank, Tom Fakterman and Chen Erlich, found that the ShellClient RAT, operated by a group named MalKamak and of Iranian origin, was able to evade antivirus tools and remained undetected, and therefore publicly unknown. Furthermore, the research highlighted possible connections with other Iranian state-sponsored APT threat actors such as Chafer APT (APT39) and Agrius APT. The attacks have been observed predominantly in the Middle East region, but also extend to the United States, Russia and Europe.

First made operational in 2018 and in continuous development since then, the ShellClient RAT added features and stealth with each new version, and the attacks continued at least until last September. The most recent versions of ShellClient abuse the Dropbox cloud storage service in order to go unnoticed and blend in with normal network traffic.
During the first inspection of the ShellClient RAT, the trojan was found to be running as “svchost.exe”, while its internal name was disguised as “RuntimeBroker.exe”.
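The mismatch just described (a process shown as svchost.exe whose PE version resource names it RuntimeBroker.exe) is a cheap signal a defender can look for in endpoint telemetry. The script below is an added example written for this page, not code from the article or from Cybereason. It assumes a snapshot of process records (name, image path, PE OriginalFilename, parent name) collected by an EDR or a collection script; the records it runs on are constructed for illustration, and the expected System32 locations and parent processes are standard Windows facts, not details from the article.

```python
import ntpath
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"

# Expected image directory and parent process for Windows binaries that are
# commonly impersonated (parents taken from the standard Windows process tree).
KNOWN_BINARIES = {
    "svchost.exe": {"dir": SYSTEM32, "parent": "services.exe"},
    "runtimebroker.exe": {"dir": SYSTEM32, "parent": "svchost.exe"},
}


@dataclass
class Proc:
    pid: int
    name: str               # name shown in the process list
    path: str               # full image path on disk
    original_filename: str  # OriginalFilename field of the PE version resource
    parent_name: str        # name of the parent process


def check_process(p: Proc) -> list[str]:
    """Return the masquerading indicators found for one process (empty = clean)."""
    findings = []
    name = p.name.lower()
    orig = p.original_filename.lower()
    # 1. The name the process runs under should match what the PE claims to be.
    if orig and orig != name:
        findings.append(
            f"pid {p.pid}: runs as {p.name} but PE OriginalFilename is {p.original_filename}"
        )
    expected = KNOWN_BINARIES.get(name)
    if expected is None:
        return findings
    # 2. Well-known system binaries live in System32 ...
    if ntpath.dirname(p.path).lower() != expected["dir"]:
        findings.append(f"pid {p.pid}: {p.name} loaded from unexpected path {p.path}")
    # 3. ... and are started by a predictable parent.
    if p.parent_name.lower() != expected["parent"]:
        findings.append(
            f"pid {p.pid}: {p.name} spawned by {p.parent_name}, expected {expected['parent']}"
        )
    return findings


def scan(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> findings for every process that triggered at least one check."""
    return {p.pid: f for p in procs if (f := check_process(p))}


# Constructed sample snapshot (not real telemetry). pid 2 mimics the pattern
# described in the article: shown as svchost.exe, PE name RuntimeBroker.exe.
# The user-profile path and the explorer.exe parent are assumptions.
SAMPLE_PROCS = [
    Proc(1, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe", "services.exe"),
    Proc(2, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", "RuntimeBroker.exe", "explorer.exe"),
    Proc(3, "RuntimeBroker.exe", r"C:\Windows\System32\RuntimeBroker.exe", "RuntimeBroker.exe", "svchost.exe"),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_PROCS).items():
        for line in findings:
            print(line)
```

Only the constructed pid 2 record is flagged, on all three checks. Note that version-resource fields are written by whoever builds the binary, so a matching OriginalFilename proves nothing; the mismatch is useful precisely because it is an avoidable mistake, and the path and parent checks are the ones that still hold when the resource has been cleaned up.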
