Operation Ghost Cell, a cyberespionage campaign, targets aerospace and telecommunications industries in the Middle East and causes collateral damage in the U.S, Russia and Europe. The threat actors intended to obtain critical data about the organization’s infrastructure and technology. Investigators have found a new and stealthy RAT (Remote cTrojan) dubbed Shell client, used as an espionage tool.
The RAT tool has been developed over 3 years with several changes. RAT can go undetected by Antivirus tools. Security analysts evaluated the users and operators of Shell Client and inferred that an Iranian threat actor called MalKamak had been actively using this RAT.
Archie Agarwal, Founder and CEO at ThreatModeler, a Jersey City, N.J.-based automated threat modelling provider, says, “The sophistication of this previously unknown remote access trojan, coupled with the obfuscation techniques and command & control channel via well known online services to blend in with normal network traffic, demonstrates a level of expertise usually reserved for state-supported operators.”
Agarwal says, “The fact that critical industrial niches were targeted in specific geographic regions such as aerospace and telecoms reinforces this assumption. As the report suggests, similarities with previously known Iranian operational activities have lent credence to the suspicion this is of Iranian origin, however, attribution is difficult in a world full of false flag operations.”
Threat actors often target Dropbox as the system is a popular tool and holds valuable data.
“Dropbox does offer some significant security features — including strong encryption and use of 2-factor authentication — but ultimately, those options are not mandated to users. As a result, poorly secured accounts can often find the service being targeted by malicious actors,” he adds. “In this particular campaign, Dropbox was abused to host a command and control (C2) client. This is not a ground-breaking technique, and DropBox — as well as other popular cloud service providers like Microsoft — have been used to host malicious services. The DropBoxC2 tool encrypts traffic, which makes the network traffic appear legitimate to security solutions, and also being unlikely to raise any red flags with analysts searching through network logs.”