Heimdal Security Blog

ShellClient Malware Used against Aerospace and Telco Firms

ShellClient is a previously undocumented remote access trojan (RAT) built with extra attention to its stealth capabilities on any system it infects.

Apparently, the malware was created in order to help with “highly targeted cyber espionage operations.”

When looking closely at the malware used to target companies in the aerospace and telecommunications sectors, researchers discovered a new threat actor that has been running cyberespionage campaigns since 2018.

ShellClient was linked to MalKamak, a malicious actor who exploited it to conduct reconnaissance and steal sensitive data from targets in the Middle East, the United States, Russia, and Europe.

Threat researchers discovered the ShellClient RAT during an incident response engagement that revealed cyber-espionage activities known as Operation GhostShell.

The malware was found on compromised PCs masquerading as “RuntimeBroker.exe,” a legitimate Windows process that helps manage permissions for apps from the Microsoft Store, according to the Cybereason Nocturnus and Incident Response Teams.
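A defender-side check for the masquerading described above, written as an added example rather than code from the report: it flags any process named RuntimeBroker.exe whose image is not the copy in System32. The System32 location is assumed to be the only legitimate one, and the process list is constructed sample data, not real telemetry.

```python
from pathlib import PureWindowsPath

# Assumed legitimate location of the Windows RuntimeBroker.exe binary.
LEGIT_RUNTIMEBROKER = PureWindowsPath(r"C:\Windows\System32\RuntimeBroker.exe")


def is_suspicious_runtimebroker(image_path: str) -> bool:
    """True if a process is named RuntimeBroker.exe but runs from outside System32.

    PureWindowsPath compares case-insensitively, so mixed-case paths to the
    real binary are not flagged.
    """
    p = PureWindowsPath(image_path)
    if p.name.lower() != "runtimebroker.exe":
        return False
    return p != LEGIT_RUNTIMEBROKER


def find_masquerading(processes):
    """Given (pid, image_path) records, return the pids of out-of-place RuntimeBroker.exe processes."""
    return [pid for pid, path in processes if is_suspicious_runtimebroker(path)]


# Constructed sample process list; paths and pids are illustrative only.
SAMPLE_PROCESSES = [
    (1204, r"C:\Windows\System32\RuntimeBroker.exe"),              # genuine
    (2376, r"c:\windows\system32\runtimebroker.exe"),              # genuine, different case
    (4410, r"C:\Users\alice\AppData\Local\Temp\RuntimeBroker.exe"),  # user-writable dir
    (5120, r"C:\ProgramData\RuntimeBroker.exe"),                   # wrong location
    (6001, r"C:\Windows\explorer.exe"),                            # unrelated process
]

if __name__ == "__main__":
    for pid in find_masquerading(SAMPLE_PROCESSES):
        print(f"suspicious RuntimeBroker.exe: pid {pid}")
```

On a live host the same function can be fed the image paths of running processes; a hit is a lead for triage, not proof of ShellClient on its own.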

Version 4.0.1 of the ShellClient variant used in Operation GhostShell carries a compilation timestamp of May 22, 2021.

As explained by BleepingComputer, each newly discovered iteration of the malware gained functionality and switched between several data exfiltration protocols and techniques (e.g., an FTP client, a Dropbox account).

Cybereason researchers sought evidence that would link ShellClient to a known adversary, but they concluded the malware is operated by MalKamak, a new nation-state actor linked to Iranian hackers. This conclusion is based on similarities in coding style, naming conventions, and tactics.

While some possible connections to known Iranian threat actors were observed, our conclusion is that MalKamak is a new and distinct activity group, with unique characteristics that distinguish it from the other known Iranian threat actors.

Source

MalKamak concentrates on highly focused cyber espionage activities, a notion backed up by the minimal number of samples found in the wild or telemetry data since 2018.

Furthermore, some ShellClient samples contain a debug file path left in the binary, implying that the malware may be part of a top-secret military or intelligence effort.