Cybereason has published a new threat intelligence report, uncovering a highly-targeted cyber-espionage operation targeting global aerospace and telecommunications companies.
The report, titled Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms, details the stealthy attacks against companies in the Middle East, United States, Europe and Russia. The investigation reveals possible connections to several Iranian state-sponsored threat actors including Chafer APT (APT39) and Agrius APT.
The report identifies a newly discovered Iranian threat actor behind the attacks dubbed MalKamak that has been operating since at least 2018 and remained unknown until today.
In addition, the still-active campaign leverages a very sophisticated and previously undiscovered Remote Access Trojan (RAT) dubbed ShellClient that evades antivirus tools and other security apparatus and abuses the public cloud service Dropbox for command and control (C2).
Also Read: How to Counter DDoS Threats
Using the ShellClient RAT, the threat actor also deployed additional attack tools to perform various espionage activities on the targeted networks including additional reconnaissance, lateral movement in the environment, and the collection and exfiltration of sensitive data. Operation GhostShell is assessed to be run by a state-sponsored threat actor, or Advanced Persistent Threat (APT).
“The Operation GhostShell report revealed a complex RAT capable of evading detection since as early as 2018, and the recent DeadRinger report also uncovered a similarly evasive threat from as early as 2017, which tells us a lot about how advanced attackers are continuously defeating security solutions,” said Cybereason CEO and co-founder Lior Div.
He added, “Layering on more tools to produce even more alerts that overwhelm defenders is not helping us stop sophisticated attacks, which is why Cybereason takes an operation-centric approach that detects based on very subtle chains of behaviour where the adversary’s own actions work against them to reveal the attack at the earliest stages.”