
Cybereason: Remote access Trojan targeted telecomms and aerospace


The Cybereason Nocturnus and Incident Response teams identified a sophisticated and previously undocumented remote access Trojan (RAT), dubbed ShellClient, used for highly targeted cyber espionage operations against top global aerospace and telecommunications companies across the U.S., Middle East, Europe, and Russia.

Diagram details the activities of MalKamak (a cyberespionage group) and its remote access Trojan, dubbed ShellClient, as well as its infrastructure and capabilities. The diagram also lists that ShellClient's main victims are aerospace and telecommunications groups from the Middle East, the US, Russia, and Europe.

These attacks were perpetrated by a newly discovered Iranian state-sponsored threat group — dubbed MalKamak — that has been operating under the radar since at least 2018.

This operation has been ongoing for years, with the malware evolving continuously while successfully evading most security tools. The authors of ShellClient invested considerable effort in stealth: the malware uses multiple obfuscation techniques and recently gained a Dropbox client for command and control (C2), making it very hard to detect. By studying ShellClient's development cycles, Cybereason researchers observed how it morphed over time from a rather simple reverse shell into a sophisticated RAT used to facilitate cyber espionage operations.

The most recent ShellClient versions observed in Operation GhostShell follow the trend of abusing cloud-based storage services — in this case, the popular Dropbox service. The ShellClient authors used Dropbox to exfiltrate the stolen data and send commands to the malware. Threat actors have increasingly adopted this tactic due to its simplicity and the ability to effectively blend in with legitimate network traffic. Ultimately, this discovery tells researchers a lot about the tactics that advanced attackers are using to defeat security solutions.
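The defensive counterpart to the Dropbox C2 tactic described above is hunting for Dropbox API traffic that does not come from where it should. The following is an added illustration, not code from Cybereason's report or from VentureBeat: it scans a constructed tab-separated proxy log (timestamp, host, process, destination, bytes out, user agent) and flags two things, Dropbox API calls from processes outside an assumed allowlist of legitimate Dropbox users, and hosts whose upload volume to Dropbox crosses an assumed exfiltration threshold. The API hostnames, the process allowlist, the threshold and every log line are assumptions chosen for the example.

```python
"""Hunt for Dropbox-as-C2 activity in endpoint/proxy telemetry.

Added example (not Cybereason's or VentureBeat's code). The log format,
hostnames, allowlist, threshold and sample lines are all constructed.
"""
from collections import defaultdict

# Assumed Dropbox API endpoints a C2 client would talk to.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Hypothetical allowlist: processes expected to reach Dropbox on managed hosts.
EXPECTED_PROCESSES = {"Dropbox.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Assumed per-host/process upload volume above which we suspect exfiltration.
EXFIL_BYTES_THRESHOLD = 5_000_000

# Constructed sample log: ts, host, process, destination, bytes_out, user_agent.
SAMPLE_LOG = """\
2021-10-06T09:12:01Z\tWS-0142\tDropbox.exe\tapi.dropboxapi.com\t1024\tOfficialDropboxDesktopClient/131.4
2021-10-06T09:12:07Z\tWS-0142\tchrome.exe\twww.example.com\t512\tMozilla/5.0
2021-10-06T09:13:44Z\tWS-0217\tsvchost.exe\tapi.dropboxapi.com\t2048\tOfficialDropboxDesktopClient/131.4
2021-10-06T09:14:02Z\tWS-0217\tsvchost.exe\tcontent.dropboxapi.com\t6291456\tOfficialDropboxDesktopClient/131.4
2021-10-06T09:15:30Z\tWS-0301\tfirefox.exe\tcontent.dropboxapi.com\t300000\tMozilla/5.0
"""


def parse_log(text):
    """Turn tab-separated log lines into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue
        ts, host, process, dest, bytes_out, ua = fields
        try:
            bytes_out = int(bytes_out)
        except ValueError:
            continue
        events.append({"ts": ts, "host": host, "process": process,
                       "dest": dest, "bytes_out": bytes_out, "ua": ua})
    return events


def find_suspicious_dropbox_use(events):
    """Return findings for unexpected Dropbox API users and high upload volumes.

    The user agent is deliberately not trusted: a C2 client can copy the
    official client's string, so the decision rests on process identity
    and volume, which the endpoint sensor observes directly.
    """
    findings = []
    flagged = set()                    # one unexpected_process finding per (host, process)
    upload_per_pair = defaultdict(int)
    for ev in events:
        if ev["dest"] not in DROPBOX_API_HOSTS:
            continue
        key = (ev["host"], ev["process"])
        upload_per_pair[key] += ev["bytes_out"]
        if ev["process"] not in EXPECTED_PROCESSES and key not in flagged:
            flagged.add(key)
            findings.append({"rule": "unexpected_process", "host": ev["host"],
                             "process": ev["process"], "first_seen": ev["ts"]})
    for (host, process), total in upload_per_pair.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            findings.append({"rule": "high_upload_volume", "host": host,
                             "process": process, "bytes_out": total})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_dropbox_use(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample this yields two findings for the same host and process: a non-allowlisted process calling the Dropbox API, and that process pushing roughly 6 MB to Dropbox within a minute. The two rules are intentionally independent, since a low-volume beaconing channel trips only the first and a bulk upload by an allowlisted browser trips only the second.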

Read the full report by Cybereason.

