Threats Feed | MalKamak | Last Updated: 02/10/2024 | Author: Certfa Radar | Publish Date: 06/10/2021

MalKamak's GhostShell Campaign Hits Middle East, U.S., and Europe

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Malware, RAT
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

Operation GhostShell is a cyber espionage campaign targeting aerospace and telecommunications companies, primarily in the Middle East, with additional victims in the U.S., Russia and Europe. The operation, attributed to the Iranian group MalKamak, uses a stealthy, continually evolving remote access trojan (RAT) called ShellClient, which has been in development since 2018. ShellClient evades detection through process masquerading, AES-encrypted communications and WMI-based reconnaissance. The attackers used tools such as PAExec for lateral movement and lsa.exe for credential dumping. For data exfiltration, stolen information was compressed with WinRAR and then uploaded via Dropbox.

Detected Targets

Type    | Description            | Confidence
--------|------------------------|-----------
Sector  | Aerospace              | Verified
Sector  | Telecommunication      | Verified
Region  | Middle East Countries  | Verified
Region  | Russia                 | Verified
Region  | United States          | Verified
Region  | European Countries     | Verified

Extracted IOCs

  • whynooneistherefornoneofthem[.]com
  • azure.ms-tech[.]us
  • 1f52b1901edcfff20e2fb436057a27b2
  • 370050d967040f4a4b0dd71bee533089
  • 57f4c3daa3fb6c5155cb40c60d634688
  • 59649501055e1a6b95ac5d050b54d864
  • 7cba41b2cab8e8a263167dacc5dc96eb
  • f6ce0d336eee1969de143373c2b71f29
  • 4f0ffee3bed7a6dd31f1d1dd17f73045b6b4fdec
  • 5bf29e7c3b1e3c6743af039689da102f0f877a9f
  • 6ce5aab58901c641fc7e8a2bec6dc3308459b820
  • 6f81ccb61dcd79cc5fd23c2b6289c2350eee7c36
  • b5ea3a577a1b39458d8f493abdc14c406abaca96
  • e0689982c9182f1c2be0e015b3c0f6e0fc6008f8
  • 186ab2a5662c5e3994ee1cbfcf9e7842f1e41b1a4041c67f808914dfc8850706
  • 21cc9c0ae5f97b66d69f1ff99a4fed264551edfe0a5ce8d5449942bf8f0aefb2
  • 2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7
  • 49c41771e8e348b30de43d1112221c71a6497794b541fead7f3b2eab706afba3
  • 5d5ff74906d2666be0fbfe420c5d225684aa1cb516fffc32cfeee9e788e4b6e4
  • a541afa0e73c3942b8c3645a3ba1ea59c4d6e1110e271be34fdb6a8c02a299e2
  • 139[.]162.120.150
  • 50[.]116.17.41

Tip: 22 related IOCs (2 IP, 2 domain, 0 URL, 0 email, 18 file hash) to this threat have been found.

Overlaps

MalKamak | MalKamak Targets Middle Eastern Aerospace and Telecom Firms with ShellClient RAT

Source: Hive Pro - October 2021

Detection (six cases): 186ab2a5662c5e3994ee1cbfcf9e7842f1e41b1a4041c67f808914dfc8850706, 21cc9c0ae5f97b66d69f1ff99a4fed264551edfe0a5ce8d5449942bf8f0aefb2, 49c41771e8e348b30de43d1112221c71a6497794b541fead7f3b2eab706afba3, 5d5ff74906d2666be0fbfe420c5d225684aa1cb516fffc32cfeee9e788e4b6e4, a541afa0e73c3942b8c3645a3ba1ea59c4d6e1110e271be34fdb6a8c02a299e2, azure.ms-tech[.]us

Agrius | Agrius: From Espionage to Destructive Cyber Attacks in the Middle East

Source: Sentinelone - May 2021

Detection (one case): whynooneistherefornoneofthem[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.