Threats Feed | MalKamak | Last Updated: 02/10/2024 | Author: Certfa Radar | Publish Date: 07/10/2021

MalKamak Targets Middle Eastern Aerospace and Telecom Firms with ShellClient RAT

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Malware, RAT
  • Attack Complexity: High
  • Threat Risk: High Impact / High Probability

Threat Overview

The Iranian APT group MalKamak has been targeting aerospace and telecommunications companies in the Middle East since at least 2018, with additional victims in the US, Russia and Europe. The group uses ShellClient, a newly discovered remote access trojan (RAT), to conduct highly targeted cyberattacks. ShellClient uses Dropbox, a popular cloud-based service, for command and control (C2) operations, replacing the group's previous C2 infrastructure.

Detected Targets

Type   | Description            | Confidence
Sector | Aerospace              | Verified
Sector | Telecommunication      | Verified
Region | Middle East Countries  | Verified
Region | Russia                 | Verified
Region | United States          | Verified
Region | European Countries     | Verified

Extracted IOCs


Tip: 9 IOCs related to this threat have been found (0 IP, 1 domain, 0 URL, 0 email, 8 file hash).

Overlaps

MalKamak: MalKamak's GhostShell Campaign Hits Middle East, U.S., and Europe

Source: Cybereason - October 2021

Detection (six cases): 186ab2a5662c5e3994ee1cbfcf9e7842f1e41b1a4041c67f808914dfc8850706, 21cc9c0ae5f97b66d69f1ff99a4fed264551edfe0a5ce8d5449942bf8f0aefb2, 49c41771e8e348b30de43d1112221c71a6497794b541fead7f3b2eab706afba3, 5d5ff74906d2666be0fbfe420c5d225684aa1cb516fffc32cfeee9e788e4b6e4, a541afa0e73c3942b8c3645a3ba1ea59c4d6e1110e271be34fdb6a8c02a299e2, azure.ms-tech[.]us

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.