Security researchers searching malware utilized to target companies in the aerospace and telecommunications sectors that founded a new threat actor that has been running a cyberespionage campaign since at least 2018. Also known as ShellClient, the malware is a previously undocumented remote access Trojan (RAT) built with a focus on being secretive and for “highly targeted cyber espionage operations.”

Investigators attribute ShellClient to MalKamak, an already hidden threat actor that utilized it for exploration operations and for hijacking sensitive data from targets in the Middle East, the U.S., Russia, and Europe.

Secretive RAT, Active Since 2018

The ShellClient RAT comes on the radar of threat researchers in July during an incident response engagement that revealed cyber espionage activity referred to as Operation GhostShell. Cybereason Nocturnus and Incident Response Teams examined the Malware and observed that it ran on the affected machines disguised as “RuntimeBroker.exe,” an appropriate process that helps with the permissions management for applications from Microsoft Store.

The ShellClient variant utilized for Operation GhostShell shows a collection date of May 22, 2021, and is referred to as version 4.0.1.

The researchers found that its growth began at least November 2018 “from a simple standalone reverse shell to a stealthy modular espionage tool.” With each of the six iterations discovered, the malware increased its functionality and switched between several protocols and methods for data exfiltration (e.g. an FTP client, Dropbox account):

• The earliest variant, compiled in November 2018 – less sophisticated, acting as a simple reverse shell
• Variant V1, compiled in November 2018 – has functions of both client and server, adds new service persistence method concealed as a Windows Defender update service
• Variant V2.1, compiled in December 2018 – adds FTP and Telnet clients, AES encryption, self-update function
• Variant V3.1, compiled in January 2019 – minor modifications, removes the server component

Variant V4.0.0, compiled in August 2021 – marks significant changes, like better code obfuscation and protection via Costura packer, dropping the C2 domain used since 2018, and adding a Dropbox client.

Advance APT adversary

In its investigation, Cybereason looked for details that would link ShellClient to a known adversary but concluded that the malware is operated by a new nation-state group they named MalKamak, which is likely connected to Iranian hackers, as indicated by code style overlap, naming conventions, and techniques.

“While some potential connections to known Iranian threat actors were recognized, our conclusion is that MalKamak is a new and distinct activity group, with unique characteristics that distinguish it from the other known Iranian threat actors” – Cybereason.

The researchers say that MalKamak focuses on highly targeted cyber espionage operations, a theory supported by the low number of samples discovered in the wild or telemetry data since 2018.

Moreover, the way for debugging records possible in some ShellClients samples suggests that the malware is part of a confidential project from a military or intelligence agency. In a separate technical document, the researchers provide a full analysis of all the variants they found during incident response engagements.