ShellClient RAT

Overview

Security researchers recently unveiled a long-standing campaign that was being carried out by a new Iranian threat actor known as MalKamak. The campaign, dubbed Operation Ghostshell, leveraged a previously unknown remote access trojan (RAT) called ShellClient with the end goal of stealing sensitive information about critical assets, organizations' infrastructure, and technology.

A key part of how ShellClient can avoid detection by traditional security solutions is that it uses legitimate cloud services, such as Dropbox, for command-and-control (C2) communications. In doing so, the attacker can blend in with normal web traffic moving in and out of the targeted organization’s infrastructure. Within Dropbox, the attacker stores three folders that contain information about the infected machines, what commands are to be executed by the RAT itself, and the results of these commands.

‍

Lookout Analysis

SaaS apps and cloud services are common attack targets with huge risk surfaces. Not only is the cloud a target, but it’s also leveraged by attackers as a threat vector used to carry out reconnaissance and exfiltrate sensitive data as exemplified by this campaign. Since using legitimate cloud services as a C2 host enables attackers to fly under the radar, there’s been significant growth in this tactic.

This incident exemplifies why most cloud exposures and leaks are due to misuse of the cloud services, user errors, and poor governance on the customer side. As people access these services from more places, there also needs to be a way to ensure that mobile users and devices are included in the dynamic access and data handling policies in place. Doing so enables you to continuously monitor all traffic to your cloud and apply user behavior analytics to identify malicious activities.