Research Saturday 11.6.21
Ep 208 | 11.6.21

An incident response reveals a previously unseen tool, ShellClient, behind Operation GhostShell.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Mor Levi: So, it started initially as an incident response to one of our customers, but when we started to unveil the various layers of the breach and the attackers' techniques, we stumbled upon GhostShell.

Dave Bittner: That's Mor Levi. She's VP of Security Practices at Cybereason. The research we're discussing today is titled, "Operation GhostShell - Novel RAT Targets Global Aerospace and Telecoms Firms."

Mor Levi: That was the interesting part, because this tool is a tool that we've never seen before. And apparently the rest of the industry hasn't seen it before, because there was no information about that tool online, anywhere online or in other sources that we were looking at. So that definitely caught our attention.

Dave Bittner: Well, take us through some of the unique things about GhostShell. I mean, what exactly are we talking about here?

Mor Levi: Sure. So first of all, just for clarity's perspective, GhostShell is the name of the operation. The tool itself is called "ShellClient," and there is a threat actor behind that – this is a threat actor that we've revealed and exposed to the world that is called "MalKamak." So, just for terminology perspective, so we'll know how we're referencing things.

Mor Levi: So, if you're asking specifically about the tool itself, what is unique and what is special, we've seen some techniques that are pretty rare, first of all, from the tool perspective. So, one of the significant techniques that are leveraged by this tool is that the command-and-control operation is leveraged through Dropbox. So the tool itself, unlike traditional or more common remote access Trojans that leverage command-and-control systems – they usually leverage either direct command, like interactive command through HTTP or HTTPS or DNS or various other protocols. But in this case, we saw that the threat actor leveraged Dropbox, which basically means they had files in Dropbox that contained the commands, and then the ShellClient would access this Dropbox and download those files with the commands and then run them on the host. So the operator could just put in the Dropbox folder the commands that they need or they want the tool to run, and then the tool would do that once a day or so.

Dave Bittner: Now, how do you suppose that the ShellClient was getting onto people's systems?

Mor Levi: So, it could be through one of many infiltration vectors, to be honest. The access point to networks will, in most cases, be one of the following: either through a misconfigured internet-facing asset, through a vulnerable internet-facing asset, or through a phishing email, you know, that someone clicked on, or even through a previous breach where attackers just left behind something and no one cleaned it up. So usually the infiltration to networks is through one of those vectors. In our particular case, this was through a misconfiguration.

Dave Bittner: Can you take us through some of the things that make ShellClient unique? Some of the ways that it's organized and its capabilities?

Mor Levi: Sure. So, I think from a capability perspective, at the end of the day, remote access Trojans, all of them have a very specific purpose in life: to enable the threat actors to have direct access into the organizational network and to allow them to run reconnaissance commands to collect data on their targets, and obviously to collect any relevant information. The interesting thing with ShellClient as a tool and specifically this campaign, this GhostShell campaign, is the very targeted nature of that campaign, because there are many remote access Trojans out there in what is called the "black market" that threat actors can use. But this one has a very unique fingerprint and is highly customized to fit the goals of this campaign, of this GhostShell campaign and its targets. So I think the sum of this operation is the uniqueness of all of those different factors that eventually led us to the conclusion that we found a threat actor, a group that wasn't previously known.

Dave Bittner: Are there any elements from a technical point of view that are particularly interesting? Do you consider the way that this was coded – are there any clever elements there?

Mor Levi: I think the most unique aspect here is the Dropbox management – the command-and-control infrastructure – because it's not only used for providing the commands for the ShellClient to run, it's also used as the exfiltration vector. The threat actors were eventually uploading the data that they were collecting to those Dropbox accounts. So it was multipurpose, and at the end of the day, this is a very common tool to use, Dropbox. Many organizations use that. It's a legitimate tool. So from the attacker's perspective, it's hiding in plain sight while leveraging the favorite, you know, cloud storage tool everyone can use, and it's very difficult to identify any malicious activity done.

Dave Bittner: And how about persistence? I mean, how are they maintaining their place on the victims' systems?

Mor Levi: So, once the ShellClient is created on the machine, it actually creates several services that are executed either automatically or ad hoc by the threat actor. And those services on the surface might look legitimate, but when you actually look into the name and description and start to inspect the actual names of those services, you realize that those are not legitimate services. So the service that the ShellClient is creating is called "Network Post Detection Service," which is a very vague name and can sound legitimate.

Dave Bittner: Yeah, absolutely. Now, in terms of its capabilities, what sort of things can it do? What sort of commands does it have under its control?

Mor Levi: So the ShellClient can do various types of commands, from, you know, querying the host name, for example, to checking which version of ShellClient is actually running. It's able to extract the IP address of the machine, or actually to ping external IP services to fetch the external IP address of the machine it's currently running on. It can install other things, it can open a command shell, PowerShell. It can create TCP clients, FTP clients. So it has very robust capabilities when it comes to enabling the threat actor to run various operations, and it even has some commands that enable it to run lateral movement using WMI.

Dave Bittner: Now, one of the interesting aspects of your research here is that you explored if this was – or, how old a version of this is, trying to determine how far back this goes. Can you take us through that part of your exploration?

Mor Levi: Sure. So, as I mentioned – and you also asked about the uniqueness of this tool – so, when we are performing those types of incidents and performing the research during the incident and after the incident, we're trying to track any other similar variants or tools that we can correlate with what we're seeing. And when we started to investigate that, as I mentioned, there wasn't a lot of knowledge and information about that tool, so we were able to find only seven other samples that had similar characteristics to the ShellClient, and those samples allowed us to backtrack the earliest version to 2018. And by the way, ever since we've published the research, we've seen some spike of uploads of similar samples to VirusTotal, for example. Again, not that significant. Even in other APT campaigns that we've investigated, there were hundreds of samples that we could leverage and investigate and correlate. And in this case, it was really tactical, and this really attests to the surgical and very targeted operation this was.

Dave Bittner: And who are they targeting? Who does it seem like they're going after here?

Mor Levi: So, from our analysis, and obviously, as you understand, it's a very limited view because there are so few samples and infrastructure out there that we can access. What we were able to gather is that the target of the threat actor is telcos and aerospace companies. And the ones that we were able to identify were companies in the Middle East, in Russia, and in the US. So it's a very specific set of companies and in a very specific set of countries.

Dave Bittner: Well, let's move on then to attribution. Do you have any sense for who might be behind this?

Mor Levi: Yes. So, we've figured that the threat actor that is behind that is an Iranian threat actor, but it's not one of the two famous threat actors. One of them is APT39 and the other one is Agrius APT. So we weren't able to correlate completely, like, to have a distinct connection to APT39 or Agrius. And we are using a threat intel model that is called the diamond model, that is looking into the adversary, their infrastructure, their capabilities, and their victims. And based on that, we thought that the responsible thing to do, if we cannot find a good correlation on those four factors, is to say this is probably a new threat actor, and that's why we've dubbed the threat actor "MalKamak," which is "malicious Kamak," which, Kamak is, I think, a Persian mythology character. So that's the backstory to the name.

Dave Bittner: So, in terms of organizations protecting themselves against this, what are your recommendations?

Mor Levi: So, first of all, one of the capabilities that we saw around the tool itself, the ShellClient, is that it has pretty sophisticated antivirus obfuscation and bypass techniques. So having visibility – that is super important, because this is a more sophisticated type of tool based on what I just shared with you. It's also important as an organization to understand what the threat profile and the threat landscape are for the organization. As I mentioned, this is a very targeted type of campaign. So obviously, if you're not in aerospace or telco, the risk is lower for you to be targeted by that threat actor. But it's really important to understand what the business is and then to create a threat profile for your organization, and from that to draw the relevant threat actors and groups that might be targeting you. And this is obviously in addition to all of the various e-crime and commodity malware that is out there that is not less destructive or damaging than those types of operations.

Dave Bittner: Since you published this research, has anyone else reached out to you? Have you heard from any other organizations, researchers out there who may be on the path of this particular threat actor themselves?

Mor Levi: Yeah, we heard from various groups, including some law enforcement and agencies that are also tracking similar threat actors, and we are comparing notes to see if there is anything that might suggest that it's the same threat actor. And as I mentioned also, since publishing that, we saw there was an uptick of uploads to VirusTotal of similar samples like this one.

Dave Bittner: Our thanks to Mor Levi from Cybereason for joining us. The research is titled, "Operation GhostShell - Novel RAT Targets Global Aerospace and Telecoms Firms." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.