CyberWire Daily - An incident response reveals itself as GhostShell tool, ShellClient. [Research Saturday]
Episode Date: November 6, 2021
Guest Mor Levi, Vice President of Cyber Practices from Cybereason, joins Dave Bittner to discuss her team's work on "Operation GhostShell - Novel RAT Targets Global Aerospace and Telecoms Firms." In July 2021, the Cybereason Nocturnus and Incident Response Teams responded to Operation GhostShell, a highly-targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe. The Operation GhostShell campaign aims to steal sensitive information about critical assets, organizations' infrastructure and technology. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT (Remote Access Trojan) dubbed ShellClient which was employed as the primary espionage tool. To learn more, listen to the episode. The research can be found here: Operation GhostShell - Novel RAT Targets Global Aerospace and Telecoms Firms
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So it started initially as an incident response to one of our customers.
But when we started to unveil the various layers of the breach
and the attacker's techniques, we've stumbled upon the GhostShell.
That's Mor Levi. She's VP of Security Practices at Cybereason. The research we're discussing
today is titled Operation GhostShell - Novel RAT Targets Global Aerospace and Telecoms Firms.
That was the interesting part because this tool is a tool that we've never seen before.
And apparently the rest of the industry hasn't seen it before because there
was no information about that tool online, anywhere online or in other sources that we're
looking at. So that definitely caught our attention.
Well, take us through some of the unique things about GhostShell. I mean, what exactly are we talking about here?
Sure. So first of all, just for clarity perspective, GhostShell is the name of the operation.
The tool itself is called ShellClient.
And there is a threat actor behind that, that this is a threat actor that we've revealed
and exposed to the world that is called MalKamak.
So just for a terminology perspective, so we'll know how we're referencing things.
So if you're asking specifically about the tool itself, what is unique and what is special,
we've seen some techniques that are pretty rare, first of all, from the tool perspective.
So one of the significant techniques that are leveraged by this tool is that the command and control operation
is leveraged through Dropbox. So the tool itself, unlike traditional or more common
remote access Trojans that leverage command and control systems, they usually leverage either a direct command, like an interactive command, through
HTTP or HTTPS or DNS or various other protocols.
But in this case, we saw that the threat actor leveraged Dropbox, which basically they had
in Dropbox files that contain the commands.
And then ShellClient would access this Dropbox and download those
files with the commands and then run it on the host. So the operator could just put on the Dropbox
folder the commands that they need or they want the tool to run, then the tool would do that once a day or so.
Now, how do you suppose that ShellClient was getting onto people's systems?
So it could be through one of many infiltration vectors. To be honest, the access point to networks will, in most cases, be one of the following:
either through a misconfigured internet-facing asset or through a vulnerable internet-facing asset or through a phishing email that someone
clicked on or even through a previous breach that attackers just left behind something and no one cleaned it up. So usually the infiltration
to networks is through one of those vectors. In our particular case, this was through a misconfiguration.
Can you take us through some of the things that make ShellClient unique,
some of the ways that it's organized and its capabilities?
Sure. So I think from a capability perspective,
at the end of the day, remote access Trojans, all of them have a very specific purpose in life,
right? To enable the threat actors to have direct access into the organizational network
and to allow them to run reconnaissance commands, to collect data on their targets,
and obviously to collect any relevant information.
The interesting thing with ShellClient as a tool, and specifically this campaign,
this GhostShell campaign, is the very targeted nature of that campaign.
Because there are many remote access Trojans out there,
what is called in the black market that threat actors can use. But this one has a very unique
fingerprinting and is highly customized to fit the goals of this campaign, of this GhostShell
campaign and its targets, right? So I think the sum of this operation is the uniqueness of all of those different factors
that eventually led us to the conclusion that we found a threat actor, a group that wasn't
known previously to that.
Are there any elements from a technical point of view that are particularly interesting?
Do you consider the way that this was coded? Are there any clever elements there?
I think that the most unique aspect here is the Dropbox management, the command and control infrastructure, because it's not only
used for providing the commands for ShellClient to run, it's also used as the exfiltration vector.
The threat actors were eventually uploading the data
that they were collecting to those Dropbox accounts.
So it was multi-purpose.
And at the end of the day, this is a very common tool to use Dropbox.
Many organizations use that.
It's a legitimate tool.
So from the attacker's perspective, it's hiding in plain sight while leveraging the favorite cloud security storage tool
that everyone can use, and it's very difficult to identify any malicious activity done.
And how about persistence?
I mean, how are they maintaining their place on the victim's systems?
So once ShellClient is created on the machine, it actually creates
several services that are executed either automatically or ad hoc by the threat actor. And those services on the surface might look legitimate,
but actually looking into the name and description
and when starting to inspect the actual names of those services,
you realize that those are not legitimate services.
So the service that ShellClient is creating
is called Network Post Detection Service,
which is a very vague name and can sound legitimate.
Yeah, absolutely. Now, in terms of its capabilities, what sort of things can it do? What sort of commands does it have under its
control?
So ShellClient can do various types of commands from querying the host
name, for example, check which type of version of ShellClient is actually running. It's able to
extract the IP address of the machine or actually to ping an external IP services to fetch the
external IP address of the machine it's currently running on.
It can install other things. It can open command shell, PowerShell. It can create TCP clients,
FTP clients. So it has very robust capabilities when it comes to enabling the threat actor to run various operations.
And it even has some commands that enable it to run lateral movement using WMI.
Now, one of the interesting aspects of your research here is that you explored
how old a version of this is, trying to determine how far back this goes.
Can you take us through that part of your exploration?
Sure. So as I mentioned, and you also asked about the uniqueness of this tool.
So when we are performing those types of incidents and we're performing the research
during the incident and after the incident, we're trying to track any other similar variants or
tools that we can correlate with what we're seeing. And when we started to investigate that,
as I mentioned, there wasn't a lot of knowledge and information about that tool. So we were able
to find only seven other samples that have similar characteristics to ShellClient.
And those samples allow us to backtrack the earliest version to 2018. And by the way,
ever since we've published the research, we've seen some spike of uploads of similar samples
to VirusTotal, for example. Again, not that significant.
Even in other APT campaigns that we've investigated,
there were hundreds of samples that we could leverage
and investigate and correlate.
And in this case, it was really a handful.
And this really attests to the surgical
and very targeted operation this was.
And who are they targeting? Who does it seem like they're going after here?
So from our analysis, and obviously, as you understand, it's very limited view because
there are so few samples and infrastructure out there that we can access. What we were able to gather is that the target of that threat actor is telcos and
aerospace companies. And the ones that we were able to identify were companies in the Middle
East, in Russia, and in the US. So it's a very specific set of companies and very specific
set of countries.
Well, let's move on then to attribution. Do you have any sense for who might be behind this?
Yes. So we've figured that the threat actor that is behind that is an Iranian threat actor,
but it's not one of the famous two threat actors. One of them is APT39 and the other one is Agrius APT, so we weren't able
to correlate completely, like to have distinct connections to APT39 or Agrius, and we are using
a threat intel model that is called the diamond model that is looking into the adversary,
their infrastructure, their capabilities, and their victims. And based on that, we thought
that the responsible thing to do, if we cannot find a good correlation on those four factors,
this is probably a new threat actor. And that's why we've dubbed the name of the threat actor as MalKamak, which is
malicious Kamak; Kamak is, I think, a Persian mythology character. So that's the backstory to
the name.
So in terms of organizations protecting themselves against this, what are your recommendations?
So first of all, one of the capabilities that we saw around the tool itself, ShellClient,
is that it has pretty sophisticated antivirus obfuscation and bypass techniques.
So having visibility, that is super important because this is a more sophisticated type of tool
based on what I just shared with you. It's also important
as an organization to understand what is the threat profile and the threat landscape to the
organization. As I mentioned, this is a very targeted type of campaign. So obviously, if you're
not in the aerospace or telco, the risk is lower for you to be targeted by that threat
actor. But it's really important to understand what is the business and then to create a threat
profile to your organization. And from that, to draw the relevant threat actors and groups that
might be targeting you. And this is obviously in addition to all of the various e-crime
and commodity malware that is out there
that is not less destructive
or damaging than those types of operations.
Since you published this research,
has anyone else reached out to you?
Have you heard from any other organizations,
researchers out there who may be
on the path of this particular threat actor themselves?
Yeah, we heard from various groups, including some of the law enforcement and agencies that
are also tracking similar threat actors. And we are comparing notes to see if there's anything
that might suggest that it's the same threat actor.
And as I mentioned also since publishing that,
we saw there was an uptick of uploads to VirusTotal
of similar samples like this one.
Our thanks to Mor Levi from Cybereason for joining us.
The research is titled Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms.
We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is... Prakash, Justin Sabe, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.