Iranian Hackers Attack Dropbox

Security researchers have discovered a new cyber espionage campaign directed against the aerospace and telecommunications industries, primarily in the Middle East. The attacks appear intended to steal sensitive information about critical assets, organisations’ infrastructure and technology while staying hidden and evading security solutions.

A group of hackers believed to be based in Iran is also targeting organisations in the US and elsewhere with a campaign that uses the cloud storage service Dropbox. The group's main malware tool is a remote access Trojan (RAT) called ShellClient that has been in development and likely in active use since 2018; different versions with functionality improvements have been identified.

The leading US cyber security company Cybereason has investigated the attacks, which it calls "Operation Ghostshell," pointing out the use of the previously undocumented and stealthy ShellClient RAT as the main spy tool of choice.

The first sign of the attacks was observed in July 2021 against a handpicked set of victims, indicating a highly targeted approach. "The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown," Cybereason researchers reported.

Cybereason traced the roots of this threat back to November 6, 2018, when it operated as a standalone reverse shell before evolving into a sophisticated backdoor, highlighting that the malware has been under continuous development with new features and capabilities added by its authors.

What's more, the adversary behind the attacks is also said to have deployed an unknown executable named "lsa.exe" to perform credential dumping. Investigation into the attribution of the cyber attacks has also yielded an entirely new Iranian threat actor named MalKamak that has been operating since around the same time period and has eluded discovery and analysis thus far. 

These hackers have possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT and Agrius APT. Indeed, Agrius APT was found posing as a ransomware operation in an effort to conceal the origin of a series of data-wiping hacks against Israeli targets.

The Dropbox storage contains three folders, each storing information about the infected machines, the commands to be executed by the ShellClient RAT, and the results of those commands. "Every two seconds, the victim machine checks the commands folder, retrieves files that represent commands, parses their content, then deletes them from the remote folder and enables them for execution," the researchers said.
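The fixed two-second polling described above leaves a timing pattern that defenders can hunt for in proxy or DNS logs. The following is an added example, not code from Cybereason or the original article: it flags hosts where a process other than the expected Dropbox client contacts Dropbox API hosts at a steady interval of about two seconds. The log format, hostnames, process names and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

# Assumption: Dropbox API hostnames as seen in proxy/DNS logs. The article
# does not name the endpoints ShellClient contacts.
DROPBOX_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Assumption: processes expected to talk to Dropbox in this environment.
EXPECTED_PROCESSES = {"dropbox.exe"}

def build_sample_log():
    """Constructed records: 'ISO-timestamp host process destination'."""
    base = datetime(2021, 7, 1, 10, 0, 0)
    def rec(offset_s, host, proc):
        ts = (base + timedelta(seconds=offset_s)).isoformat()
        return f"{ts} {host} {proc} api.dropboxapi.com"
    lines = []
    for i in range(30):
        lines.append(rec(2 * i, "WS-014", "svc_update.exe"))  # steady 2 s poll
        lines.append(rec(2 * i, "WS-030", "dropbox.exe"))      # expected client
    for i in range(25):
        lines.append(rec(i * i, "WS-022", "chrome.exe"))       # irregular use
    return lines

def find_beacons(lines, period=2.0, tolerance=0.5, min_events=20):
    """Return (host, process, events, median_gap) for steady Dropbox polling."""
    seen = defaultdict(list)
    for line in lines:
        ts, host, proc, dest = line.split()
        if dest in DROPBOX_HOSTS and proc.lower() not in EXPECTED_PROCESSES:
            seen[(host, proc)].append(datetime.fromisoformat(ts))
    hits = []
    for (host, proc), times in seen.items():
        if len(times) < min_events:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Beacon-like: median gap near the period and very little jitter.
        if abs(median(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits.append((host, proc, len(times), median(gaps)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(hit)
```

A process-name allowlist is easy to spoof, so in production it should be replaced with the binary's signer or full path from endpoint telemetry.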

Sources: Cybereason; Bloomberg; The Hacker News; TechTarget; Information Security Buzz; CSO Online; Haktechs; CyberSocialHub
