Iranian Hackers Attack Dropbox

Uploaded on 2021-10-18 in INTELLIGENCE-Hot Spots-Iran, FREE TO VIEW, TECHNOLOGY--Hackers

Security researchers have discovered a new cyber espionage campaign directed against the aerospace and telecommunications industries, primarily in the Middle East. These attacks seem to have the purpose of stealing sensitive information about critical assets, organisations’ infrastructure and technology while remaining in the dark and successfully evading security solutions.

A group of hackers believed to be based in Iran is targeting organisations also in the US and elsewhere with a campaign that uses cloud storage service Dropbox. The group's main malware tool is a remote access Trojan (RAT) called ShellClient that has been in development and likely active use since 2018, as different versions with functionality improvements have been identified. 

The leading US cyber security company Cybereason has investigated  the attacks which they call  "Operation Ghostshell," pointing out the use of a previously undocumented and stealthy remote access trojan (RAT) called ShellClient that's deployed as the main spy tool of choice. 

The first sign of the attacks was observed in July 2021 against a handpicked set of victims, indicating a highly targeted approach. "The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown," Cybereason researchers reported.

Cybereason traced the roots of this threat back to November 6, 2018, previously operating as a standalone reverse shell before evolving to a sophisticated backdoor, highlighting that the malware has been under continuous development with new features and capabilities added by its authors. 

What's more, the adversary behind the attacks is also said to have deployed an unknown executable named "lsa.exe" to perform credential dumping. Investigation into the attribution of the cyber attacks has also yielded an entirely new Iranian threat actor named MalKamak that has been operating since around the same time period and has eluded discovery and analysis thus far. 

These hackers have possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT and Agrius APT. Indeed, Agrius APT was found posing as a ransomware operation in an effort to conceal the origin of a series of data-wiping hacks against Israeli targets.

The Dropbox storage contains three folders, each storing information about the infected machines, the commands to be executed by the ShellClient RAT, and the results of those commands. "Every two seconds, the victim machine checks the commands folder, retrieves files that represent commands, parses their content, then deletes them from the remote folder and enables them for execution," the researchers said.

Cybereason:     Bloomberg:     The Hacker News:     TechTarget:        Information Security Buzz

CSO Online:      Haktechs:        CyberSocialHub:

You Might Also Read:

Iranian Government Hackers Spy On Dissidents:

« British Police IT Systems Cannot Cope With Cyber Crime
US Proposes Legislation To Control AI »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

National Association of Software and Services Companies (NASSCOM) - India

National Association of Software and Services Companies (NASSCOM) - India

NASSCOM is a trade association of Indian Information Technology and Business Process Outsourcing industry. Areas of activity include cyber security.

Virsec Systems

Virsec Systems

Virsec detects and remediates previously “indefensible” advanced memory-based attacks on critical applications and server endpoints.

Swiss CyberSecurity

Swiss CyberSecurity

Swiss CyberSecurity is a non-profit group based in Geneva, set up to provide information and as a forum for discussion of topics related to CyberSecurity.

Excellium Services

Excellium Services

Excellium’s Professional Services team combines expertise and experience that complements your in-house security resources.

Squalio

Squalio

Squalio is an information technology group that delivers solutions and services for secure and effective IT management.

Cybertonica

Cybertonica

Cybertonica is a FinTech company which detects and prevents fraudulent transactions and reduces risk for financial services organisations.

Camel Secure

Camel Secure

Camel Secure is a company specialized in the development of products for information security and technology risk management.

3i Infotech

3i Infotech

3i Infotech offers consulting & professional services to assess, design and build next gen IT infrastructure, and managed services to operate, optimize and continuously improve.

NI Cyber Security Centre

NI Cyber Security Centre

NI Cyber Security Centre works to make Northern Ireland cyber safe, secure and resilient for its citizens and businesses.

Coralogix

Coralogix

Coralogix are rebuilding the path to observability using a real-time streaming analytics pipeline that provides monitoring, visualization, and alerting capabilities without the burden of indexing.

Mitigate Cyber

Mitigate Cyber

Mitigate Cyber (formerly Xyone Cyber Security) offer a range of cyber security solutions, from threat mitigation to penetration testing, training & much more.

Sidcon International Consulting Company

Sidcon International Consulting Company

SIDCON International Consulting Company has been providing consulting services since 2002 for private and public organizations in Ukraine and other countries.

Lansafe

Lansafe

Lansafe stands as a leading managed service provider in the UK, seamlessly integrating IT, Telecoms, Security, Electrical and Cyber Security solutions.

Redcoat AI

Redcoat AI

Redcoat AI provide a comprehensive security platform that continuously evolves with the threats and opportunities presented by AI.

Razilio

Razilio

Razilio is a boutique cybersecurity consultancy located in Sydney, Australia and serving the world.

Badge

Badge

Badge authenticates you on-demand for every application, on any device, without storing any secrets.