Iranian Hackers Attack Dropbox

Uploaded on 2021-10-18 in INTELLIGENCE-Hot Spots-Iran, FREE TO VIEW, TECHNOLOGY--Hackers

Security researchers have discovered a new cyber espionage campaign directed against the aerospace and telecommunications industries, primarily in the Middle East. These attacks seem to have the purpose of stealing sensitive information about critical assets, organisations’ infrastructure and technology while remaining in the dark and successfully evading security solutions.

A group of hackers believed to be based in Iran is targeting organisations also in the US and elsewhere with a campaign that uses cloud storage service Dropbox. The group's main malware tool is a remote access Trojan (RAT) called ShellClient that has been in development and likely active use since 2018, as different versions with functionality improvements have been identified. 

The leading US cyber security company Cybereason has investigated  the attacks which they call  "Operation Ghostshell," pointing out the use of a previously undocumented and stealthy remote access trojan (RAT) called ShellClient that's deployed as the main spy tool of choice. 

The first sign of the attacks was observed in July 2021 against a handpicked set of victims, indicating a highly targeted approach. "The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown," Cybereason researchers reported.

Cybereason traced the roots of this threat back to November 6, 2018, previously operating as a standalone reverse shell before evolving to a sophisticated backdoor, highlighting that the malware has been under continuous development with new features and capabilities added by its authors. 

What's more, the adversary behind the attacks is also said to have deployed an unknown executable named "lsa.exe" to perform credential dumping. Investigation into the attribution of the cyber attacks has also yielded an entirely new Iranian threat actor named MalKamak that has been operating since around the same time period and has eluded discovery and analysis thus far. 

These hackers have possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT and Agrius APT. Indeed, Agrius APT was found posing as a ransomware operation in an effort to conceal the origin of a series of data-wiping hacks against Israeli targets.

The Dropbox storage contains three folders, each storing information about the infected machines, the commands to be executed by the ShellClient RAT, and the results of those commands. "Every two seconds, the victim machine checks the commands folder, retrieves files that represent commands, parses their content, then deletes them from the remote folder and enables them for execution," the researchers said.

Cybereason:     Bloomberg:     The Hacker News:     TechTarget:        Information Security Buzz

CSO Online:      Haktechs:        CyberSocialHub:

You Might Also Read:

Iranian Government Hackers Spy On Dissidents:

« British Police IT Systems Cannot Cope With Cyber Crime
US Proposes Legislation To Control AI »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CSR Privacy Solutions

CSR Privacy Solutions

CSR Privacy Solutions is a leading provider of privacy regulatory compliance programs for small and medium sized businesses.

CERT-MU

CERT-MU

CERT-MU is the Mauritian National Computer Security Incident Response Team.

Cybraics

Cybraics

Cybraics nLighten platform implements a unique and sophisticated artificial intelligence engine that rapidly learns your environment and alerts security teams to threats and vulnerabilities.

Saviynt

Saviynt

Saviynt is a leading provider of Cloud Security and Identity Governance solutions.

Synelixis Solutions

Synelixis Solutions

Synelixis Solutions is a high-tech company founded to provide complete telecommunications, networking, security, control and automation solutions.

Recruit.net

Recruit.net

Recruit.net allows job seekers to instantly find millions of jobs from thousands of web sites with a single search.

Swarmnetics

Swarmnetics

Swarmnetics helps customers discover hard-to-find software vulnerabilities by hacking your system before the bad guys do.

Avertium

Avertium

Avertium is the managed security and consulting provider that companies turn to when they want more than check-the-box cybersecurity.

Greenberg Traurig (GT)

Greenberg Traurig (GT)

Greenberg Traurig, LLP (GT) is a global law firm with offices in 40 locations in the United States, Latin America, Europe, Asia, and the Middle East.

Hunter Strategy

Hunter Strategy

Hunter Strategy focuses on delivering solutions that are concise, scalable, and target our customer’s complex technical challenges.

FirstWave Cloud Technology

FirstWave Cloud Technology

FirstWave Cloud Technology is a global cyber security company which has been delivering Cybersecurity-as-a-service solutions to the market since 2004.

Mobileum

Mobileum

Mobileum is a leading provider of Telecom analytics for roaming, security and risk management and end-to-end domestic and roaming testing solutions.

Ermes

Ermes

Ermes – Intelligent Web Protection provides companies with a solution that effectively secures them against web threats.

Vector Choice Technologies

Vector Choice Technologies

Vector Choice Technology Solutions has a long standing reputation in cyber security consulting since 2008.

MIS Solutions

MIS Solutions

MIS Solutions is a managed cloud and IT security partner making technology work for you.

Nightwing

Nightwing

Nightwing is the intelligence services company that continually redefines the edge of the possible to keep advancing our national security interests.