Iranian Hackers Attack Dropbox

Security researchers have discovered a new cyber espionage campaign directed against the aerospace and telecommunications industries, primarily in the Middle East. These attacks seem to have the purpose of stealing sensitive information about critical assets, organisations’ infrastructure and technology while remaining in the dark and successfully evading security solutions.

A group of hackers believed to be based in Iran is also targeting organisations in the US and elsewhere, in a campaign that uses the cloud storage service Dropbox. The group's main malware tool is a remote access Trojan (RAT) called ShellClient, which has been in development and likely in active use since 2018, as several versions with functionality improvements have been identified.

The leading US cyber security company Cybereason has investigated the attacks, which they call "Operation Ghostshell", pointing out the use of a previously undocumented and stealthy remote access trojan (RAT) called ShellClient that is deployed as the main spy tool of choice.

The first sign of the attacks was observed in July 2021 against a handpicked set of victims, indicating a highly targeted approach. "The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown," Cybereason researchers reported.

Cybereason traced the roots of this threat back to November 6, 2018, when it operated as a standalone reverse shell before evolving into a sophisticated backdoor, highlighting that the malware has been under continuous development, with new features and capabilities added by its authors.

What's more, the adversary behind the attacks is also said to have deployed an unknown executable named "lsa.exe" to perform credential dumping. Investigation into the attribution of the cyber attacks has also yielded an entirely new Iranian threat actor named MalKamak that has been operating since around the same time period and has eluded discovery and analysis thus far. 

These hackers have possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT and Agrius APT. Indeed, Agrius APT was found posing as a ransomware operation in an effort to conceal the origin of a series of data-wiping hacks against Israeli targets.

The Dropbox storage contains three folders, storing respectively information about the infected machines, the commands to be executed by the ShellClient RAT, and the results of those commands. "Every two seconds, the victim machine checks the commands folder, retrieves files that represent commands, parses their content, then deletes them from the remote folder and enables them for execution," the researchers said.
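The two-second polling loop quoted above is the part of this tradecraft a defender can actually measure: a host that contacts the Dropbox API at a short, near-constant interval stands out from ordinary file-sync traffic. The script below is an added example, not Cybereason's tooling or anything from the report; it scans constructed web-proxy log lines (the hostnames, workstation names and paths are assumed sample values) and flags any source host whose requests to Dropbox API endpoints arrive at a short, low-jitter interval.

```python
"""Flag hosts polling the Dropbox API at a fixed, short interval.

Added example for the article above; not Cybereason's code.  The log lines
below are constructed for illustration, not captured from an incident.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log: "<ISO timestamp> <src_host> <dest_host> <path>".
# WS-017 imitates the two-second polling pattern; WS-042 looks like a
# person syncing files occasionally; WS-099 polls a non-Dropbox site.
SAMPLE_LOG = """\
2021-07-12T09:00:00 WS-017 api.dropboxapi.com /2/files/list_folder
2021-07-12T09:00:02 WS-017 api.dropboxapi.com /2/files/list_folder
2021-07-12T09:00:04 WS-017 api.dropboxapi.com /2/files/list_folder
2021-07-12T09:00:06 WS-017 api.dropboxapi.com /2/files/list_folder
2021-07-12T09:00:08 WS-017 api.dropboxapi.com /2/files/list_folder
2021-07-12T09:00:10 WS-017 api.dropboxapi.com /2/files/list_folder
2021-07-12T09:00:12 WS-017 api.dropboxapi.com /2/files/list_folder
2021-07-12T09:00:01 WS-042 api.dropboxapi.com /2/files/list_folder
2021-07-12T09:03:45 WS-042 api.dropboxapi.com /2/files/upload
2021-07-12T09:17:10 WS-042 api.dropboxapi.com /2/files/list_folder
2021-07-12T09:00:00 WS-099 www.example.net /index.html
2021-07-12T09:00:02 WS-099 www.example.net /index.html
2021-07-12T09:00:04 WS-099 www.example.net /index.html
"""

# Assumed set of Dropbox API hostnames worth watching.
DROPBOX_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}


def parse_log(text):
    """Yield (timestamp, src_host, dest_host, path) tuples from log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, path = line.split()
        yield datetime.fromisoformat(ts), src, dest, path


def find_beaconing_hosts(text, max_interval=5.0, max_jitter=0.5, min_requests=5):
    """Return {src_host: median_interval_seconds} for hosts whose requests to
    Dropbox API endpoints are frequent (median gap <= max_interval seconds),
    regular (population std-dev of gaps <= max_jitter) and numerous enough
    (at least min_requests) to rule out a one-off sync."""
    times = defaultdict(list)
    for ts, src, dest, _path in parse_log(text):
        if dest in DROPBOX_HOSTS:
            times[src].append(ts)

    flagged = {}
    for src, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= max_interval and pstdev(gaps) <= max_jitter:
            flagged[src] = med
    return flagged


if __name__ == "__main__":
    for host, interval in find_beaconing_hosts(SAMPLE_LOG).items():
        print(f"{host}: polls the Dropbox API every {interval:.1f}s")
```

On the constructed sample only WS-017 is flagged, with a median gap of 2.0 seconds; WS-042's three sporadic requests fall under the request threshold and WS-099 never touches a Dropbox host. The thresholds are deliberately loose because a real implant may add jitter or lengthen its sleep; in practice this signal is a prompt for triage of the polling process on the host (which binary, which account, and whether the Dropbox client is even installed), not a verdict on its own.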

Sources: Cybereason, Bloomberg, The Hacker News, TechTarget, Information Security Buzz, CSO Online, Haktechs, CyberSocialHub
