Iranian Hackers Attack Dropbox

Uploaded on 2021-10-18 in INTELLIGENCE-Hot Spots-Iran, FREE TO VIEW, TECHNOLOGY--Hackers

Security researchers have discovered a new cyber espionage campaign directed against the aerospace and telecommunications industries, primarily in the Middle East. These attacks seem to have the purpose of stealing sensitive information about critical assets, organisations’ infrastructure and technology while remaining in the dark and successfully evading security solutions.

A group of hackers believed to be based in Iran is targeting organisations also in the US and elsewhere with a campaign that uses cloud storage service Dropbox. The group's main malware tool is a remote access Trojan (RAT) called ShellClient that has been in development and likely active use since 2018, as different versions with functionality improvements have been identified. 

The leading US cyber security company Cybereason has investigated  the attacks which they call  "Operation Ghostshell," pointing out the use of a previously undocumented and stealthy remote access trojan (RAT) called ShellClient that's deployed as the main spy tool of choice. 

The first sign of the attacks was observed in July 2021 against a handpicked set of victims, indicating a highly targeted approach. "The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown," Cybereason researchers reported.

Cybereason traced the roots of this threat back to November 6, 2018, previously operating as a standalone reverse shell before evolving to a sophisticated backdoor, highlighting that the malware has been under continuous development with new features and capabilities added by its authors. 

What's more, the adversary behind the attacks is also said to have deployed an unknown executable named "lsa.exe" to perform credential dumping. Investigation into the attribution of the cyber attacks has also yielded an entirely new Iranian threat actor named MalKamak that has been operating since around the same time period and has eluded discovery and analysis thus far. 

These hackers have possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT and Agrius APT. Indeed, Agrius APT was found posing as a ransomware operation in an effort to conceal the origin of a series of data-wiping hacks against Israeli targets.

The Dropbox storage contains three folders, each storing information about the infected machines, the commands to be executed by the ShellClient RAT, and the results of those commands. "Every two seconds, the victim machine checks the commands folder, retrieves files that represent commands, parses their content, then deletes them from the remote folder and enables them for execution," the researchers said.

Cybereason:     Bloomberg:     The Hacker News:     TechTarget:        Information Security Buzz

CSO Online:      Haktechs:        CyberSocialHub:

You Might Also Read:

Iranian Government Hackers Spy On Dissidents:

« British Police IT Systems Cannot Cope With Cyber Crime
US Proposes Legislation To Control AI »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Surrey Centre for Cyber Security (SCCS)

Surrey Centre for Cyber Security (SCCS)

The Centre focuses on three main research directions - Privacy and Data Protection, Secure Communications, and Human-Centred Security.

Australian Signals Directorate (ASD)

Australian Signals Directorate (ASD)

The Australian Signals Directorate is an intelligence agency in the Australian Government Department of Defence.

Red Balloon Security (RBS)

Red Balloon Security (RBS)

Red Balloon Security is a leading embedded device security company, delivering deep host-based defense for all devices.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Gita Technologies

Gita Technologies

Gita Technologies works to create integrated solutions to the thorniest problems in the field of intelligence and cyber today.

David Hayes-Export Controls

David Hayes-Export Controls

David Hayes-Export Controls provides assistance to companies affected by export controls or who are considering entering the market but are unsure of the commercial and regulatory implications.

Avertium

Avertium

Avertium is the managed security and consulting provider that companies turn to when they want more than check-the-box cybersecurity.

Real Protect

Real Protect

Real Protect is a Brazilian provider of managed security (MSS) and cyber defense services.

Saepio Solutions

Saepio Solutions

Saepio promote an all-encompassing approach to cybersecurity, ensuring the appropriate balance of budget and resource across Policy, Product and People.

Computer Services Inc (CSI)

Computer Services Inc (CSI)

CSI is a leading fintech, regtech and cybersecurity solutions partner operating at the intersection of innovation and service.

Omdia

Omdia

Omdia is a technology research and advisory group. Our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.

Mindflow

Mindflow

Mindflow is dedicated to bringing answers to the challenges the cybersecurity field and beyond face today.

VAST Data

VAST Data

The VAST Data Platform delivers scalable performance, radically simple data management and enhanced productivity for the AI-powered world.

DataKrypto

DataKrypto

DataKrypto’s advanced data encryption solutions protect data throughout its lifecycle.

Maltiverse

Maltiverse

Maltiverse is a threat intelligence platform that provides security teams with high-fidelity threat data and malicious IOCs to enhance detection and response.

AXGATE

AXGATE

AXGATE is a specialized security solutions company based on our distinctive technological capabilities in the field of network information protection.