fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Hackers Use Stealthy ShellClient Malware On Aerospace, Telco Firms

Hackers Use Stealthy ShellClient Malware On Aerospace, Telco Firms

Threat researchers investigating malware used to target companies in the aerospace and telecommunications sectors discovered a new threat actor that has been running cyber espionage campaigns since at least 2018.

Dubbed ShellClient, the malware is a previously undocumented remote access trojan (RAT) built with a focus on being stealthy and for “highly targeted cyber espionage operations.”

Researchers attributed ShellClient to MalKamak, a previously undisclosed threat actor that used it for reconnaissance operations and for stealing sensitive data from targets in the Middle East, the U.S., Russia, and Europe.

Also Read: PDP Act (Personal Data Protection Act) Laws and Regulation

Stealthy RAT, active since 2018

The ShellClient RAT appeared on the radar of threat researchers in July during an incident response engagement that revealed cyber espionage activity now referred to as Operation GhostShell.

Cybereason Nocturnus and Incident Response Teams analyzed the malware and observed that it ran on infected machines disguised as “RuntimeBroker.exe,” a legitimate process that helps with permission management for apps from Microsoft Store.

The ShellClient variant used for Operation GhostShell shows a compilation date of May 22, 2021, and is referred to as version 4.0.1.

ShellClient evolution since 2018

The researchers found that its evolution started since at least November 2018 “from a simple standalone reverse shell to a stealthy modular espionage tool.”

With each of the six iterations discovered, the malware increased its functionality and switched between several protocols and methods for data exfiltration (e.g. an FTP client, Dropbox account):

  • Earliest variant, compiled in November 2018 – less sophisticated, acting as a simple reverse shell
  • Variant V1, compiled in November 2018 – has functions of both client and server, adds new service persistence method concealed as a Windows Defender update service
  • Variant V2.1, compiled in December 2018 – adds FTP and Telnet clients, AES encryption, self-update function
  • Variant V3.1, compiled in January 2019 – minor modifications, removes the server component
  • Variant V4.0.0, compiled in August 2021 – marks significant changes, like better code obfuscation and protection via Costura packer, dropping the C2 domain used since 2018, and adding a Dropbox client

New APT adversary

In its investigation, Cybereason looked for details that would link ShellClient to a known adversary but concluded that the malware is operated by a new nation-state group they named MalKamak, which is likely connected to Iranian hackers, as indicated by code style overlap, naming conventions, and techniques.

Also Read: What Does Resolution Of Data Really Means

“While some possible connections to known Iranian threat actors were observed, our conclusion is that MalKamak is a new and distinct activity group, with unique characteristics that distinguish it from the other known Iranian threat actors” – Cybereason

The researchers say that MalKamak focuses on highly targeted cyber espionage operations, a theory supported by the low number of samples discovered in the wild or telemetry data since 2018.

Furthermore, the path for debugging files available in some ShellClients samples suggests that the malware is part of a confidential project from a military or intelligence agency.

Cybereason created a brief summary of how MalKamak runs, its capabilities, infrastructure, and the types of victims it is interested in.

MalKamak threat actor

Cybereason makes available a set of indicators of compromise for all versions and samples of ShellClient they uncovered, command and control servers, user agents, encryption keys, and related files.

In a separate technical document, the researchers provide full analysis of all the variants they found during incident response engagements.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us