Dropbox Commands features used by Iranian Hackers to Compromise Industry Systems

Various reports have revealed a massive cyber-espionage attack that targets companies in the aerospace and telecommunications sector. The report shows that the companies most affected are based in the Middle East, with the goal of these attackers being to steal sensitive details about various assets. The hackers also steal information pertaining to infrastructure and technology.

This cyber-espionage campaign managed to stay undetected because it steals the needed details while evading any security frameworks set in place. This has given it access to a broad range of networks.  

Cybereason, a cybersecurity company based in Boston, called these attacks an “Operation Ghostshell.” The company stated that the new software used in this campaign stems from another remote access trojan (RAT) dubbed ShellClient that went undocumented and is known for its stealth attack mode. This RAT is usually deployed as the main spy tool of choice by threat actors.

The first sign of these attacks on the aerospace and telecom firms was detected in July this year after several victims came forward to highlight a highly targeted attack. Researchers into this attack stated that “the ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown.”

The research stated that this cyber-espionage attack dates back to around November 6, 2018. It stated that before changing to its current mode of operation, the tool was used to function as a standalone reverse shell before it changed to become a sophisticated backdoor used by these attackers . The research also stated that this tool was under regular development where additional features and functionalities were regularly integrated by its creators.

In addition, the developers of this tool also added an extra “Isa.exe” executable used to perform credential dumping. This second functionality remains unknown.

Regarding the origin of this attack, it has been attributed to MalKamak, an Iranian threat actor. This threat actor has been operating since around the time when this tool was developed, and for the duration of time that he has been in operation, he has evaded discovery and analysis into his operations.

In addition, he has also been linked to threat actors sponsored by the Iranian government. He has been linked to actors such as Chafer APT and Agrius APT. In the case of Agrius APT, the threat actor is known to conduct ransomware operations targeted to hide the origin of these attacks, which have wiped away a wide range of data belonging to Israeli institutions.

The ShellClient tool is not only used to conduct reconnaissance and exfiltrate sensitive data but also developed to create a modular portable executable that can perform other operations such as fingerprinting and registry.

Another function of this RAT is that it can also execute commands on cloud storage services . In this case, it has been found to abuse the command-and-control (C2) communications of Dropbox . This allows the RAT to remain undetected by mimicking other genuine network traffic originating from the systems affected during the hack.

The Dropbox storage that is used to execute these attacks is made up of three folders. Each of these folders stores information regarding the infected machines, the commands the ShellClient RAT is supposed to execute and what will happen after these commands have been executed.

The researchers further noted that the victim machine would check the commands folder regularly, which is in every two seconds, and retrieve the files that are made up of commands, parses their content, and this content is later deleted from the remote folder. Afterwards, these commands are enabled for execution and the victim’s device is compromised.

The mode of operation used by this RAT is similar to the operations used by another threat actor known as IndigoZebra. The tactics used by this threat actor were discovered to depend on the Dropbox API to store the relevant commands. These commands are stored in a sub-folder that is specific to a victim. These commands are later retrieved by the hackers and used to conduct the attacks.

These findings also come at a time when cyber espionage attacks ate on the rose. Before this discovery, there was yet another tool dubbed as ‘ChamelGang’ that was also discovered. This tool is believed to be behind the attacks on various aviation, energy, and fuel industries. Most of these espionage attacks have been targeted on countries such as India, Nepal, Japan, Taiwan and the US. These attacks are targeted at stealing data from compromised networks.