A threat group based in Iran is using what researchers describe as "quite unique" tactics to evade detection.
In new research published Wednesday, security vendor Cybereason said the Iranian threat group, dubbed "MalKamak," has been operating in the wild undetected since 2018, thanks in large part to abusing Dropbox's cloud storage service. Targets included companies based in the U.S., Middle East, Russia and Europe, specifically in the telecoms and aerospace industries.
Cybereason noted that it is possible the MalKamak cyberespionage group is a subset of one of the larger Iran-backed advanced persistent threat (APT) operations, either Chafer APT (aka APT39) or Agrius APT.
"The intrusions analyzed by Cybereason suggest that the motivation is cyber espionage against a very small set of carefully selected targets," Cybereason researchers Assaf Dahan, Daniel Frank, Tom Fakterman and Chen Erlich wrote in the report. "This is supported by the fact that there are very few samples found in the telemetry or in-the-wild since 2018, in contrast to commodity malware that can usually be found in abundance."
The group's primary attack tool is a remote access trojan (RAT) dubbed "ShellClient." The tool covertly compromises systems and moves laterally around networks without being detected by antivirus software.
"The authors of ShellClient invested a lot of effort into making it stealthy to evade detection by antivirus and other security tools by leveraging multiple obfuscation techniques and recently implementing a Dropbox client for command and control (C2), making it very hard to detect," the researchers said.
Among the more interesting tactics employed by the group is the use of the Dropbox file storage service as a command and control platform. By running checks every two seconds via the Dropbox API, the malware is able to receive commands and transfer files without being detected by network monitoring tools.
One feature of the campaign, dubbed "Operation GhostShell" by Cybereason, that stuck out to the research team was the way ShellClient receives its commands -- the malware downloads instructions from stored files rather than opening up a remote shell connection.
"The C2 communications this malware implements are quite unique, as they rely on 'cold files' being saved to a remote Dropbox, instead of a common interactive session," the report said. "This method of communication is an interesting Operational Security solution, making it difficult to trace the threat actor's infrastructure by utilizing a public service such as Dropbox."
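A defender-side check for the fixed two-second polling described above, as an added example that is not from Cybereason's report: it flags processes outside an allowlist that contact Dropbox API hosts at a short, steady interval. The log format, process names, allowlist and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Dropbox API hostnames; everything else here (log layout, names) is assumed.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
EXPECTED_CLIENTS = {"dropbox.exe"}  # assumed allowlist of sanctioned clients

def parse(line):
    """Parse 'ISO-timestamp host process dest_host' (constructed format)."""
    ts, host, proc, dest = line.split()
    return datetime.fromisoformat(ts), host, proc.lower(), dest.lower()

def find_beacons(lines, max_interval=5.0, max_jitter=0.5, min_events=10):
    """Return {(host, process): mean_gap_seconds} for steady short-interval pollers."""
    seen = defaultdict(list)
    for line in lines:
        ts, host, proc, dest = parse(line)
        if dest in DROPBOX_API_HOSTS and proc not in EXPECTED_CLIENTS:
            seen[(host, proc)].append(ts)
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_events:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Machine-driven polling: short mean gap with almost no variation.
        if avg <= max_interval and pstdev(gaps) <= max_jitter:
            hits[key] = round(avg, 2)
    return hits

def sample_log():
    """Constructed proxy log: a 2-second poller, a sanctioned client, a browser."""
    base = datetime(2021, 10, 6, 9, 0, 0)
    def row(sec, host, proc, dest):
        return f"{(base + timedelta(seconds=sec)).isoformat()} {host} {proc} {dest}"
    lines = [row(2 * i, "WS-01", "updater.exe", "api.dropboxapi.com") for i in range(15)]
    lines += [row(4 * i, "WS-02", "Dropbox.exe", "content.dropboxapi.com") for i in range(12)]
    offsets = [0, 1, 41, 44, 164, 165, 300, 302, 420, 425, 600, 601]  # human-paced
    lines += [row(s, "WS-03", "chrome.exe", "api.dropboxapi.com") for s in offsets]
    return lines

if __name__ == "__main__":
    for (host, proc), gap in find_beacons(sample_log()).items():
        print(f"{host} {proc}: Dropbox API request every {gap}s")
```

The thresholds need tuning against baseline traffic, and the process name must come from endpoint telemetry, since a web proxy alone sees only the destination host.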
While Cybereason has informed Dropbox of the RAT using its service, so far the company has yet to take action. Cybereason noted that even if this specific C2 account were disabled, it would be trivial for the hackers to create a new account, leaving the service playing whack-a-mole.
In addition to receiving commands over Dropbox, the RAT also employs specialized .exe files. One is dedicated to collecting credentials and memory contents, while the other is a version of WinRAR that compresses and uploads stolen data.
As with the group itself, the RAT package is believed to have been active and undetected as far back as 2018.
"One of the questions that came up during the investigations was regarding how far back use of the malware can be observed," the researchers said. "At first it was thought to have been developed recently since there was no publicly available documentation or any mention of it available. However, the code indicates that the sample we analyzed was version 4.0, which implies there should be several previous versions."
Cybereason told SearchSecurity that it informed Dropbox of Operation GhostShell, but that the threat activity is ongoing.
SearchSecurity contacted Dropbox for comment, and the cloud provider said the malicious account has been taken down.