Security vendor Cybereason recently published a report indicating that Iran's MalKamak cyber threat group has operated in the wild since 2018 and stayed undetected by using Dropbox's cloud storage service. Companies in the telecoms and aerospace industries were targeted, including those in the Middle East, Russia, and Europe.
Cybereason researchers Assaf Dahan, Daniel Frank, Tom Fakterman, and Chen Erlich wrote in the report that the intrusions are part of a cyberespionage campaign against a very small set of carefully selected targets. This is supported by the fact that very few samples have been seen in telemetry or in the wild since 2018, in contrast to commodity malware, which is widely distributed.
"ShellClient," a Remote Access Trojan (RAT), is the primary tool used by the group to compromise systems and spread across networks undetected by antivirus software.
Using Dropbox file storage as a command and control platform is one of the more interesting tactics adopted by the group. By polling the Dropbox API every two seconds, the malware can receive commands and transfer files without being flagged by network monitoring tools.
The report notes that the malware's C2 communications are unusual: rather than a conventional interactive session, 'cold files' are saved to a remote Dropbox folder. This method of communication also serves as a form of operational security, because using a public service like Dropbox undermines efforts to track the threat actors' own infrastructure.
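A defender's angle on the two-second polling described above: a client that contacts a cloud-storage API at a short, nearly constant interval stands out from human-paced use of the same service. The script below is an added example, not code from Cybereason or from the report; it scans constructed web-proxy log lines in an assumed format, groups requests per client and API host, and flags pairs whose request intervals are short and low-jitter. The host list, client names, log format and thresholds are all assumptions, and legitimate sync clients also poll, so the thresholds must be tuned against a baseline of your own traffic before the output is treated as an alert.

```python
"""Flag clients that poll a cloud-storage API at a fixed, short interval.

Added example, not code from Cybereason or from the report it describes.
The proxy-log format, client names, thresholds and sample data below are
assumptions constructed for the demonstration.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Cloud-storage API hosts to watch (assumed list; extend for your environment).
WATCHED_HOSTS = ("api.dropboxapi.com", "content.dropboxapi.com")


def build_sample_log():
    """Construct proxy log lines in an assumed format:
    '<ISO timestamp> <client> <method> <host><path> <status>'.
    WS-17 imitates a two-second poll loop; WS-42 is human-paced usage."""
    base = datetime(2021, 10, 6, 9, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} WS-17 POST api.dropboxapi.com/2/files/list_folder 200")
    for offset in (5, 47, 130, 600, 1800):
        ts = (base + timedelta(seconds=offset)).isoformat()
        lines.append(f"{ts} WS-42 POST content.dropboxapi.com/2/files/download 200")
    return lines


def parse_line(line):
    """Return (timestamp, client, host) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts_text, client, _method, url, _status = parts
    try:
        ts = datetime.fromisoformat(ts_text)
    except ValueError:
        return None
    host = url.split("/", 1)[0].lower()
    return ts, client, host


def find_beacons(lines, min_requests=20, max_median_interval=10.0, max_jitter=0.2):
    """Group requests per (client, host); report pairs whose request
    intervals are short and nearly constant.  Thresholds are assumptions:
    tune them against a baseline of legitimate sync-client traffic."""
    timestamps = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, host = parsed
        if host in WATCHED_HOSTS:
            timestamps[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in timestamps.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(intervals)
        mean = statistics.mean(intervals)
        # Coefficient of variation: 0 means perfectly regular polling.
        jitter = statistics.pstdev(intervals) / mean if mean > 0 else 0.0
        if median <= max_median_interval and jitter <= max_jitter:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(stamps),
                "median_interval": median,
                "jitter": round(jitter, 3),
            })
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for finding in find_beacons(build_sample_log()):
        print(finding)
```

Run as-is, the script reports only WS-17 (thirty requests, median interval 2.0 s, zero jitter); WS-42 falls below the request-count floor. In a real deployment the same grouping works over any proxy or DNS log once `parse_line` is adapted to its format, and the findings are a starting point for host triage rather than a verdict on their own.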
Cybereason has notified Dropbox of the RAT's use of its service, but the company has not taken action so far. Cybereason also points out that even if this C2 account were disabled, the attackers could simply create a new one and play whack-a-mole with the service.
Along with receiving commands via Dropbox, the RAT makes use of additional .exe files: one collects credentials and memory contents, while the other, a modified version of WinRAR, compresses and uploads data.
One of the questions raised during the investigation was, "How far back can the malware be traced?" the researchers said. "First, it was assumed to have been developed recently since there was no publicly accessible documentation or anything like that." The code, however, indicates that the sample analyzed is version 4.0, which implies that several earlier versions exist.
Are you also keen to learn more about the tricks, tools, concepts, threats, and attacks of cybersecurity? Then join InfosecTrain for the best quality training.
InfosecTrain
InfosecTrain is a leading provider of consultancy services, certifications, and training in information technology and cyber safety. Our accredited and skilled trainers will help you understand cybersecurity and information security and build the skills you need. Not only do they give you the best training, but they also expose you to new challenges that will serve you well in the future. Enroll in our Cyber Security course today to experience the practical sessions and excellent training from the best trainers.