MalKamak, an Iranian state-sponsored cyber threat group, has launched targeted attacks against several global aerospace and telecommunications companies, according to a threat intelligence report from Cybereason.
The cyber threat group has been operating since at least 2018, Cybereason noted. It leverages the ShellClient Remote Access Trojan (RAT), which evades antivirus tools and other security applications and abuses Dropbox for command and control.
Cybereason's Nocturnus and Incident Response teams responded to the Operation GhostShell cyber espionage campaign in July 2021. This campaign targeted aerospace and telecommunications organizations primarily in the Middle East and was used to steal sensitive information about victims' critical assets, infrastructure and technology.
At that time, the Nocturnus team discovered ShellClient, which was employed as the primary espionage tool, Cybereason indicated. The team then conducted assessments to determine who operated and authored ShellClient, which led to the identification of MalKamak.
MalKamak cybercriminals have used ShellClient in a way that blends its activity in with legitimate network traffic, Cybereason noted. They applied multiple obfuscation techniques, making it difficult for antivirus tools and other security apps to identify ShellClient attacks.
In addition, MalKamak cybercriminals deployed various attack tools to perform espionage activities on targeted networks, Cybereason indicated. These activities included reconnaissance, lateral movement, and the collection and exfiltration of sensitive data.
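The two points above that matter most to a defender are that ShellClient abuses Dropbox for command and control (so its traffic looks like ordinary cloud-storage use) and that the same channel carries collected data out. The following is an added example, not code from Cybereason or its report: a small detector that reads proxy log lines and flags hosts whose connections to the Dropbox API endpoints arrive at near-regular intervals, which is typical of an implant polling its C2 and atypical of a person using Dropbox. The log format, IP addresses, user-agent strings and timestamps are constructed for this illustration, and the event and regularity thresholds are assumptions to tune per environment.

```python
"""Beaconing detector for Dropbox API traffic in proxy logs.

Added example, not from Cybereason's report. Heuristic: malware that uses a
cloud service as its C2 channel tends to poll it at a (lightly jittered) fixed
interval from a non-browser client, while human Dropbox use is bursty and
irregular. Log format, hosts, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Real Dropbox API hostnames; a client driving Dropbox programmatically talks to these.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Assumed proxy log format (constructed sample):
#   <ISO timestamp> <src_ip> <dest_host> <bytes_out> <user_agent...>
# 10.1.1.20 polls every ~5 minutes with a non-browser client (the suspicious pattern);
# 10.1.1.50 is ordinary, irregular browser use of Dropbox.
SAMPLE_LOG = """\
2021-07-01T09:00:00 10.1.1.20 api.dropboxapi.com 312 CustomClient/1.0
2021-07-01T09:02:13 10.1.1.50 content.dropboxapi.com 8210 Mozilla/5.0 (Windows NT 10.0) Firefox/90.0
2021-07-01T09:02:15 10.1.1.50 www.dropbox.com 1044 Mozilla/5.0 (Windows NT 10.0) Firefox/90.0
2021-07-01T09:02:15 10.1.1.50 content.dropboxapi.com 120440 Mozilla/5.0 (Windows NT 10.0) Firefox/90.0
2021-07-01T09:05:00 10.1.1.20 api.dropboxapi.com 298 CustomClient/1.0
2021-07-01T09:09:50 10.1.1.20 api.dropboxapi.com 305 CustomClient/1.0
2021-07-01T09:15:00 10.1.1.20 api.dropboxapi.com 4120 CustomClient/1.0
2021-07-01T09:20:05 10.1.1.20 api.dropboxapi.com 301 CustomClient/1.0
2021-07-01T09:25:00 10.1.1.20 api.dropboxapi.com 299 CustomClient/1.0
2021-07-01T09:41:07 10.1.1.50 content.dropboxapi.com 2200 Mozilla/5.0 (Windows NT 10.0) Firefox/90.0
2021-07-01T10:15:30 10.1.1.50 content.dropboxapi.com 5100 Mozilla/5.0 (Windows NT 10.0) Firefox/90.0
2021-07-01T10:15:31 10.1.1.50 content.dropboxapi.com 4900 Mozilla/5.0 (Windows NT 10.0) Firefox/90.0
"""


def parse_proxy_log(text):
    """Parse the assumed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, host, bytes_out, ua = line.split(maxsplit=4)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "host": host,
            "bytes_out": int(bytes_out),
            "ua": ua,
        })
    return records


def find_dropbox_beacons(records, min_events=5, max_cv=0.2):
    """Return {(src, host): details} for source/API-host pairs that beacon.

    A pair is flagged when it has at least `min_events` connections and the
    coefficient of variation (stdev / mean) of the inter-arrival times is at
    most `max_cv`, i.e. the connections are nearly periodic. Both thresholds
    are assumptions to tune against real traffic.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["host"] in DROPBOX_API_HOSTS:
            by_pair[(r["src"], r["host"])].append(r)

    alerts = {}
    for (src, host), rs in by_pair.items():
        if len(rs) < min_events:
            continue
        rs.sort(key=lambda r: r["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # all events share one timestamp; not a beacon pattern
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            alerts[(src, host)] = {
                "events": len(rs),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
                # A non-browser user agent strengthens the case that a program, not a person, is talking.
                "non_browser_ua": not rs[0]["ua"].startswith("Mozilla/"),
                # Total bytes sent is a rough exfiltration indicator worth surfacing in the alert.
                "bytes_out": sum(r["bytes_out"] for r in rs),
            }
    return alerts


if __name__ == "__main__":
    for (src, host), info in find_dropbox_beacons(parse_proxy_log(SAMPLE_LOG)).items():
        print(f"ALERT {src} -> {host}: {info}")
```

Run on the constructed sample, the detector flags only 10.1.1.20 talking to api.dropboxapi.com: six connections about 300 seconds apart with a jitter of a few seconds, from a non-browser user agent. The browser host is ignored because its inter-arrival times vary by orders of magnitude. In a real deployment the periodicity check should be combined with process-level telemetry (which binary opened the connection) rather than used alone, since legitimate sync clients also poll on a schedule.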
MalKamak attacks may be linked to Chafer APT (APT39), Agrius APT and other Iranian state-sponsored threat actors, Cybereason stated. However, MalKamak has unique features that separate it from the other Iranian threat actors.
What Does the Future Hold for MalKamak?
MalKamak was active as of September 2021, Cybereason pointed out. It also remains under active development, with each new version adding new features.
MSSPs should stay up to date regarding MalKamak and similar cyber threats. That way, they can remain proactive in their efforts to protect against these threats and help their customers do the same.