MalKamak behind sophisticated cyber-attacks using Dropbox

Details have emerged of a highly-targeted cyber espionage campaign by a group named MalKamak that is targeting the aerospace and telecommunications industries across the middle east, USA, Russia and Europe.

A cybersecurity firm by the name of Cybereason located in America claims it has found a newly discovered cyber threat group called MalKamak and are attributing the group to be originating from Iran. This threat actor is believing to be active since 2018 at least and have undergone several versions and adding new functionalities as it develops, according to researchers at Cybereason who released a Technical Overview of the operation today.

What is MalKamak using?

A sophisticated and previously undocumented RAT (remote access Trojan) named ShellClient was used for targeted operations by MalKamat. Using this RAT the group was seen conducting reconnaissance and the exfiltration of sensitive data from aerospace and telecommunications companies.

How it works

besides carrying out data exfiltration, ShellClient is engineered as a modular portable executable that is capable of performing fingerprinting and registry operations. What is exceptional and unique about this RAT is the ability of the RAT to abuse cloud storage services such as Dropbox for command and control communications which has allowed the RAT to stay under the radar by blending in with legitimate traffic.

According to the researchers at Cybereason the Dropbox storage has three folders each storing information about the infected machines, commands to be executed by the ShellClient RAT, and the results of those commands. Every few seconds the victim machine checks the commands folder to retrieve any files that represent commands, analyzes the content, then deletes them from the remote folder and enables them for execution.

 

Who is behind MalKamak?

Assessments as to the identity of the cyber actors have lead the investigators to identify what they are calling a new Iranian threat with other possible connections to Chafer APT (APT39) and Agrius APT however they do not reference or provide evidence of how they came to this conclusion.

The structure of this tactic resembles those of IndigoZebra who also used the Dropbox API to store commands on victim-specific sub-folders however IndigoZebra is suspected to be some sort of Chinese- speaking group or person who was previously identified as targeting the Afghan Government and so unlikely that it would be the work of this group.

Could this simply be a case of a lone individual looking to make some money? When work is hard to find people will do whatever it takes to feed their families especially if you are a highly skilled technical expert who is down on your luck.

Due to the sophisticated nature and build of the RAT and its execution structure leads us at ICNA and indeed other cybersecurity experts to believe that this type of threat must surely have the financial backing and know-how of a capable state-sponsored cyber actor. The Hacker News and Cybereason both attribute the attack to the Iranian state and we know the abilities of the Iranian cyber community are great and vast so so this could reasonably be the work of Iranian cyber actors.

Looking at the targets we know of so far the large media outlets are saying MalKamak have targeted Telecommunications and Aerospace companies which are traditional targets of nation states. These targets represent billions of dollars of proprietary technology potentially up for grabs which makes them a shiny target for any country engaging in cyber warfare and there are many departments within Iran alone that we could point to who would have a deep interest in pursuing this avenue of attack as the reward would be extremely valuable.