Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms | #microsoft | #hacking | #cybersecurity

In July 2021, the Cybereason Nocturnus and Incident Response Teams responded to Operation GhostShell, a highly-targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe. 

The Operation GhostShell campaign aims to steal sensitive information about critical assets, organizations’ infrastructure and technology. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT (Remote Access Trojan) dubbed ShellClient which was employed as the primary espionage tool. 

The Nocturnus Team found evidence that the ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown.

Assessments as to the identity of the operators and authors of ShellClient resulted in the identification of a new Iranian threat actor dubbed MalKamak that has operated since at least 2018 and remained publicly unknown thus far. In addition, our research points out possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT (APT39) and Agrius APT. However, we assess that MalKamak has distinct features that separate it from the other Iranian groups. 

Key Findings

      • New Iranian Threat Actor MalKamak: A newly discovered Iranian threat actor dubbed MalKamak that has been operating since at least 2018 and remained unknown thus far. In addition, the investigation draws possible connections to other Iranian state-sponsored threat actors including Chafer APT (APT39) and Agrius APT.
      • Discovery of New ShellClient RAT: The Cybereason Nocturnus team discovered a sophisticated and previously undocumented RAT (Remote Access Trojan) dubbed ShellClient used for highly targeted cyber espionage operations.
      • Targeting Aerospace and Telecom Companies: Based on the telemetry, this threat has been predominantly observed in the Middle East region, but has also been observed targeting organizations in the U.S., Russia and Europe, with a focus on the Aerospace and Telecommunications industries. 
      • Ongoing Development Since 2018: Our investigation revealed this threat was first operationalized in 2018, and since then has been under active development with each new version adding more features and stealth. This threat is still active as of September 2021. 
      • Abusing Cloud Services for C2: The most recent ShellClient versions were observed to be abusing cloud-based storage services for Command and Control (C2), in this case the popular Dropbox service, in order to remain undetected by blending in with legitimate network traffic.
      • Designed for Stealth: The authors of ShellClient invested a lot of effort into making it stealthy to evade detection by antivirus and other security tools by leveraging multiple obfuscation techniques and recently implementing a Dropbox client for command and control (C2), making it very hard to detect. 

ShellClient: The Silent RAT

The following sections recap the recently observed Operation GhostShell campaign and the evolution of this stealthy ShellClient RAT, which has been operationalized and actively developed since at least November 2018.

Recent Campaign

In July 2021, Cybereason encountered an unidentified threat actor carrying out a cyber espionage operation using a previously undocumented and stealthy RAT dubbed ShellClient

Using this RAT, the threat actors were first observed conducting reconnaissance and the exfiltration of sensitive data from leading Aerospace and Telecommunications companies in the Middle East region, and was later observed targeting the same industries in other regions including the U.S, Russia and Europe.

When first inspecting the ShellClient RAT, the malicious binary was found to be running on victim machines as “svchost.exe” while its internal name was disguised as “RuntimeBroker.exe”:

ShellClient RAT internal name masquerades as a legitimate Microsoft RuntimeBroker.exe binary

This executable was determined to have been compiled on May 22nd, 2021, and was observed to be executing adjacent to additional TTPs. 

ShellClient Structure and Configuration

The ShellClient RAT is a modular PE leveraging Costura to compress each of the modules using zlib:

ShellClient RAT utilizing Costura

Two of the references are DLLs containing supporting functionalities: 

    • ExtensionLib.dll contains utilities and functionalities such as:
      • AES Encryption, including an AES Key and an Initialization Vector (IV)
      • Hashing
      • File Operations
      • Registry Operations
      • Process Creation
      • Serialization


    • ClientCore.dll holds other core functionalities of the the client such as:
      • Fingerprinting
      • File Operations
      • User Impersonation
      • Token Handling
      • FTP Client
      • Telnet Client
      • Settings & Strings


The executable stores most of the its strings, including configuration strings, as bytes and then converts them in real-time to Unicode/ASCII to evade antivirus strings detection:

ShellClient using Unicode/ASCII to evade antivirus strings detection

Execution Flow

The ShellClient RAT executes according to the following arguments:

    • If no arguments are provided, the binary executes itself using InstallUtil.exe to install and run a malicious nhdService service
    • If there is one argument and it is equal to -c, the binary will be executed using the Service Control Manager (SCM) to create a reverse shell, communicating with a configured Dropbox storage as a C2
    • If there is one argument and it is equal to -d, the binary will execute as a regular process

ShellClient RAT arguments

When either of the -c or -d arguments are provided, the malware performs basic fingerprinting using WMI to collect:

    • Hardware information such as BIOS information, Mac address, etc.
    • Networking Information including a request to ipinfo[.]io/ip to retrieve the public IP address of the infected machine
    • Which antivirus products are installed 

The abovementioned collected information is also used to create a unique agent identifier for each infected machine:

Creating a unique identifier

Command and Control (C2) Communications

The C2 communications this malware implements are quite unique, as they rely on “cold files” being saved to a remote Dropbox, instead of a common interactive session. This method of communication is an interesting Operational Security (OPSEC) solution, making it difficult to trace the threat actor’s infrastructure by utilizing a public service such as Dropbox.

To communicate with Dropbox, ShellClient uses Dropbox’s API with a unique embedded API key. Before communicating, it encrypts the data using an hardcoded AES encryption key.

The Dropbox storage contains 3 folders:

    • AS Folder (Agents Folder): Stores uploaded information on infected machines
    • CS Folder (Commands Folder): Stores commands to be fetched, executed and then deleted by ShellClient
    • RS Folder (Results Folder): Stores the output of commands executed by ShellClient

Every 2 seconds, the victim machine checks the commands folder, retrieves files that represent commands, parses their content, then deletes them from the remote folder and enables them for execution:

ShellClient C2 Communications

After executing the commands, the executable uploads the results to the corresponding folder with a randomly generated file name based on the unique victim ID that the threat actor calls as HardwareID:

ShellClient C2 Communications

The destinations for these communications will be api.dropboxdapi[.]com and content.dropboxapi[.]com.

Persistence and Privilege Escalation

The ShellClient RAT achieves persistence and privilege escalation to run with SYSTEM privileges on victim machines by creating the nhdService disguised as Network Hosts Detection Service:

    • Service Name: nhdService
    • Display Name: Network Hosts Detection Service
    • Description: Searches and manages hosts in the Network and Dial-Up Connections folder, where both local area network and remote connections are viewable
    • Start Type: Automatic
    • Account: LocalSystem


Supported Commands

The executable contains multiple command functions that enable its capabilities, including arbitrary command execution, FTP/Telnet clients, lateral movement, file manipulation, etc. 

In addition, the malware contains several command functions that seem to do nothing and have no reference in the code; this could indicate that the malware is still under development.

The following table describes the purpose of each command:




Query hostname, malware version, executable path, IP address and Antivirus products 


Execute an updated version of ShellClient


Self delete using InstallUtil.exe


Restart the ShellClient service


Start a CMD shell


Start a PowerShell shell


Add to the results message the following line: “Microsoft Windows Command Prompt Alternative Started …”


Open a TCP Client


Start a FTP client


Start a Telnet client


Execute a shell command


Kill active CMD or PowerShell shell


Query files and directories


Create a Directory


Delete files and folders


Download a file to the infected machine


Upload a File to Dropbox


Does nothing


Download a file to the infected machine and execute it


Lateral movement using WMI


ShellClient C2 Commands

Additional TTPs Observed with ShellClient

Using the ShellClient RAT, the threat actor deployed additional tools to perform various activities to support their operation such as reconnaissance, lateral movement, data collection and more.

Lateral Movement

The attackers were observed using PAExec and “net use” for lateral movement. PAExec is a redistributable version of the famous Sysinternals PsExec, with some additional options. 

The attackers leveraged PAExec to:

    • Execute a CMD shell as SYSTEM on remote machines
    • Perform remote service related operations like start, stop, restart, status and more
    • Exfiltrate organizational Active Directory structure using a remotely executed csvde.exe -f < output file > command
    • Check internet connectivity using ping to reach Google.com
    • Gather host information by executing ipconfig, tasklist and net use

ShellClient leveraging PAExec as observed in the Cybereason Defense Platform

Credential Dumping Tool

During the observed attacks, the ShellClient RAT activity group deployed and executed an unknown executable named lsa.exe to perform credential dumping. Lsa.exe dumped the memory of lsass.exe to a file named debug.bin and was observed executing with the following command-line arguments:

Although the Cybereason Nocturnus team was unable to retrieve the lsa.exe executable, we speculate the tool might be a variation of the tool SafetyKatz based on the debug.bin dump file the tool creates, which is also the name of the dump file created by SafetyKatz that was previously tied to Iranian threat actors:

ShellClient credential dumping as observed in the Cybereason Defense Platform


In order to exfiltrate data, the attackers used WinRar to compress important files before data exfiltration using a renamed rar.exe WinRar file:

ShellClient using WinRar to compress data before exfiltration

The Evolution of ShellClient and Finding the Missing Link

Known ShellClient RAT version history timeline

One of the questions that came up during the investigations was regarding how far back the use of the malware can be observed. At first it was thought to have been developed recently since there was no publicly available documentation or any mention of it available. However, the code indicates that the sample we analyzed was version 4.0, which implies there should be several previous versions.

With that in mind, the investigation revealed the missing link in a .NET GUID that appeared in the metadata of the observed sample. Pivoting on this unique identifier, we were able to uncover an older instance (version 3.1, VT link) that used the same .NET TypeLibID GUID, a unique ID generated by Visual Studio per project – fd01304b-571f-4454-b52b-19cfb8af44a9:

Shared .NET TypeLib Id GUID between the recent and the older version of ShellClient

From there, finding the other previous versions of ShellClient was achieved by pivoting searching for string and code similarities. This pivoting process proved that ShellClient has been under continuous development since at least November of 2018, marking almost three years of development work to evolve the malware from a simple standalone reverse shell to a stealthy modular espionage tool. 

In each new iteration of the malware, the authors added new features and capabilities, attempting to use various exfiltration protocols and methods, such as using an FTP client and a Dropbox account to hide in plain site. In addition, from version 4.0.0 and up, the authors made significant design and architecture changes like introducing modular design. 

Below is a summary of the variants that were discovered so far:

VT Link

Variant Version


Compilation Date

First Submission Date

PDB Path 

VT link




2018-11-06 21:35:41

2018-11-11 15:28:46

VT link



2018-11-29 23:41:15

2020-04-15 23:22:13

D:projects 7 – Reverse ShellShellClientServer_HTTPobjReleasesvchost.pdb

VT link



2018-12-16 11:19:14

2020-04-14 22:59:49

E:Projects (Confidential) 7 – Reverse ShellShellClientServer_HTTP.v2objReleasesvchost.pdb

VT link



2019-01-12 18:37:20

2019-01-17 22:53:43

D:Visual Studio 2017v3.1ShellClientobjReleasesvchost.pdb

VT link


RuntimeBroker.exe / svchost.exe

2021-08-10 11:14:51

2021-09-22 09:18:59

VT link


RuntimeBroker.exe / svchost.exe

2021-05-22 12:06:05

2021-07-20 16:16:06


Known ShellClient RAT version history

Overview of ShellClient Evolution 

Earliest Variant (November 2018)

The earliest variant traced was compiled on November 06, 2018, and was purposefully named svchost.exe to allow it to masquerade as a legitimate Windows binary. This early variant is not very rich in features and lacks the sophistication and functionality that are manifested in its successors. In essence, it is a rather simple reverse shell

Main Features:

    • File description: Windows Defender Service
    • Core functionality: Simple websocket-based reverse shell
    • Hardcoded C2 domain: azure.ms-tech[.]us:80


Variant V1 (November 2018)

The second oldest variant emerged about 3 weeks after the initial version. This variant is more mature and contains capabilities of both of a client and a server, including a new service persistence method disguising as a Windows Defender Update service. This version of ShellClient also communicates with the following C2 domain: azure.ms-tech[.]us:80 

Main Updates:

    • File description: Host Process For Windows Processes
    • Core functionalities: 
      • Predefined set of C2 commands
      • Executing arbitrary commands via CMD shell or PowerShell
      • Client and Server components
      • Persistence via Windows Service, masquerading as Windows Defender
      • Base64 encoding/decoding for data sent from / to C2

Version V2.1 (December 2018)

Compiled approximately 2 weeks after variant V1, this variant keeps the same name and description attributes but shows further progress in development by adding a variety of new capabilities, including FTP and Telnet clients, AES encryption, self-update capabilities and more. This version of ShellClient also communicates with the following C2 domain: azure.ms-tech[.]us:80 

Main Changes:

    • Core functionalities: 
      • Implementing FTP and Telnet clients
      • AES encryption of data sent to the C2
      • Self-updating feature
      • Client ID and versioning attributes added
      • Extended set of predefined C2 commands

Variant V3.1 (January 2019)

About a month after the emergence of variant V2.1, the V3.1 variant was seen in January of 2019. It has mostly minor changes in regards to functionality. The main difference is the removal of the “Server” component from the executable, as well as new code obfuscation and an upgraded commands menu. This version of ShellClient also communicates with the following C2 domain: azure.ms-tech[.]us:80 

Main Changes:

    • Core functionality: 
      • Removal of the Server component
      • Introduction of command-line arguments
      • First attempts of code obfuscation
      • More predefined C2 commands
      • OS fingerprinting via WMI

Variant V4.0.0 (August 2021)

Perhaps one of the biggest advancements in the ShellClient evolution came with version V4.0.0 and continued with its successor V4.0.1, in which the malware authors implemented many changes and improvements, adding new capabilities, enhancing code obfuscation and code protection using Costura packer, as well as abandoning the C2 domain that was active since 2018. 

The traditional C2 communications were replaced with a Dropbox built-in client, abusing the popular online platform to send commands to ShellClient as well as storing the stolen data exfiltrated to a designated Dropbox account. This ultimately makes it harder to detect since the network traffic would appear legitimate to security analysts as well as most security solutions. 

Note: For full analysis of the variants, please refer to Appendix A in the IOCs popup in lower right of your screen. 


During the investigation, efforts were made to identify instances of the ShellClient code and to determine its origin or affiliation with known threat actors. Given the fact that ShellClient was previously undocumented and unknown at the time of the investigation, and the identity of the threat actor behind the attack was unclear, the Nocturnus Team first attempted to find links to known adversary groups that have carried out similar attacks in the past against this industry and the affected regions. 

While some possible connections to known Iranian threat actors were observed, our conclusion is that MalKamak is a new and distinct activity group, with unique characteristics that distinguish it from the other known Iranian threat actors. In publishing this data, it is hoped that more attention will be given to this threat and over time more information about ShellClient origins will emerge. 

Likely Nation State-Sponsored Threat Actor

The current working assumption is that ShellClient was created and maintained by a nation-state sponsored threat actor, or Advanced Persistent Threat (APT). The intrusions analyzed by Cybereason suggest that the motivation is cyber espionage against a very small set of carefully selected targets. This is supported by the fact that there are very few samples found in the telemetry or in-the-wild since 2018, in contrast to commodity malware that can usually be found in abundance. 

In addition, the PDB path that is embedded in some of the ShellClient samples suggests that this malware is part of a restricted or classified project that could be related to military or intelligence agency operations: 

E:Projects (Confidential)

Original Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

nine + 1 =