Operation GhostShell [ML B-Side]

In July 2021, Nocturnus - Cybereason’s Threat Research and Intelligence team - was called to investigate an espionage campaign targeting Aerospace and Telecommunications companies, mainly in the Middle East. Their investigation resulted in the discovery of a new threat actor that has been operating since at least 2018, and new and sophisticated malware that abuses Dropbox.
Nate Nelson, our Sr. producer, spoke with Assaf Dahan - Senior Director and Head of Threat Research at Nocturnus - about the investigation.

Find the full report about "Operation GhostShell" at: www.cybereason.com/ghostshell

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Assaf Dahan

Sr. Director, Head of Threat Research at Cybereason

Cyber security expert, with over 15 years of experience in the InfoSec industry - Military and civilian background.

Episode Transcript:

Transcription edited by SODA

[Ran] Hi, and welcome to Cybereason’s Malicious Life B-Sides.
In July 2021, Nocturnus, Cybereason’s threat research and intelligence team, was called to investigate an espionage campaign targeting aerospace and telecommunications companies mainly in the Middle East. Their investigation resulted in the discovery of a new threat actor that has been operating since at least 2018 and a new and sophisticated malware that abuses Dropbox, a cloud storage service.
Cybereason published their findings in a blog post on their website titled "Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms". Nate Nelson, our senior producer, spoke with Assaf Dahan, senior director and head of threat research at Nocturnus, about the investigation and its discoveries. We bring you the interview, and if you wish to learn more about Operation GhostShell, head on to cybereason.com/ghostshell.
That’s it from me, enjoy the interview.

[Nate] Hey, Assaf, if you could just briefly start off with who you are.

[Assaf] My name is Assaf, I’m the head of threat research at Cybereason.

[Nate] So firstly, how did the investigation that we’re going to be talking about today begin?

[Assaf] Well, that’s a good question, we would like to start at the beginning. So at least from our perspective, we started investigating this around July 2021.
So this summer, my team, which is the Nocturnus team, the research team, was called along with our incident responders to investigate a breach and intrusion that occurred in a company that is related to aerospace in the Middle East. So we were called there and this is how this investigation started.

[Nate] What are the risks that face the kinds of companies that you’re talking about? Why do hackers target aerospace corporations?

[Assaf] Well, there are multiple threat actors. I mean, like the aerospace or the telecommunications landscape is quite vast.
Of course, you’ll have like more opportunistic or financially driven threat actors going for those companies or industries.
You have to remember that at the same time, there are nation state threat actors that might want to conduct cyber espionage, basically, they would want to steal either sensitive information or the technology that is developed in those companies.

[Nate] So you’re called into this company in the Middle East.
What happens when you get there? And how do you remediate the immediate threat?

[Assaf] So we got there. We definitely saw very suspicious activity going on. Some of the activity included rather generic tools that you'd find in many attacks.
We did come across a very interesting binary that led us to believe that, OK, this is something that is slightly out of the ordinary, and I'll get to that later. It took us about, I think, a week or two to clean the environment, in which the attackers had been deployed for a couple of months before we got to the scene. So we had to make sure that we were thorough, but we were able to contain the incident.

[Nate] All right. So at this point, you’ve booted the attackers out of the network and maybe you have a chance to take a breath and analyze what you found.
So as you’re going through your findings, what starts to stand out?

[Assaf] So one of the multi-million dollar questions is who's behind it? What is the threat actor's motivation? So it's a question around attribution, because we said that there could potentially be many threat actors. It could be some opportunistic cyber criminals, could be governments.
So we try to determine what the attackers wanted, so what type of information they were after and as well as try to establish their modus operandi, basically to profile the attacker based on what we’ve seen because at Cybereason, like many other companies, we have threat profiles for each major APT group or cyber criminal group and different malware.
So once we started comparing our notes, our observations, with all the other threat actors and malware that we are aware of, we couldn't find any match, especially when we saw this binary, one of the, I guess, major attack tools, the major espionage tool that was used by the attackers. We realized that it didn't look like anything we'd seen before.
It was not documented anywhere on the internet, as much as we tried at the beginning. We couldn't get any lead on the identity of its authors and so on. But we are very persistent and curious-minded people on my team, so we kept pulling more threads and more threads.

[Nate] All right. But before we go any further, I don’t believe that we’ve yet reviewed what the malware actually looks like.
Assaf, could you tell me just a bit how this malware is built, how impressive it is, how threatening it is, just what it looks like under the hood?

[Assaf] We classified this malware as a RAT, a remote access trojan. Basically it gives the attackers full capability or full access to the infected host. The attackers can run arbitrary commands, download further payloads, steal information, move laterally; basically they can do almost everything that they want once they've infected a host.
In our blog, we actually show some of the actions that these attackers took. It’s a rather sophisticated type of malware. In our blog, we actually look at the evolution of this malware because we found traces of this malware going back all the way to 2018 later in our analysis. But at the beginning, we just noticed it was a very sophisticated remote access trojan.
Another cool feature that this trojan had, which made the attribution or the analysis slightly difficult, is that it did not communicate with a classic C2 domain or IP, but it communicated with Dropbox. Basically the attackers implemented a Dropbox client baked into the malware and they set up some fake Dropbox account, or a Dropbox account, doesn't have to be fake. Basically it was a bilateral type of communication between the malware authors or the operators and the malware. The malware operators would leave commands on the Dropbox account in a certain folder. The malware, the threat, which we call ShellClient, by the way, would poll this account every two minutes or so, check if there are new commands, decrypt the commands, execute them, and then once it executed the command, it would collect the output or all the information that it stole and upload it back to Dropbox.
That was a very cool way of staying under the radar because Dropbox, as you know, is a legitimate service, nobody would raise an eyebrow if they saw some traffic going out from the network to Dropbox or for that matter, any other cloud-based solution, whether it’s Google Drive or Facebook or GitHub for that matter, it makes it less suspicious, I guess.

[Nate] That’s interesting. Have you ever seen attackers use something like Dropbox or Google Drive before in this kind of way?

[Assaf] Okay. It's a good question, Nate. Yes, actually at Nocturnus, we reported that another threat actor, which we call Molerats, had used Dropbox in a similar fashion.
Before that, we reported other threat actors, both from the cyber criminal side of the house and also the nation-state threat actors using different platforms such as Facebook and Twitter and GitHub and Bitbucket. It seems that it’s trending.
It started a couple of years ago and as time goes by, we see more and more threat actors using or opting for this option of basically abusing legitimate cloud-based services. It makes a lot of sense from an operational security perspective.

[Nate] What can these kinds of service providers do to try and prevent malicious actors from using their platforms in these kinds of ways?

[Assaf] Yes. First of all, I’m aware that, or as far as I know, these companies have excellent threat intelligence and security teams and they’re working to the best of their abilities to stop such attacks from happening.
However, if you consider the number of potential Dropbox accounts or Facebook accounts or Gmail accounts that are out there, in a way, it's like searching for a needle in a haystack, and the attackers are always one step ahead, so it makes their job quite difficult.
That being said, this is also one of the reasons why we publish this report publicly. We want to contribute to the community and specifically to those types of companies, because I feel like they could be doing more. There are certain, I guess, behavioral patterns that are in our report that they can learn from and possibly enhance their security.

[Nate] The other thing that you mentioned earlier that I don’t want to skip over is that you guys managed to find that the malware had roots that were about three years old. How as analysts do you figure that out in the first place?

[Assaf] Yes, that was one of our, I guess, greatest achievements with this investigation, because at the beginning, the first couple of weeks, we were, as I told you, reaching dead ends. We couldn't find anything on this malware, but we didn't give up. I think that's one important quality for any type of researcher: don't give up.
We just looked at it from different angles and luckily, we realized that some of the metadata that was embedded in the malware binary, we were able to pivot on it and find an earlier sample from, I guess, 2019, I think. From there, we were able to pull other indicators, so we were able to work our way all the way back to the initial variant that was created in 2018.
That was a really fun rabbit hole, if you can call it that way, that we entered after trying many other rabbit holes that led to dead ends. This one was a successful one and we could see how this malware evolved from a very simple reverse shell back in 2018, really, possibly one of the simplest we’ve seen, to a fully fledged sophisticated rat.
We saw that every couple of weeks, every couple of months, they came up with a new version. Each version extends the capabilities of its previous version, adding an additional layer of stealth, so that was really, really interesting to see. You could see how the coders there worked, so it was really nice.

[Nate] What do you think that we can reasonably infer from the evolution of the malware about who the attackers were, or their motives, or anything else that’s important about this campaign?

[Assaf] Well, there could be several things that could be deduced from this evolution research.
Perhaps one of the most interesting ones is that there are very few samples available out there. Aside from the samples that we got from our customers, there are maybe six or seven samples available on VirusTotal from the last three years. This is a very, very low number of… When you look at a malware, take any commodity malware. You go three years back, you'll find it by the thousands, if not more. This is a nation-state threat actor, more sophisticated, more confidential; still the expectation is that you'll find a couple of dozen, a couple of hundred over the course of three years.
We’ve seen threat actors, nation-state threat actors, that if you go three years back, you’ll find thousands of samples. Here we only were able to find six or seven of these, which really tells you how tight this operation was run. They kept the target list very small, targeting only select few. It was like a surgical type of operation. They did not want to risk the exposure of this malware.
It’s not like a prolific type of operation where you just cast a wide net and catch whoever you catch. This is a very close-knit type of operation. This is one thing that we could deduce from analyzing the evolution of this malware.
With regards to the threat actor, you could see when you analyze the code, when you analyze their operational security, when you analyze the way they conducted and operated themselves while they were in the environment, we could tell that this is likely a nation-state threat actor, an Iranian one. We found some interesting connections to other Iranian groups. Our conclusion was that this group is quite distinct. It may have some connections, which we do not fully know how to explain, to other groups, but we feel that this is a completely independent group, because it doesn't match any of the other Iranian groups' patterns that we know.
This group has been operating since at least 2018, and nobody knows anything about it. There’s no documentation of this kind of operation anywhere to be found publicly, at least. I’m sure some three-letter agencies must have some information about them, or maybe they don’t, but it’s still very interesting.

[Nate] Why do you think it is?
Is it that the attackers were just so careful not to make themselves known? Is it that the malware is particularly good from a technical standpoint at hiding itself? What do you think is at the core of how these attackers were able to stay completely under the radar for three whole years?

[Assaf] I think it’s a combination. It’s a little bit of both.
If you look at the first versions of the malware, it wasn’t that stealthy. It was actually quite noisy, so I think they built up the stealth over time.
Even if you look at the older samples, at the beginning, not many anti-virus companies detected them when they first were submitted to VirusTotal. They had a rather low detection rate, so that’s one thing.
I mainly attribute it to the very low number of samples that is out there. I think this malware was kept for special ops or highly targeted operations. They didn’t use it lightly. I think this is ultimately how they were able to remain, to fly under the radar for such a long time, just by reducing the exposure of this malware.
Also, this malware, for instance, it would check for the presence of anti-virus software. It could kill itself. It has a suicide function if it recognizes that it’s likely to be detected and so on. As I said at the beginning, it’s a little bit of both, or of everything in a way.

[Nate] We know now about these attackers’ existence and some details about them, but of course, there are as many questions as there are answers, so Assaf, as much as you can reasonably infer such things, what do we really believe about these hackers?
What do we think they want? What are they motivated by, and can we expect more from them?

[Assaf] Well, I guess you cannot really ignore or detach the threat actor origin. We have good reasons to believe that this threat actor is an Iranian-based threat. We should probably consider the geopolitics of it all, and how might an Iranian threat actor benefit from hacking into aerospace and telecommunication companies throughout the Middle East, but also in the US, Europe, Russia?
One can only imagine what type of information could be beneficial for the Iranian regime when they target such industries.

[Nate] Now that we’ve heard the story, Assaf, what would you like listeners to take away from all of this?

[Assaf] I think that first and foremost, you really want to stay vigilant, and don’t just close an incident by containing it. You really want to understand who’s behind it, how did they get in? You want to perform a root cause analysis. You want to understand the motivation of the attack, and this is really important.
I think this is where context really matters here, and attribution matters. The fact that we were able to uncover an operation and a malware and a new threat group that has been operating for at least three years without anyone knowing about it, at least publicly, I think this is a good example of how you can facilitate your research to support your incident response and other types of security services or security operations within a given company. This is one key takeaway.
The second thing is, I guess one of the reasons that we go public with this report is that we really want to raise awareness of such attacks, whether it's the Dropbox angle or just simply how a sophisticated threat actor can bypass a lot of security mechanisms and security solutions and stay under the radar for a long time. That's why our report, like many of our reports, is very rich in data. Lots of examples, lots of screenshots, the commands that were used, the tools. We have MITRE mapping, and the reason we do that is, aside from the IOCs that we published, which are the low-hanging fruit that other security practitioners can look for, there's a lot of behavioral information that can be inferred or learned from our report.
I think this could be a really good start for security practitioners, especially the aerospace and telecommunications industry, but potentially other industries as well, to start looking for similar threats in their environments.

[Ran] That’s it for this B-side episode. Thank you for listening.
If you're curious about Operation GhostShell and wish to learn more about the ShellClient RAT and the newly discovered Iranian threat actor, MalKamak, you'll find the full report at Cybereason.com/Ghostshell.
As always, our website is Malicious.life and you can follow us on Twitter at @MaliciousLife or me at @Ranlevi, that’s R-A-N-L-E-V-I.
Malicious Life is produced by PIMedia, Nate Nelson is our senior producer, sound design by Benora Barry.
Thanks to Cybereason for underwriting the podcast.
Learn more at Cybereason.com.
Bye bye.