DropBox Being Abused in Schemes Against Aerospace and Telecom Companies
- By Dawna M. Roberts
- Published: Oct 26, 2021
- Last Updated: Mar 18, 2022
A Boston cybersecurity company, Cybereason, has discovered new attacks targeting aerospace and telecom companies in the Middle East. The goal of these attacks is to collect sensitive information about company assets, infrastructure, and technology. So far, these attackers have been quite successful at evading detection.
What is Going On?
According to The Hacker News, Cybereason has nicknamed these attacks “Operation Ghostshell,” noting “the use of a previously undocumented and stealthy remote access trojan (RAT) called ShellClient that’s deployed as the main spy tool of choice. The first sign of the attacks was observed in July 2021 against a handpicked set of victims, indicating a highly targeted approach.”
After a deep dive into the attacks, threat researchers said, “The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown.”
This threat dates back to around November 6, 2018, “previously operating as a standalone reverse shell before evolving to a sophisticated backdoor — highlighting that the malware has been under continuous development with new features and capabilities added by its authors. What’s more, the adversary behind the attacks is also said to have deployed an unknown executable named ‘lsa.exe’ to perform credential dumping.”
Who is Behind the Attacks?
Threat assessors have traced this malware to an Iranian bad actor named MalKamak. The hacker has connections to “other Iranian state-sponsored APT threat actors such as Chafer APT (aka APT39) and Agrius APT, the latter of which was found posing as ransomware operators in an effort to conceal the origin of a series of data-wiping hacks against Israeli entities.”
How Does it Work?
This sophisticated malware does much more than carry out reconnaissance and exfiltrate personal data. ShellClient is a modular portable executable that can also perform fingerprinting and registry operations on a Windows machine. More recently, the RAT has been abusing cloud storage services such as Dropbox for command-and-control communications: its traffic from compromised computers blends in with legitimate file-sync activity, so it is far less likely to be flagged than a connection to an unknown server.
The Hacker News explains, “The Dropbox storage contains three folders, each storing information about the infected machines, the commands to be executed by the ShellClient RAT, and the results of those commands. ‘Every two seconds, the victim machine checks the commands folder, retrieves files that represent commands, parses their content, then deletes them from the remote folder and enables them for execution,’ the researchers said.”
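The two-second polling loop described above is the kind of pattern a defender can look for: a legitimate sync client talks to Dropbox occasionally and irregularly, whereas a command-polling implant contacts the service at a short, fixed interval. The following beaconing detector is an added example for this article, not code from Cybereason or from any product; the proxy log format (ISO timestamp, client IP, destination host, request path) and the log lines themselves are constructed for the example, and the thresholds are illustrative starting points rather than vendor recommendations.

```python
"""Beaconing detector for cloud-storage command-and-control.

Flags any (client, destination host) pair whose requests arrive at a short
and highly regular interval, as a RAT polling a commands folder would.
Log format and sample lines are constructed for this example (assumption).
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample proxy log (not real traffic):
#   10.0.0.5 polls the Dropbox API every ~2 seconds (implant-like behaviour)
#   10.0.0.9 is an ordinary user whose sync client checks in irregularly
SAMPLE_LOG = """\
2021-07-14T09:00:00 10.0.0.5 api.dropboxapi.com /2/files/list_folder
2021-07-14T09:00:01 10.0.0.9 api.dropboxapi.com /2/files/list_folder
2021-07-14T09:00:02 10.0.0.5 api.dropboxapi.com /2/files/list_folder
2021-07-14T09:00:04 10.0.0.5 api.dropboxapi.com /2/files/list_folder
2021-07-14T09:00:06 10.0.0.5 api.dropboxapi.com /2/files/list_folder
2021-07-14T09:00:08 10.0.0.5 api.dropboxapi.com /2/files/list_folder
2021-07-14T09:00:10 10.0.0.5 api.dropboxapi.com /2/files/list_folder
2021-07-14T09:00:12 10.0.0.5 api.dropboxapi.com /2/files/list_folder
2021-07-14T09:00:14 10.0.0.5 api.dropboxapi.com /2/files/list_folder
2021-07-14T09:03:30 10.0.0.9 api.dropboxapi.com /2/files/list_folder
2021-07-14T09:11:05 10.0.0.9 www.dropbox.com /home
2021-07-14T09:25:40 10.0.0.9 api.dropboxapi.com /2/files/list_folder
2021-07-14T09:40:12 10.0.0.9 api.dropboxapi.com /2/files/list_folder
"""


def parse_log(text):
    """Parse whitespace-separated lines into (timestamp, src, host, path)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, path = line.split()
        events.append((datetime.fromisoformat(ts), src, host, path))
    return events


def find_beacons(events, min_requests=5, max_median_interval=10.0, max_jitter=0.25):
    """Return pairs that look like periodic command polling.

    A pair is flagged when it has at least ``min_requests`` requests, the
    median gap between requests is at most ``max_median_interval`` seconds,
    and the gaps are regular (population stdev / mean <= ``max_jitter``).
    """
    by_pair = defaultdict(list)
    for ts, src, host, _path in events:
        by_pair[(src, host)].append(ts)

    findings = []
    for (src, host), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        mean = sum(gaps) / len(gaps)
        jitter = pstdev(gaps) / mean if mean > 0 else 0.0
        if med <= max_median_interval and jitter <= max_jitter:
            findings.append({
                "src": src,
                "host": host,
                "requests": len(stamps),
                "median_interval_s": med,
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible C2 polling: {hit['src']} -> {hit['host']} "
              f"({hit['requests']} requests, median gap {hit['median_interval_s']}s)")
```

On the constructed log only 10.0.0.5 is reported: eight requests exactly two seconds apart, with zero jitter. The legitimate user 10.0.0.9 has the same number of distinct destinations but gaps of minutes, so it falls outside the interval threshold. In practice the thresholds need tuning to the environment, and a hit should be enriched with the originating process and user before anyone acts on it, because a busy sync client or a monitoring script can also produce regular traffic to a cloud-storage API.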
This particular method is also used by another notorious threat actor dubbed IndigoZebra, which recently targeted “fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks.”
How to Secure Your Cloud Services to Avoid Becoming Part of the Problem
Hackers can execute schemes such as the one above by using unauthorized access to Dropbox and other cloud service accounts. Alternatively, they infect unsecured devices with malware to carry out fraud and other illegal acts.
To prevent your computer or your account from becoming part of the problem, follow the tips below to secure your technology:
- Change the passwords for all your cloud-service accounts. Use very long, strong passwords. Invest in a password vault to keep them all secure and help you generate safer passwords.
- Keep antivirus software running on all your devices.
- Never share logins or personal information with anyone you don’t know.
- Use a VPN on your network to safeguard your IP address and keep your online activities private.
- Never reuse passwords, especially for online accounts. Too many of them have been breached and leaked on the dark web.