Security News > 2021 > October > Iranian Hackers Abuse Dropbox in Cyberattacks Against Aerospace and Telecom Firms
Details have emerged about a new cyber espionage campaign directed against the aerospace and telecommunications industries, primarily in the Middle East, with the goal of stealing sensitive information about critical assets, organizations' infrastructure, and technology while remaining in the dark and successfully evading security solutions.
"The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown," researchers Tom Fakterman, Daniel Frank, Chen Erlich, and Assaf Dahan said in a technical deep dive published today.
Investigation into the attribution of the cyber-attacks has also yielded an entirely new Iranian threat actor named MalKamak that has been operating since around the same time period and has eluded discovery and analysis thus far, with possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT and Agrius APT, the latter of which was found posing as ransomware operators in an effort to conceal the origin of a series of data-wiping hacks against Israeli entities.
The Dropbox storage contains three folders, each storing information about the infected machines, the commands to be executed by the ShellClient RAT, and the results of those commands.
"Every two seconds, the victim machine checks the commands folder, retrieves files that represent commands, parses their content, then deletes them from the remote folder and enables them for execution," the researchers said.
The aforementioned modus operandi mirrors a tactic adopted by another threat actor called IndigoZebra, which was uncovered as relying on Dropbox API to store commands in a victim-specific sub-folder that's retrieved by the malware prior to execution.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/CWLIwnoeDJI/iranian-hackers-abuse-dropbox-in.html
Related news
- Iranian hackers charged for ‘hack-and-leak’ plot to influence election (source)
- MoneyGram confirms hackers stole customer data in cyberattack (source)
- Iranian hackers now exploit Windows flaw to elevate privileges (source)
- Iranian hackers act as brokers selling critical infrastructure access (source)
- U.S. and Allies Warn of Iranian Cyberattacks on Critical Infrastructure in Year-Long Campaign (source)
- US says Chinese hackers breached multiple telecom providers (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign (source)
- China-Backed Hackers Leverage SIGTRAN, GSM Protocols to Infiltrate Telecom Networks (source)