(Cybereason) The investigation into Operation GhostShell also revealed that ShellClient dates back to at least 2018, and has been continuously evolving ever since while successfully evading most security tools and remaining completely unknown. By studying the ShellClient development cycles, the researchers were able to observe how ShellClient has morphed over time from a rather simple reverse shell to a sophisticated RAT used to facilitate cyber espionage operations while remaining undetected. The most recent ShellClient versions observed in Operation GhostShell follow the trend of abusing cloud-based storage services, in this case the popular Dropbox service. The ShellClient authors chose to abandon their previous C2 domain and replace the command and control mechanism of the malware with a more simple yet more stealthy C2 channel using Dropbox to exfiltrate the stolen data as well as to send commands to the malware. This trend has been increasingly adopted by many threat actors due to its simplicity and the ability to effectively blend in with legitimate network traffic.
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| IP:Port | Timestamp |
|---|
| Domain | Timestamp |
|---|
| URL | Timestamp |
|---|
Tool: ShellClient
Names: ShellClient
Description: (Cybereason) The investigation into Operation GhostShell also revealed that ShellClient dates back to at least 2018, and has been continuously evolving ever since while successfully evading most security tools and remaining completely unknown. By studying the ShellClient development cycles, the researchers were able to observe how ShellClient has morphed over time from a rather simple reverse shell to a sophisticated RAT used to facilitate cyber espionage operations while remaining undetected. The most recent ShellClient versions observed in Operation GhostShell follow the trend of abusing cloud-based storage services, in this case the popular Dropbox service. The ShellClient authors chose to abandon their previous C2 domain and replace the command and control mechanism of the malware with a more simple yet more stealthy C2 channel using Dropbox to exfiltrate the stolen data as well as to send commands to the malware. This trend has been increasingly adopted by many threat actors due to its simplicity and the ability to effectively blend in with legitimate network traffic.
Category: Malware
Type: Exfiltration
Information: https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
Last-card-change: 2021-11-02
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |