The attacks were carried out by an Iranian group called MalKamak.
The state-sponsored cyber spying campaign is targeting companies globally, including in the US, says a new report.
The cyber attacks were carried out by a newly discovered Iranian group, MalKamak, cyber security firm Cybereason said in a new report.
Cybereason said the group has been operating “under the radar” since at least 2018.
In July, Cybereason’s investigative teams responded to Operation GhostShell, a “highly targeted cyber espionage” campaign aimed at stealing sensitive information from global aerospace and telecommunications companies, primarily in the Middle East but also from companies in the US, Europe and Russia.
During the investigation, Cybereason’s Nocturnus team uncovered a previously undocumented remote access Trojan, or RAT, that was employed as the primary spying tool.
A Trojan horse, or Trojan, is malicious code that appears to be legitimate but is designed to harm computer networks or steal sensitive data. A RAT typically allows an attacker to gain unauthorized remote access for covert surveillance.
Asaf Dahan, head of threat research at Cybereason, told Granthshala Business, “We saw the evolution of a malware that started out very simple and over time turned into a sophisticated spying tool.”
“The RAT itself can conduct reconnaissance and collect information about users and infected hosts,” Dahan said.
The RAT evaded antivirus tools by using Dropbox as cover.
According to Dahan, “the MalKamak threat group … created Dropbox accounts and used them for their command-and-control purposes.”
“Essentially, they used Dropbox to conduct their operations right under the noses of security professionals. It’s a clever way to hide in plain sight because Dropbox is a trusted brand, and traffic to a legitimate site is usually not regarded as suspicious by some security products and analysts,” Dahan said.
The malware’s authors also implemented a kill function that instructs the malware to remove itself if they believe their operation may be at risk.
“It is very likely that MalKamak exfiltrated [stole] hundreds of terabytes of data since starting its operations in 2018,” Dahan said.
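As an added defender-side illustration (not code from the report or this article), the following Python scans constructed web-proxy log lines for hosts that contact the Dropbox API at near-constant intervals from a client that is not the official desktop app; the log format, hostnames, user agents and thresholds are assumptions.

```python
"""Flag beacon-like traffic to a trusted cloud service in web-proxy logs."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real telemetry):
# timestamp, source host, destination, user agent
SAMPLE_LOG = """\
2021-07-12T09:00:00 ws-012 api.dropboxapi.com python-requests/2.25
2021-07-12T09:00:04 ws-012 www.example.org Mozilla/5.0
2021-07-12T09:05:00 ws-012 api.dropboxapi.com python-requests/2.25
2021-07-12T09:10:00 ws-012 api.dropboxapi.com python-requests/2.25
2021-07-12T09:15:01 ws-012 api.dropboxapi.com python-requests/2.25
2021-07-12T09:20:00 ws-012 api.dropboxapi.com python-requests/2.25
2021-07-12T09:01:12 ws-044 api.dropboxapi.com Dropbox-Desktop/127.4
2021-07-12T09:31:40 ws-044 api.dropboxapi.com Dropbox-Desktop/127.4
2021-07-12T11:03:09 ws-044 api.dropboxapi.com Dropbox-Desktop/127.4
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")


def parse(log_text):
    """Yield (timestamp, host, dest, user_agent); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def find_beacons(log_text, dest_suffix="dropboxapi.com", min_hits=4, max_jitter=0.1):
    """Return {host: interval_seconds} for hosts hitting dest_suffix at
    near-constant intervals (jitter = stdev/mean of gaps) with a user agent
    other than the official Dropbox client (assumed prefix 'Dropbox-Desktop').
    The destination is legitimate, so timing and client are the signal."""
    by_host = defaultdict(list)
    for ts, host, dest, ua in parse(log_text):
        if dest.endswith(dest_suffix) and not ua.startswith("Dropbox-Desktop"):
            by_host[host].append(ts)
    hits = {}
    for host, times in by_host.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[host] = round(avg)  # ws-012 -> every ~300 s
    return hits
```

In the sample data only ws-012 is flagged; ws-044 talks to the same API but from the official client at irregular times, which is the benign pattern the check is meant to leave alone.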
The Iranian group behind the attack is probably linked to other Iranian state-sponsored actors.
“When we compared MalKamak to known Iranian groups, we found some potentially interesting connections to other Iranian state-sponsored threat actors,” Dahan said. However, he said, it is still speculation and more time is needed to establish a definitive relationship.
But the objective is the same: the aerospace and telecommunications sectors are key targets for Iran, Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, the San Francisco-based cybersecurity firm, told Granthshala Business.
“Acquiring sensitive information relating to these areas … could provide a strategic advantage to Iran, which was the overall goal of the Ghostshell campaign,” Morgan said.