ShellClient Malware

ShellClient Malware Description

Infosec researchers have uncovered a new espionage malware that is part of the toolkit of a previously undisclosed threat actor. Named ShellClient, the threat is a Remote Access Trojan (RAT) that appears to be deployed only in highly targeted cyberespionage operations.

New Threat Actor

The ShellClient malware is attributed to a separate cybercrime group tracked as MalKamak. The hackers are believed to be responsible for a range of targeted reconnaissance attacks against victims in many different countries, including the U.S., Russia, EU member states and countries in the Middle East. The goal of the hackers appears to be the acquisition of highly sensitive information from a handful of specifically chosen targets. Certain overlaps in code, naming conventions and the techniques employed point towards MalKamak being a nation-state cybercrime group with connections to Iran.

Threatening Functionality And Evolution

The ShellClient malware is designed to be especially stealthy, ensuring a prolonged presence on the compromised machines. The threat disguises itself as 'RuntimeBroker.exe'. The legitimate process of that name is responsible for permission management for Microsoft Store applications.
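Process-name masquerading of this kind is detectable because the genuine RuntimeBroker.exe lives in a fixed location. The following Python hunting check is an added example and not code from the original page or from any published ShellClient analysis: it takes a process inventory (as exported from an EDR or a `tasklist`-style listing, here a constructed sample) and flags any process called RuntimeBroker.exe whose image path is not `C:\Windows\System32\RuntimeBroker.exe`. The expectation that the legitimate instance is started by `svchost.exe` is an assumption added for the second check, so a parent-process mismatch is reported as a weaker indicator.

```python
"""Hunting check for RuntimeBroker.exe masquerading over a process inventory."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Location of the genuine binary on a default Windows installation.
LEGIT_RUNTIMEBROKER = PureWindowsPath(r"C:\Windows\System32\RuntimeBroker.exe")
# Assumption for the weaker check: the real broker is launched by a service host.
EXPECTED_PARENT = "svchost.exe"


@dataclass(frozen=True)
class ProcessRecord:
    """One row of a process inventory export."""
    pid: int
    name: str
    image_path: str
    parent_name: str


def runtimebroker_findings(proc: ProcessRecord) -> list[str]:
    """Return the reasons a RuntimeBroker.exe process looks suspicious (empty if none)."""
    reasons: list[str] = []
    if proc.name.lower() != "runtimebroker.exe":
        return reasons
    # PureWindowsPath compares case-insensitively, matching NTFS semantics.
    if PureWindowsPath(proc.image_path) != LEGIT_RUNTIMEBROKER:
        reasons.append(f"unexpected image path: {proc.image_path}")
    if proc.parent_name.lower() != EXPECTED_PARENT:
        reasons.append(f"unexpected parent process: {proc.parent_name}")
    return reasons


def find_masquerading(inventory: list[ProcessRecord]) -> dict[int, list[str]]:
    """Map PID -> findings for every RuntimeBroker.exe process that fails a check."""
    hits: dict[int, list[str]] = {}
    for proc in inventory:
        reasons = runtimebroker_findings(proc)
        if reasons:
            hits[proc.pid] = reasons
    return hits


# Constructed sample inventory: one genuine broker, one dropped into a user
# directory, one in the right place but with an odd parent, and an unrelated process.
SAMPLE_INVENTORY = [
    ProcessRecord(1234, "RuntimeBroker.exe", r"C:\Windows\System32\RuntimeBroker.exe", "svchost.exe"),
    ProcessRecord(5678, "RuntimeBroker.exe", r"C:\Users\Public\Libraries\RuntimeBroker.exe", "explorer.exe"),
    ProcessRecord(9012, "runtimebroker.exe", r"c:\windows\system32\runtimebroker.exe", "cmd.exe"),
    ProcessRecord(3456, "notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for pid, reasons in find_masquerading(SAMPLE_INVENTORY).items():
        print(f"PID {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

The path check is the strong signal: a RuntimeBroker.exe outside System32 has no legitimate reason to exist. The parent check on its own only warrants a closer look, since tooling and unusual service configurations can produce a different parent; in practice the inventory would be fed from the EDR's process telemetry rather than the constructed list above.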

The earliest versions of the malware date back to 2018, but back then ShellClient was a very different threat - just a simple standalone reverse shell. In the following years, the MalKamak hackers released several versions of the malware, transforming it more and more into a fully-fledged RAT with each subsequent one. For example, the 4.0 iteration included better code obfuscation, the use of the Costura packer, the removal of the C2 domain used since 2018, and the addition of a Dropbox client. Whether the development of the threat has reached a final point remains to be seen.