ShellClient Malware Targets Aerospace Industry Since 2018

foudre malware

ShellClient Malware is a newly discovered Remote Access Trojan that, however, has been in use for over two years. The criminals behind it are tracked under the alias MalKamak, and this particular campaign focuses on espionage. The malicious threat actors went after major companies and institutions active in Europe, Russia, the United States, and the Middle East. The spectacular thing about ShellClient Malware is that because of its low activity and clever design, it managed to stay under the radar for over two years before it was finally identified and dissected. It appears that the primary targets of the ShellClient Malware were parts of the Aerospace and Telecommunications industry.

ShellClient Malware Underwent Major Changes in 2 Years

The latest build of the ShellClient Malware daters back to May 2021 – this is a sure sign that its developers have been regularly releasing updates for their payload. Naturally, all active instances of the malware were automatically updated to the latest available version. Another peculiar thing about this campaign is that the hackers disguised the malware as the legitimate RuntimeBroker.exe process. The latter process is a legitimate Windows component that handles Microsoft Store app permissions.

Another important thing to add about the ShellClient Malware is that its initial variant was much more minimalistic. In fact, it functioned as a basic reverse shell that enabled attackers to execute remote commands. However, over a two year period, it underwent major changes turning it into a fully-fledged, modular Remote Access Trojan.

Since espionage is this threat's primary focus, its main features involve remote code execution and data exfiltration. As mentioned above, it has an auto-update feature and a modular structure, thus enabling the operators to easily manage the implant.

By Ruik
October 7, 2021
October 7, 2021