The MalKamak group has been active since at least 2018 and was observed in a targeted espionage campaign that peaked in July 2021, focusing primarily on the aerospace and telecommunications sectors in the Middle East (with additional victims in the U.S., Russia, and Europe). The name MalKamak is derived from Kamak, an ancient Persian mythological creature believed to be responsible for droughts and spreading chaos, reflecting the group's disruptive capabilities.
The group’s primary tool is a stealthy Remote Access Trojan (RAT) dubbed ShellClient. ShellClient is modular, packed with Costura/zlib, keeps most strings encoded as raw bytes to evade detection, and contains two supporting DLLs (ExtensionLib.dll and ClientCore.dll) that provide AES encryption, fingerprinting, file and registry operations, process creation, and network clients.
In this post, we explore the major historical operations of MalKamak, highlight its notable attacks on aerospace and telecommunications firms (Operation GhostShell), and examine the group's tactics, techniques, and procedures (TTPs). Finally, we show how the Picus Security Validation Platform helps defend against this group.
July 2021 - MalKamak attacked the aerospace and telecom sectors using the ShellClient RAT during the Operation GhostShell campaign.
When launched with the -c or -d arguments, the ShellClient RAT performs basic fingerprinting via Windows Management Instrumentation (WMI). It gathers hardware details such as BIOS data and MAC addresses, checks installed antivirus products, and collects networking information, including the public IP address by querying ipinfo[.]io/ip. The collected attributes are then combined to generate a unique agent identifier for each compromised machine:
public static string GetFingerPrint()
The MalKamak group employed PAExec, a redistributable variant of PsExec with extended features, to conduct remote operations across targeted systems. Using PAExec, they launched CMD shells with SYSTEM privileges on remote hosts and managed services by starting, stopping, restarting, and querying their status. They also exfiltrated Active Directory data by remotely invoking csvde.exe to export directory information, verified external connectivity by pinging Google.com, and collected host details through commands such as ipconfig, tasklist, and net use.
The ShellClient RAT installs itself as a Windows Service named nhdService ("Network Hosts Detection Service") using InstallUtil.exe. The service is set to start automatically and run as LocalSystem.
The ShellClient executable stores most of its strings, including configuration data, as raw bytes and converts them to Unicode or ASCII only at runtime.
// Token: 0x04000006 RID: 6
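An added example, not code from the original post or from the ShellClient binary: the Python below shows how an analyst can recover strings that a .NET sample keeps as raw byte arrays, working from decompiler output of the kind shown above (the `// Token:` comment is how decompilers such as dnSpy label each field). It parses every `byte[]` initializer, then tries UTF-16LE (what .NET produces for Unicode strings) and ASCII, and marks anything else as undecoded. The decompiled text, field names and byte values are constructed for illustration; the real configuration values are not reproduced here.

```python
from __future__ import annotations
import re

# Constructed decompiler output; the field names and bytes are made up for this example.
SAMPLE_DECOMPILED = r"""
// Token: 0x04000006 RID: 6
private static readonly byte[] svcName = new byte[] { 0x6E, 0x00, 0x68, 0x00, 0x64, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00 };
// Token: 0x04000007 RID: 7
private static readonly byte[] apiHost = new byte[] { 0x61, 0x70, 0x69, 0x2E, 0x64, 0x72, 0x6F, 0x70, 0x62, 0x6F, 0x78, 0x61, 0x70, 0x69, 0x2E, 0x63, 0x6F, 0x6D };
// Token: 0x04000008 RID: 8
private static readonly byte[] blob = new byte[] { 0xFF, 0xFE, 0x00, 0x01 };
"""

ARRAY_RE = re.compile(r"byte\[\]\s+(\w+)\s*=\s*new\s+byte\[\]\s*\{([^}]*)\}")
NUMBER_RE = re.compile(r"0x[0-9A-Fa-f]+|\d+")


def parse_byte_arrays(decompiled: str) -> dict[str, bytes]:
    """Map each byte[] field name to the bytes in its initializer."""
    arrays: dict[str, bytes] = {}
    for name, body in ARRAY_RE.findall(decompiled):
        values = [int(tok, 16) if tok.lower().startswith("0x") else int(tok)
                  for tok in NUMBER_RE.findall(body)]
        arrays[name] = bytes(values)
    return arrays


def looks_printable(text: str) -> bool:
    return len(text) > 0 and all(32 <= ord(ch) < 127 for ch in text)


def decode_encoded_string(raw: bytes) -> tuple[str, str]:
    """Return (encoding, text); encoding is 'unknown' and text the hex when nothing fits."""
    # UTF-16LE text has a zero high byte for every ASCII character
    if len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        text = raw.decode("utf-16-le")
        if looks_printable(text):
            return ("utf-16-le", text)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ("unknown", raw.hex())
    if looks_printable(text):
        return ("ascii", text)
    return ("unknown", raw.hex())


def recover_strings(decompiled: str) -> dict[str, tuple[str, str]]:
    """Decode every byte[] field found in the decompiled text."""
    return {name: decode_encoded_string(raw) for name, raw in parse_byte_arrays(decompiled).items()}


if __name__ == "__main__":
    for field, (encoding, text) in recover_strings(SAMPLE_DECOMPILED).items():
        print(f"{field}: [{encoding}] {text}")
```

Run against a real decompilation, the recovered strings (service name, API host, folder names) give hunting material that string-based scanners miss because the plaintext never exists on disk.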
The ShellClient RAT process was observed running as svchost.exe, while the binary's internal name was set to RuntimeBroker.exe; both names mimic legitimate Windows processes so the RAT blends in with normal activity and attracts less scrutiny from monitoring tools.
The MalKamak group deployed and executed a previously unknown tool named lsa.exe to perform credential dumping. The tool dumped the memory of the lsass.exe process and saved it to a file called debug.bin. Although the executable itself was not obtained for analysis, the behavior and the debug.bin output suggest it may be a variant of SafetyKatz.
The attackers prepared for data theft by using WinRAR to compress sensitive files, employing a copy of rar.exe. This step reduced file size and bundled targeted information, streamlining transfer.
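As an added example, not code from the original post or from the ShellClient analysis, the Python below turns the host-level observations from the sections above into detection rules and runs them over constructed Sysmon-style events: the public IP lookup against ipinfo.io during fingerprinting, PAExec-launched shells and csvde.exe exports, the nhdService installation through InstallUtil.exe as LocalSystem, the svchost.exe/RuntimeBroker.exe name mismatch, the lsa.exe dump to debug.bin, and rar.exe archive staging. The event field names, the sample events and the lsass reader allowlist are assumptions for illustration; the internal name is modelled as the PE version-resource file name.

```python
from __future__ import annotations
import ntpath

# Constructed Sysmon-style telemetry for the walkthrough; not logs from the real campaign.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "original_filename": "svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Users\Public\svchost.exe", "original_filename": "RuntimeBroker.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -c"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "original_filename": "Cmd.Exe",
     "parent": r"C:\Windows\paexec.exe", "cmdline": "cmd.exe /c csvde.exe -f ad.csv"},
    {"type": "process", "image": r"C:\Windows\Temp\rar.exe", "original_filename": "Rar.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "rar.exe a -r out.rar C:\\Data\\docs"},
    {"type": "service_install", "name": "nhdService", "display_name": "Network Hosts Detection Service",
     "image_path": r"C:\Users\Public\svchost.exe", "account": "LocalSystem",
     "installer_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"},
    {"type": "process_access", "source_image": r"C:\Windows\Temp\lsa.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"type": "file_create", "image": r"C:\Windows\Temp\lsa.exe", "path": r"C:\Windows\Temp\debug.bin"},
    {"type": "dns", "image": r"C:\Users\Public\svchost.exe", "query": "ipinfo.io"},
]

SYSTEM32 = "c:\\windows\\system32\\"
# Illustrative allowlist of processes expected to open lsass.exe; tune it for your estate.
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def check_process(ev: dict) -> list[tuple[str, str]]:
    image, parent, cmd = base(ev["image"]), base(ev["parent"]), ev["cmdline"].lower()
    orig = ev.get("original_filename", "").lower()
    findings = []
    # a file named svchost.exe whose version resource says RuntimeBroker.exe (or anything else)
    if orig and orig != image:
        findings.append(("masquerade", f"{ev['image']} runs as {image} but its original file name is {orig}"))
    if image == "svchost.exe" and not ev["image"].lower().startswith(SYSTEM32):
        findings.append(("masquerade", f"svchost.exe outside System32: {ev['image']}"))
    # remote shells and service management driven through PAExec
    if parent == "paexec.exe" or "paexec" in cmd:
        findings.append(("lateral_movement", f"PAExec-launched process: {ev['cmdline']}"))
    # Active Directory export via csvde.exe
    if image == "csvde.exe" or "csvde" in cmd:
        findings.append(("ad_collection", f"csvde export: {ev['cmdline']}"))
    # rar.exe 'a' (add to archive) command: data being bundled before transfer
    if image == "rar.exe" and cmd.split()[1:2] == ["a"]:
        findings.append(("staging", f"archive built with rar.exe: {ev['cmdline']}"))
    return findings


def check_service_install(ev: dict) -> list[tuple[str, str]]:
    findings = []
    if ev["name"].lower() == "nhdservice" or "network hosts detection" in ev.get("display_name", "").lower():
        findings.append(("persistence", f"ShellClient service name: {ev['name']} -> {ev['image_path']}"))
    if base(ev.get("installer_image", "")) == "installutil.exe" and ev["account"].lower() == "localsystem":
        findings.append(("persistence", f"InstallUtil.exe registered LocalSystem service {ev['name']}"))
    if base(ev["image_path"]) == "svchost.exe" and not ev["image_path"].lower().startswith(SYSTEM32):
        findings.append(("masquerade", f"service binary named svchost.exe outside System32: {ev['image_path']}"))
    return findings


def check_process_access(ev: dict) -> list[tuple[str, str]]:
    # any process outside the allowlist opening a handle to lsass.exe
    if base(ev["target_image"]) == "lsass.exe" and base(ev["source_image"]) not in LSASS_READERS_ALLOWED:
        return [("credential_access", f"{ev['source_image']} opened a handle to lsass.exe")]
    return []


def check_file_create(ev: dict) -> list[tuple[str, str]]:
    # debug.bin was the dump file name observed alongside lsa.exe
    if base(ev["path"]) == "debug.bin":
        return [("credential_access", f"{ev['image']} wrote {ev['path']}")]
    return []


def check_dns(ev: dict) -> list[tuple[str, str]]:
    # public IP discovery performed during fingerprinting
    if ev["query"].lower().rstrip(".") == "ipinfo.io":
        return [("discovery", f"{ev['image']} resolved {ev['query']}")]
    return []


CHECKS = {"process": check_process, "service_install": check_service_install,
          "process_access": check_process_access, "file_create": check_file_create, "dns": check_dns}


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Run every applicable rule over each event and collect (category, detail) findings."""
    findings: list[tuple[str, str]] = []
    for ev in events:
        findings.extend(CHECKS.get(ev["type"], lambda _e: [])(ev))
    return findings


if __name__ == "__main__":
    for category, detail in detect(EVENTS):
        print(f"[{category}] {detail}")
```

The rules that key on fixed names (nhdService, debug.bin, ipinfo.io) catch this campaign as reported; the name-mismatch, PAExec-parent and lsass-handle rules are the ones that survive a renamed build, so they are worth keeping even after the indicators above rotate.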
The command and control infrastructure is the most sophisticated component of the Operation GhostShell campaign. The adversary eschewed traditional C2 methods, such as connecting to a dedicated malicious server, in favor of abusing a trusted, legitimate web service. The primary C2 channel utilizes the Dropbox cloud platform. The ShellClient RAT communicates via the official Dropbox API, sending all traffic to legitimate Dropbox domains such as api.dropboxapi[.]com and content.dropboxapi[.]com.
ShellClient connects to Dropbox using the Dropbox API with a unique embedded API key. Before any communication occurs, it encrypts the data using an AES key that is hardcoded within the ExtensionLib.dll file.
The Dropbox storage is organized into three folders with distinct roles. The AS (Agents) folder holds uploaded information from infected machines. The CS (Commands) folder contains command files that the ShellClient periodically fetches, parses, and deletes before execution, with the victim machine polling this location every two seconds. The code below shows how the actor gets commands from Dropbox:
// Token: 0x06000030 RID: 48 RVA: 0x0000304C File Offset: 0x0000124C
The RS (Results) folder stores the outputs generated after those commands run. Following execution, the ShellClient uploads results to the RS folder using a randomly generated filename derived from the victim’s unique identifier, referred to as HardwareID. The code below shows how the actor uploads command results to Dropbox:
private static async void _pstTimer_Elapsed(object sender, ElapsedEventArgs e)
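Because the C2 traffic goes to genuine Dropbox API hosts over TLS, and the payload is AES-encrypted before it even reaches the TLS layer, a network defender cannot see the AS/CS/RS folder names or the HardwareID-derived filenames. What remains visible is the cadence: a command poll every two seconds is far more regular than any human-driven sync client. The Python below is an added example, not code from the original post, that groups proxy-log requests by client and Dropbox API host and flags pairs whose inter-request gaps are short and nearly constant. The log format, client addresses, thresholds and the contrasting "normal" traffic are constructed for illustration.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Dropbox API hosts named in the analysis; the content is TLS-protected, so timing is what we can see.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}


def constructed_log() -> str:
    """Constructed proxy log (timestamp, client IP, host) for the example; not real traffic."""
    start = datetime(2021, 7, 12, 9, 0, 0)
    lines = []
    # infected host: fixed two-second poll of the commands folder, 15 requests
    for i in range(15):
        lines.append(f"{(start + timedelta(seconds=2 * i)).isoformat()} 10.0.0.15 api.dropboxapi.com")
    # workstation with a human-driven Dropbox client: bursty and irregular
    for off in (0, 7, 45, 46, 300, 301, 302, 900, 1500, 1502, 2400):
        lines.append(f"{(start + timedelta(seconds=off)).isoformat()} 10.0.0.22 content.dropboxapi.com")
    # host that touched the API only twice: too little data to judge
    for off in (10, 3600):
        lines.append(f"{(start + timedelta(seconds=off)).isoformat()} 10.0.0.31 api.dropboxapi.com")
    return "\n".join(lines)


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse 'ISO-timestamp client host' lines into (datetime, client, host) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, client, host = line.split()
        records.append((datetime.fromisoformat(ts), client, host.lower()))
    return records


def find_beacons(records, min_requests: int = 10, max_period_s: float = 10.0,
                 max_jitter_cv: float = 0.15) -> list[dict]:
    """Flag (client, host) pairs whose Dropbox API requests recur with a short, regular period."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ts, client, host in records:
        if host in DROPBOX_API_HOSTS:
            by_pair[(client, host)].append(ts)
    beacons = []
    for (client, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period == 0:
            continue
        jitter_cv = pstdev(gaps) / period  # coefficient of variation: 0 means perfectly regular
        if period <= max_period_s and jitter_cv <= max_jitter_cv:
            beacons.append({"client": client, "host": host, "requests": len(times),
                            "period_s": round(period, 2), "jitter_cv": round(jitter_cv, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_log(constructed_log())):
        print(f"{b['client']} -> {b['host']}: {b['requests']} requests, "
              f"period {b['period_s']} s, jitter {b['jitter_cv']}")
```

The coefficient of variation rather than a raw standard deviation keeps the threshold meaningful across different polling periods, and the minimum request count stops a handful of coincidental requests from producing an alert. On an estate where Dropbox is sanctioned, pair this with the per-host allowlist of approved Dropbox users; where it is not, any traffic to these API hosts is already worth a look.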
We also strongly suggest simulating MalKamak attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for MalKamak:
Threat ID | Threat Name | Attack Module
87458 | MalKamak Threat Group Campaign Malware Email Threat | Network Infiltration
70314 | MalKamak Threat Group Campaign Malware Download Threat | Network Infiltration
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
MalKamak is also known as: Operation GhostShell.