ShellClient is a previously undocumented remote access trojan (RAT) built with particular attention to remaining stealthy on the systems it infects.
Apparently, the malware was created in order to help with “highly targeted cyber espionage operations.”
While examining malware used against companies in the aerospace and telecommunications sectors, researchers uncovered a new threat actor that has been running cyber-espionage campaigns since 2018.
ShellClient was linked to MalKamak, a threat actor that used it to conduct reconnaissance and steal sensitive data from targets in the Middle East, the United States, Russia, and Europe.
Threat researchers discovered the ShellClient RAT during an incident response engagement that revealed cyber-espionage activities known as Operation GhostShell.
The malware was found on compromised PCs masquerading as “RuntimeBroker.exe,” a legitimate Windows process that manages permissions for apps from the Microsoft Store, according to the Cybereason Nocturnus and Incident Response teams.
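Masquerading as a legitimate system binary is only effective when no one compares the running process against what the genuine one looks like. The following is an added example (not code from Cybereason, BleepingComputer, or the ShellClient report) showing one defender-side check over process telemetry: a genuine RuntimeBroker.exe is loaded from the System32 directory and, as an assumption made here for the heuristic, is expected to be started by svchost.exe; anything named RuntimeBroker.exe that violates either property is flagged. The process records are constructed sample data, not real telemetry.

```python
from dataclasses import dataclass

# The genuine RuntimeBroker.exe image lives in System32.
EXPECTED_IMAGE = r"c:\windows\system32\runtimebroker.exe"
# Assumption used by this heuristic: the legitimate broker is launched by svchost.exe.
EXPECTED_PARENT = "svchost.exe"


@dataclass
class ProcessRecord:
    """Minimal process telemetry record (constructed for this example)."""
    pid: int
    name: str
    image_path: str
    parent_name: str


def check_runtime_broker(proc: ProcessRecord) -> list[str]:
    """Return reasons this process looks like a masquerading RuntimeBroker.exe.

    An empty list means the record matches what a genuine instance looks like
    (or the process is not named RuntimeBroker.exe at all).
    """
    if proc.name.lower() != "runtimebroker.exe":
        return []
    reasons = []
    # Normalise path separators and case so the comparison is not trivially bypassed.
    image = proc.image_path.replace("/", "\\").lower()
    if image != EXPECTED_IMAGE:
        reasons.append(f"unexpected image path: {proc.image_path}")
    if proc.parent_name.lower() != EXPECTED_PARENT:
        reasons.append(f"unexpected parent process: {proc.parent_name}")
    return reasons


def find_masquerades(records: list[ProcessRecord]) -> dict[int, list[str]]:
    """Map PID -> list of findings for every suspicious RuntimeBroker.exe instance."""
    findings = {}
    for proc in records:
        reasons = check_runtime_broker(proc)
        if reasons:
            findings[proc.pid] = reasons
    return findings


# Constructed sample telemetry: one genuine broker, two impostors, one unrelated process.
SAMPLE_RECORDS = [
    ProcessRecord(1234, "RuntimeBroker.exe",
                  r"C:\Windows\System32\RuntimeBroker.exe", "svchost.exe"),
    ProcessRecord(5678, "RuntimeBroker.exe",
                  r"C:\Users\alice\AppData\Roaming\RuntimeBroker.exe", "explorer.exe"),
    ProcessRecord(9012, "runtimebroker.exe",
                  r"C:\Windows\System32\RuntimeBroker.exe", "cmd.exe"),
    ProcessRecord(42, "notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]


if __name__ == "__main__":
    for pid, reasons in find_masquerades(SAMPLE_RECORDS).items():
        print(f"PID {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

The path check alone would miss an implant that overwrote or sat beside the real binary, which is why the parent-process check is kept as a second, independent signal; in a real deployment both expectations would be taken from a baseline of the environment rather than hard-coded.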
Version 4.0.1 of the ShellClient variant used in Operation GhostShell carries a compilation timestamp of May 22, 2021.
As explained by BleepingComputer, each successive version that was discovered gained functionality and switched between several data exfiltration protocols and channels (e.g., an FTP client, a Dropbox account).