The SHELBY malware family uses GitHub as a command-and-control (C2) channel for its operations, such as data theft and command retrieval. A significant weakness is that the exposed Personal Access Token (PAT) would allow anyone who obtains it to take unauthorized control of infected machines. The malware shows signs of active development, indicated by unused code and dynamic payloads.
Affected: Iraqi telecommunications sector, GitHub users, malware victims
Key points:
- The SHELBY malware family employs GitHub for command-and-control functionality.
- It uses phishing emails with malicious attachments to infect targets.
- It contains a critical security weakness due to an exposed Personal Access Token.
- The malware exhibits active development, with features such as dynamic payload loading.
- It employs various anti-sandboxing techniques to evade detection.
MITRE Techniques:
- T1071.001: Application Layer Protocol – The malware uses GitHub API requests for its command and control.
- T1059.001: Command and Scripting Interpreter – PowerShell is used to execute system commands.
- T1218: Signed Binary Proxy Execution – The malware side-loads malicious DLLs from benign executables.
- T1203: Exploitation for Client Execution – A malicious email attachment is used to execute the payload.
- T1560.002: Archive Collected Data – The malware zips logs and data for transmission to the C2.
Indicators of Compromise:
- [File] details.zip
- [File] JPerf-3.0.0.exe
- [File] HTTPService.dll
- [File] HTTPApi.dll
- [Domain] arthurshelby.click
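As an added detection example (not from the Elastic report), the script below triages constructed EDR-style events against the indicators listed above and the GitHub-API-as-C2 behaviour (T1071.001): it flags the listed file names and domain, GitHub API traffic from a process outside a hypothetical allowlist, and strings matching the classic GitHub PAT format (`ghp_` plus 36 alphanumerics). The allowlist, event schema and sample events are assumptions.

```python
import json
import re
from typing import Dict, List

# Indicators taken from the summary above.
IOC_DOMAINS = {"arthurshelby.click"}
IOC_FILES = {"details.zip", "jperf-3.0.0.exe", "httpservice.dll", "httpapi.dll"}

# Hypothetical allowlist of processes expected to talk to the GitHub API; tune per environment.
GITHUB_ALLOWLIST = {"git.exe", "gh.exe", "code.exe"}

# Classic GitHub PAT format: "ghp_" followed by 36 alphanumeric characters.
PAT_RE = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")


def triage_event(ev: Dict) -> List[str]:
    """Return findings for one event (empty list if nothing suspicious)."""
    findings = []
    proc = ev.get("process", "").lower()
    if proc in IOC_FILES:
        findings.append(f"ioc-file: process {ev['process']}")
    for mod in ev.get("modules", []):  # DLLs loaded by the process (side-loading check)
        if mod.lower() in IOC_FILES:
            findings.append(f"ioc-file: {ev['process']} loaded {mod}")
    dst = ev.get("dst_host", "").lower()
    if dst in IOC_DOMAINS:
        findings.append(f"ioc-domain: {ev['process']} -> {dst}")
    # GitHub used as C2: API traffic from a process with no business using it.
    if dst == "api.github.com" and proc not in GITHUB_ALLOWLIST:
        findings.append(f"suspicious-github-api: {ev['process']} -> {dst}")
    for s in ev.get("strings", []):  # strings extracted from the process image
        if PAT_RE.search(s):
            findings.append(f"embedded-pat: token-like string in {ev['process']}")
    return findings


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Run triage over newline-delimited JSON events; findings keyed by event id."""
    out = {}
    for line in lines:
        ev = json.loads(line)
        hits = triage_event(ev)
        if hits:
            out[ev["id"]] = hits
    return out


# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    '{"id": "e1", "process": "git.exe", "dst_host": "api.github.com"}',
    '{"id": "e2", "process": "JPerf-3.0.0.exe", "modules": ["HTTPService.dll"], "dst_host": "api.github.com"}',
    '{"id": "e3", "process": "JPerf-3.0.0.exe", "dst_host": "arthurshelby.click"}',
    '{"id": "e4", "process": "notepad.exe", "strings": ["ghp_%s"]}' % ("A" * 36),
]
```

Running `triage_log(SAMPLE_LOG)` leaves the allowlisted git.exe event clean and reports the side-loaded DLL, the unexpected GitHub API traffic, the C2 domain and the token-like string.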
Full Story: https://www.elastic.co/security-labs/the-shelby-strategy