The Rise of SHELBY: A New Cyber Threat
A new and dangerous malware called SHELBY is making headlines. It was found attacking a telecom company in Iraq. The malware spreads through phishing emails. These emails trick employees into downloading harmful files.
Once inside, SHELBY silently takes control of the system. It lets hackers steal information and remotely control infected machines. The malware is hard to detect, making it even more dangerous.
SHELBY is especially dangerous because it uses GitHub in a clever way. GitHub is a popular site for storing and sharing code. The malware hides its activities there, making it hard for security systems to spot.
By acting like normal online traffic, SHELBY blends in. This helps it avoid raising suspicion and makes it harder to detect.
Elastic Security Labs, which found the malware, says SHELBY is still being developed. This means the attackers might be testing and improving it. The full impact is not yet clear. However, security experts warn that SHELBY could be used for spying and stealing large amounts of data.
How SHELBY Works: A Sneaky and Sophisticated Attack
The SHELBY malware consists of two key components: SHELBYLOADER and SHELBYC2.
SHELBYLOADER loads the malicious files into the infected system. SHELBYC2 handles communication between the malware and the attackers. With this setup, hackers can send commands, steal data, and control infected devices.
The attack starts with a phishing email. It looks like it is from a trusted source, such as a colleague or an internal team. The email has an attachment that seems safe but is actually malicious. When opened, it installs SHELBY without the victim knowing.
SHELBY uses a safe-looking .NET program called Microsoft.Http.Api.exe to carry out the attack. The program quietly loads the main malware files, SHELBYLOADER and SHELBYC2, into the system. Since the program looks real, security systems are less likely to see it as a threat.
One of the most dangerous parts of SHELBY is its use of Personal Access Tokens (PAT). These tokens work like security keys. They let the malware connect to GitHub. By making small changes (commits) to a private GitHub repository, SHELBY talks to its controllers. This helps it avoid detection.
Since GitHub is a trusted platform, the malware’s activities blend in with regular internet traffic. This makes it harder for security tools to detect the malicious behavior, giving the attackers greater freedom to control infected systems remotely.
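Because outbound GitHub traffic cannot simply be blocked, one practical defensive angle is to baseline which processes on a host are allowed to talk to the GitHub API and to look at how regular that traffic is. The following is an added detection example, not code from the article or from Elastic Security Labs. It runs over constructed endpoint telemetry (JSON records of outbound connections), flags GitHub API connections from processes outside an assumed developer-tool allowlist, and scores how beacon-like their timing is. The process name Microsoft.Http.Api.exe comes from the article; the allowlist, the telemetry format and all log lines are assumptions made for the example.

```python
"""
Added example: flag non-developer processes that talk to the GitHub API and
rate how periodic (beacon-like) their connections are. All telemetry below is
constructed; the allowlist and record format are assumptions for illustration.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed allowlist of tooling that legitimately calls api.github.com on
# developer workstations. A real deployment would tune this per host role.
DEV_TOOL_ALLOWLIST = {"git.exe", "code.exe", "gh.exe"}
GITHUB_API_HOSTS = {"api.github.com"}

# Constructed telemetry: one JSON record per outbound connection.
# The Microsoft.Http.Api.exe entries mimic a fixed-interval check-in;
# git.exe is a normal developer client and is ignored by the allowlist.
SAMPLE_EVENTS = [
    '{"ts": "2025-03-20T10:00:00", "host": "WS01", "process": "Microsoft.Http.Api.exe", "dest": "api.github.com"}',
    '{"ts": "2025-03-20T10:00:05", "host": "WS01", "process": "git.exe", "dest": "api.github.com"}',
    '{"ts": "2025-03-20T10:01:00", "host": "WS01", "process": "Microsoft.Http.Api.exe", "dest": "api.github.com"}',
    '{"ts": "2025-03-20T10:01:30", "host": "WS01", "process": "OUTLOOK.EXE", "dest": "api.github.com"}',
    '{"ts": "2025-03-20T10:02:00", "host": "WS01", "process": "Microsoft.Http.Api.exe", "dest": "api.github.com"}',
    '{"ts": "2025-03-20T10:02:10", "host": "WS01", "process": "svchost.exe", "dest": "update.example.com"}',
    '{"ts": "2025-03-20T10:03:01", "host": "WS01", "process": "Microsoft.Http.Api.exe", "dest": "api.github.com"}',
    '{"ts": "2025-03-20T10:45:00", "host": "WS01", "process": "OUTLOOK.EXE", "dest": "api.github.com"}',
]


def parse_events(lines):
    """Yield telemetry records with the timestamp parsed to a datetime."""
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections.

    0.0 means perfectly periodic; larger values mean irregular timing.
    Returns None when there are too few connections to judge.
    """
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return 0.0
    return statistics.pstdev(gaps) / mean


def find_suspicious_github_clients(lines, max_cv=0.2):
    """Return one finding per (host, process) that contacts the GitHub API
    and is not an allowlisted developer tool, with a beacon-likeness verdict."""
    groups = defaultdict(list)
    for ev in parse_events(lines):
        if ev["dest"] not in GITHUB_API_HOSTS:
            continue
        if ev["process"].lower() in DEV_TOOL_ALLOWLIST:
            continue
        groups[(ev["host"], ev["process"])].append(ev["ts"])

    findings = []
    for (host, proc), stamps in groups.items():
        cv = beacon_score(stamps)
        findings.append({
            "host": host,
            "process": proc,
            "connections": len(stamps),
            "beacon_cv": cv,
            "beacon_like": cv is not None and cv <= max_cv,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_github_clients(SAMPLE_EVENTS):
        print(f)
```

The allowlist check removes the bulk of legitimate developer traffic, and the timing score separates a scheduled check-in from a user occasionally opening a GitHub link: the four Microsoft.Http.Api.exe connections arrive roughly a minute apart and score as beacon-like, while the two OUTLOOK.EXE connections are too few and too far apart to be rated. Neither signal alone is proof of compromise; the point is to surface GitHub API use that does not match the host's expected role for analyst review.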
Why SHELBY Is Hard to Detect
SHELBY’s creators designed it to evade detection by security software. It uses several advanced techniques to stay hidden.
SHELBY uses sandbox evasion to avoid detection. It checks if it is running in a virtual environment. Security experts use these environments to spot malware.
If SHELBY detects analysis, it stops working or changes its behavior. This makes it harder for researchers to study.
The malware also performs system checks to avoid detection. It examines disk sizes, system information, and running processes. By doing this, it can recognize whether it is operating in a controlled environment and adjust its actions accordingly.
Another stealth technique SHELBY uses is running directly from memory rather than storing files on the hard drive. This makes it difficult for antivirus programs to detect or trace, as there are no suspicious files left behind.
Once SHELBY takes control of a system, it allows attackers to remotely execute commands. This includes stealing data, installing additional malware, and controlling infected devices.
The use of Personal Access Tokens is especially concerning. Since the PAT acts as a digital key, anyone who obtains it can take control of infected systems. This means that even other hackers or rogue individuals could potentially exploit the malware for their own gain.
The attackers used GitHub accounts named after Peaky Blinders characters. These included arthurshellby and johnshelllby. Even though these accounts are closed, the SHELBY threat remains. Hackers can create new accounts and keep using the same tricks.