SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers

How new malware SHELBY targets telecom via phishing

Mon, 31st Mar 2025

Elastic Security Labs has disclosed the emergence of a novel malware family named SHELBY, which has been implicated in a campaign targeting an Iraqi telecommunications company through a phishing attack.

The SHELBY malware family is composed of two distinct components, SHELBYLOADER and SHELBYC2, both of which utilise GitHub commits to perform command-and-control operations. This technique can significantly complicate detection efforts by mimicking legitimate activity seen in many organisations.

SHELBY makes use of Personal Access Tokens (PAT) to gain access to a private GitHub repository.

This allows the malware to authenticate and perform actions independently of the standard Git toolchain. The risk this poses is accentuated by the fact that, should the PAT be compromised, it provides the potential for unauthorised control over infected systems.

According to Elastic Security Labs, "SHELBY is an espionage-motivated threat with interests in Syria. Its name comes from the malicious GitHub accounts behind it — arthurshellby and johnshelllby — a nod to Peaky Blinders characters. The accounts have since been shut down."

A detailed analysis from Elastic Security Labs points to evidence suggesting that SHELBY is still under development. Unused code and dynamic payload loading indicate that improvements or changes may be forthcoming. There remains a critical flaw in the current design: anyone with the PAT can control infected machines, posing a significant security concern.

The attack vector identified involved a phishing email appearing to come from within the targeted Iraqi telecommunications company, aimed at its own employees. The email contained an attachment that, when executed, triggered the malware installation.

This installation utilised a benign .NET executable, Microsoft.Http.Api.exe, which side-loaded the malicious files HTTPService.dll (SHELBYLOADER) and HTTPApi.dll (SHELBYC2). The payload is executed without being written to disk, aiding in the evasion of traditional detection mechanisms.
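The two behaviours described above (the benign host executable side-loading the named DLLs, and a non-developer process talking to GitHub for command-and-control) can be expressed as simple endpoint detection logic. The following is an added example, not code from Elastic Security Labs or the report; the event format, file paths and the allow-list of legitimate GitHub clients are assumptions and would need tuning per environment.

```python
# Constructed sample telemetry in a Sysmon-like shape (image-load and
# network-connect records). These are illustrative, not captured data.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": r"C:\Users\u\Downloads\Microsoft.Http.Api.exe",
     "image": r"C:\Users\u\Downloads\HTTPService.dll"},
    {"type": "image_load", "process": r"C:\Users\u\Downloads\Microsoft.Http.Api.exe",
     "image": r"C:\Users\u\Downloads\HTTPApi.dll"},
    {"type": "image_load", "process": r"C:\Users\u\Downloads\Microsoft.Http.Api.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"type": "net_connect", "process": r"C:\Users\u\Downloads\Microsoft.Http.Api.exe",
     "dest_host": "api.github.com", "dest_port": 443},
    {"type": "net_connect", "process": r"C:\Program Files\Git\cmd\git.exe",
     "dest_host": "github.com", "dest_port": 443},
]

# Names taken from the report: benign host exe and the two side-loaded DLLs.
SIDELOAD_HOST = "microsoft.http.api.exe"
SIDELOAD_DLLS = {"httpservice.dll", "httpapi.dll"}
GITHUB_HOSTS = {"api.github.com", "github.com", "raw.githubusercontent.com"}
# Assumption: processes expected to reach GitHub in this environment.
GITHUB_ALLOWED = {"git.exe", "gh.exe", "code.exe"}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def dirname(path):
    return path.replace("\\", "/").rsplit("/", 1)[0].lower()


def detect(events):
    """Return (rule, reason) alerts for SHELBY-like side-loading and GitHub C2."""
    alerts = []
    for ev in events:
        proc = basename(ev["process"])
        if ev["type"] == "image_load":
            dll = basename(ev["image"])
            # Side-load: the host exe loads one of the named DLLs from its own directory
            # rather than from a system path.
            if (proc == SIDELOAD_HOST and dll in SIDELOAD_DLLS
                    and dirname(ev["image"]) == dirname(ev["process"])):
                alerts.append(("sideload", f"{proc} loaded {dll} from {dirname(ev['image'])}"))
        elif ev["type"] == "net_connect":
            # GitHub traffic from anything other than known developer tooling.
            if ev["dest_host"] in GITHUB_HOSTS and proc not in GITHUB_ALLOWED:
                alerts.append(("github_c2", f"{proc} -> {ev['dest_host']}:{ev['dest_port']}"))
    return alerts


if __name__ == "__main__":
    for rule, reason in detect(SAMPLE_EVENTS):
        print(rule, reason)
```

The GitHub rule will fire on any unlisted process, so the allow-list is where the tuning effort goes; the side-load rule is narrow and should stay quiet in normal operation.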

SHELBY employs various sandbox detection techniques to avoid analysis in virtualised environments.

Among the methods employed are system information checks via WMI queries, process enumeration, and analysis of disk sizes. This helps the malware determine if it is operating in a sandboxed environment, adjusting its behaviour accordingly.

The malware is configured to retrieve commands from its control server and execute these on the compromised systems. This includes the ability to upload, download, and execute files, further complicating the detection and mitigation efforts of affected entities.

Analysts from Elastic Security Labs noted, "We believe using this malware, whether by an authorized red team or a malicious actor, would constitute malpractice. It enables any victim to weaponize the embedded PAT and take control of all active infections."

The misuse of GitHub for command-and-control functions underscores the rising sophistication and evolving tactics of threat actors. It is recommended that organisations remain vigilant and employ comprehensive security measures to mitigate such threats.
