SHELBY Malware Uses GitHub for Command-and-Control to Steal Data

Elastic Security Labs has uncovered a sophisticated malware family dubbed SHELBY that leverages GitHub repositories for command-and-control (C2) operations.

The malware, consisting of two components, SHELBYLOADER and SHELBYC2, was discovered during an investigation into the REF8685 intrusion campaign targeting organizations in Iraq and the United Arab Emirates.

SHELBYLOADER, the initial payload, employs various sandbox detection techniques to evade analysis.

Figure: Sandbox detection example

It generates a unique identifier for each infected machine based on system-specific information and uses this to create a dedicated directory in a GitHub repository.

The loader then attempts to retrieve a decryption key from a file named License.txt in this directory, which is used to decrypt and load the SHELBYC2 backdoor into memory.

SHELBYC2: Advanced Backdoor with GitHub-based C2

The SHELBYC2 backdoor, once loaded, establishes persistence on the infected system and begins regular communication with the C2 server via GitHub API calls.

Figure: SHELBYLOADER & SHELBYC2 Execution Chain

It can execute a range of commands, including file download and upload, PowerShell command execution, and even the ability to reflectively load additional .NET binaries.

Critically, the malware’s design incorporates a significant security flaw: the Personal Access Token (PAT) required for GitHub repository access is embedded within the binary.

This oversight potentially allows anyone who obtains the token to control infected machines or access victim data.
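The hardcoded PAT described above is the kind of defect a triage scan of a suspect .NET sample (or of your own build artifacts) should surface. The following is an added example, not code from the report or from Elastic: it searches a file for GitHub token strings in both ASCII and the UTF-16LE form in which .NET assemblies store string literals. The token prefixes are GitHub's public formats; the sample bytes and token values are constructed placeholders, and the "Authorization" header string is part of that constructed sample, not a claim about SHELBY.

```python
import re
from dataclasses import dataclass
# Token shapes GitHub publishes: 4-char prefix + 36 alphanumerics, or "github_pat_" + 82 chars.
ASCII_RE = re.compile(
    rb"(?<![A-Za-z0-9_])"
    rb"(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})"
    rb"(?![A-Za-z0-9_])"
)
# Same shapes as UTF-16LE (each ASCII byte followed by NUL), which is how .NET
# assemblies store C# string literals; an ASCII-only 'strings' pass misses these.
UTF16LE_RE = re.compile(
    rb"(?<![A-Za-z0-9_]\x00)"
    rb"(?:g\x00h\x00[pousr]\x00_\x00(?:[A-Za-z0-9]\x00){36}"
    rb"|g\x00i\x00t\x00h\x00u\x00b\x00_\x00p\x00a\x00t\x00_\x00(?:[A-Za-z0-9_]\x00){82})"
    rb"(?![A-Za-z0-9_]\x00)"
)

@dataclass(frozen=True)
class Finding:
    offset: int    # byte offset of the token in the scanned file
    encoding: str  # "ascii" or "utf-16le"
    token: str

    def redacted(self) -> str:
        # Prefix and last four characters only: enough for a triage note or a revocation request.
        return f"{self.token[:4]}...{self.token[-4:]}"

def find_github_tokens(data: bytes) -> list[Finding]:
    """Return every GitHub-shaped token in data, sorted by file offset."""
    found = [Finding(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(data)]
    found += [Finding(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in UTF16LE_RE.finditer(data)]
    return sorted(found, key=lambda f: f.offset)
# Constructed sample, not real credentials: fake PE stub, one token as an ASCII
# header string, one as a .NET-style wide string, and a too-short decoy.
FAKE_CLASSIC = "ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE1"  # 4 + 36 chars
FAKE_FINE = "github_pat_" + "EXAMPLE_" * 10 + "EX"           # 11 + 82 chars
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"Authorization: token " + FAKE_CLASSIC.encode() + b"\x00"
    + b"\x00" * 16
    + FAKE_FINE.encode("utf-16-le") + b"\x00\x00"
    + b"ghp_tooshort\x00"
)

if __name__ == "__main__":
    for f in find_github_tokens(SAMPLE_BINARY):
        print(f"offset 0x{f.offset:x} ({f.encoding}): {f.redacted()}")
```

Run against a real sample by reading the file into `find_github_tokens`; a hit in the UTF-16LE pass that an ASCII strings dump missed is exactly the case a .NET loader like the one described here would produce.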

Campaign Analysis Reveals Sophisticated Targeting

The REF8685 campaign, responsible for deploying SHELBY, utilized highly targeted phishing emails sent from compromised accounts within victim organizations.

According to the report, the attackers appear to have initially phished for cloud login credentials before leveraging internal email threads to deliver the malware.

Observed targets include an Iraq-based telecommunications company and potentially an international airport in the United Arab Emirates.

The attackers used a network of domains and servers, primarily hosted on Stark Industries infrastructure, to facilitate their operations.

While the use of GitHub for C2 operations demonstrates innovation, security researchers emphasize that this approach introduces significant risks.

The embedded PAT could allow victims or third parties to take control of the malware infrastructure, highlighting a critical oversight in the malware’s design.

As the SHELBY malware family continues to evolve, organizations are advised to remain vigilant and implement robust security measures to detect and mitigate such sophisticated threats.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
