In a recent discovery by Elastic Security Labs, a highly sophisticated malware campaign named REF8685 has been identified, specifically targeting the Iraqi telecommunications sector. The campaign uses a previously unseen malware family known as SHELBY, which relies on GitHub for its command-and-control (C2) functions, data exfiltration, and command retrieval.
The SHELBY malware family consists of two main components – SHELBYLOADER and SHELBYC2. Together they carry out the attack chain, which begins with a phishing email carrying a malicious attachment named details.zip. Once executed, the attachment installs multiple files in the %AppData%\Local\Microsoft\HTTPApi directory, including HTTPApi.dll (SHELBYC2) and HTTPService.dll (SHELBYLOADER).
SHELBYLOADER also implements several sandbox-detection techniques to evade analysis: WMI queries, process enumeration, file system checks, and disk size analysis. It establishes persistence by creating an entry in the Windows Registry and generates a unique identifier for the infected machine from system-specific information.
The campaign's distinctive feature is its C2 infrastructure, which is built on GitHub's API. Using a private repository and a Personal Access Token (PAT) embedded in the binary, the malware authenticates and performs repository operations directly over the API, with no need for standard Git tooling. The backdoor component, SHELBYC2, is decrypted with an AES key derived from a file downloaded from the C2 server and then loaded into memory via reflection. It supports commands including file download, file upload, and reflective loading of additional .NET binaries.
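The two paragraphs above give a defender three host-side artefacts to hunt for: a dropped-DLL directory, a registry persistence entry, and GitHub API traffic from a process that has no business talking to GitHub. The script below is an added example written for this page, not Elastic's code and not part of the SHELBY report; it applies those three checks to a handful of constructed, Sysmon-style events. The event field names, the process allowlist and the sample registry key are assumptions; the drop directory and DLL names come from the report.

```python
"""
Hunting script (added example, not from the original report) for host artefacts
named in the SHELBY write-up:

  1. Registry values whose data points into %AppData%\\Local\\Microsoft\\HTTPApi
     or names one of the dropped DLLs (the report says SHELBYLOADER persists via a
     registry entry; the exact key is not given here, so the check is on value data).
  2. Image loads of a DLL from that drop directory.
  3. Network connections to api.github.com from processes outside a short allowlist.

Event dicts mimic Sysmon EventIDs 13 (RegistryValueSet), 7 (ImageLoad) and
3 (NetworkConnect); the field names are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Artefacts taken from the report: drop directory and the two dropped DLLs.
DROP_DIR_RE = re.compile(r"\\AppData\\Local\\Microsoft\\HTTPApi\\", re.IGNORECASE)
DROPPED_DLLS = {"httpapi.dll", "httpservice.dll"}

# Assumed allowlist of images that may legitimately reach api.github.com on a
# workstation. Tune this to the environment; it is not from the report.
GITHUB_ALLOWED_IMAGES = {"git.exe", "gh.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_registry_event(ev: dict) -> Optional[Finding]:
    """EventID 13: flag value data that references the drop directory or a dropped DLL."""
    if ev.get("event_id") != 13:
        return None
    data = ev.get("details", "")
    if DROP_DIR_RE.search(data) or any(d in data.lower() for d in DROPPED_DLLS):
        return Finding("shelby_registry_persistence", ev["host"],
                       f"{ev.get('target_object')} -> {data}")
    return None


def check_image_load_event(ev: dict) -> Optional[Finding]:
    """EventID 7: flag any DLL loaded out of the drop directory."""
    if ev.get("event_id") != 7:
        return None
    loaded = ev.get("image_loaded", "")
    if DROP_DIR_RE.search(loaded) or _basename(loaded) in DROPPED_DLLS:
        return Finding("dll_loaded_from_httpapi_dir", ev["host"],
                       f"{ev.get('image')} loaded {loaded}")
    return None


def check_network_event(ev: dict) -> Optional[Finding]:
    """EventID 3: flag api.github.com connections from images not on the allowlist."""
    if ev.get("event_id") != 3:
        return None
    dest = ev.get("destination_hostname", "").lower()
    image = ev.get("image", "")
    if dest == "api.github.com" and _basename(image) not in GITHUB_ALLOWED_IMAGES:
        return Finding("unexpected_github_api_client", ev["host"], f"{image} -> {dest}")
    return None


def hunt(events: list) -> list:
    """Run every check over every event and collect the findings."""
    findings = []
    for ev in events:
        for check in (check_registry_event, check_image_load_event, check_network_event):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample events for this example (not real telemetry). The Run key in
# the first event is an illustrative location, not the key the report describes.
SAMPLE_EVENTS = [
    {"event_id": 13, "host": "WS01",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\HTTPApi\HTTPService.dll"},
    {"event_id": 13, "host": "WS01",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"event_id": 7, "host": "WS01", "image": r"C:\Program Files\SomeApp\app.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Microsoft\HTTPApi\HTTPApi.dll"},
    {"event_id": 3, "host": "WS01", "image": r"C:\Program Files\SomeApp\app.exe",
     "destination_hostname": "api.github.com"},
    {"event_id": 3, "host": "WS01", "image": r"C:\Program Files\Git\cmd\git.exe",
     "destination_hostname": "api.github.com"},
    {"event_id": 3, "host": "WS01", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "destination_hostname": "github.com"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The allowlist check is the noisiest of the three on a developer workstation and the most valuable on a telecommunications operator's back-office hosts, where almost nothing should be calling api.github.com; pairing it with the drop-directory checks keeps the combined signal specific to this campaign rather than to GitHub use in general.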
Despite this design, the C2 infrastructure has a critical flaw – because the PAT is embedded in the binary, anyone who obtains it can authenticate to the repository as the operators do, gaining control of the infected machines and access to sensitive data. This flaw exposes victims to additional risks and underscores the importance of robust email security measures and employee training to combat such advanced threats.
The REF8685 campaign relies on sophisticated social engineering, using compromised internal email accounts to craft convincing phishing lures. Beyond the Iraqi telecommunications sector, the attackers have also targeted other entities in the region, including an international airport in the United Arab Emirates.
Elastic Security Labs has released YARA rules to aid detection of SHELBY variants. The malware shows signs of ongoing development and already supports dynamic payload loading, so future updates may fix its current weaknesses and extend its functionality.
This campaign serves as a stark reminder of the evolving tactics employed by threat actors and the critical need for continuous monitoring of network activities, employee training, and robust email security measures to defend against such advanced persistent threats. It underscores the importance of staying vigilant and proactive in the face of ever-evolving cyber threats.
