Cyber Security News

SHELBY Malware Steals Data by Abusing GitHub as Command-and-Control Server

Elastic Security Labs has uncovered a sophisticated malware campaign, dubbed REF8685, targeting the Iraqi telecommunications sector.

The campaign utilizes a novel malware family called SHELBY, which abuses GitHub for command-and-control (C2) operations, data exfiltration, and command retrieval.

Novel Malware Family Targets Iraqi Telecommunications Sector

The SHELBY malware family consists of two main components: SHELBYLOADER and SHELBYC2.


SHELBYLOADER & SHELBYC2 Execution Chain

The attack chain begins with a phishing email containing a malicious attachment (details.zip) that, when executed, installs several files in the %AppData%\Local\Microsoft\HTTPApi directory.

These files include HTTPApi.dll (SHELBYC2) and HTTPService.dll (SHELBYLOADER).

SHELBYLOADER employs various sandbox detection techniques to evade analysis, including WMI queries, process enumeration, file system checks, and disk size analysis.

Once executed, it establishes persistence by adding an entry to the Windows Registry and generates a unique identifier for the infected machine based on system-specific information.

Innovative C2 Infrastructure Leverages GitHub API

The malware’s C2 infrastructure is built around GitHub’s API, using a private repository and a Personal Access Token (PAT) embedded within the binary.

This allows the malware to authenticate and perform actions on the repository without using standard Git tools.
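As an added detection example (not code from the article or from Elastic Security Labs), the Python below triages constructed Sysmon-style JSON events for the two observables described above: files written to, or processes running from, the HTTPApi drop directory, and a process outside an assumed developer-tool allowlist contacting api.github.com. The allowlist, the event field names and the sample image paths are assumptions.

```python
import json

# Assumed allowlist of tooling that legitimately talks to api.github.com; tune per environment.
ALLOWED_GITHUB_CLIENTS = {"git.exe", "gh.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Path fragment of the drop directory the article names (%AppData%\Local\Microsoft\HTTPApi).
DROP_DIR_MARKER = "\\microsoft\\httpapi\\"
# The two files the article reports in that directory (SHELBYC2 and SHELBYLOADER).
DROPPED_FILES = {"httpapi.dll", "httpservice.dll"}

def basename(win_path):
    """Last component of a Windows path, lower-cased for comparison."""
    return win_path.rsplit("\\", 1)[-1].lower()

def in_drop_dir(win_path):
    return DROP_DIR_MARKER in win_path.lower()

def triage_event(ev):
    """Return alert strings for one Sysmon-style event dict (empty when nothing matched)."""
    alerts = []
    image = ev.get("Image", "")
    if in_drop_dir(image):
        alerts.append(f"process running from SHELBY drop dir: {image}")
    target = ev.get("TargetFilename", "")
    if target and (in_drop_dir(target) or basename(target) in DROPPED_FILES):
        alerts.append(f"SHELBY file written: {target} by {image}")
    host = ev.get("DestinationHostname", "").lower()
    if host == "api.github.com" and basename(image) not in ALLOWED_GITHUB_CLIENTS:
        alerts.append(f"non-developer process contacting GitHub API: {image}")
    return alerts

def triage(lines):
    """Parse one JSON event per line; return (EventID, alert) pairs in input order."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        findings.extend((ev.get("EventID"), msg) for msg in triage_event(ev))
    return findings

# Constructed sample events (field names follow Sysmon's network-connect and file-create events;
# host.exe and dropper.exe are placeholders, the article does not name the host process).
SAMPLE_EVENTS = [
    r'{"EventID": 3, "Image": "C:\\Program Files\\Git\\cmd\\git.exe", "DestinationHostname": "api.github.com"}',
    r'{"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\HTTPApi\\HTTPService.dll"}',
    r'{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\HTTPApi\\host.exe", "DestinationHostname": "api.github.com"}',
    r'{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "update.microsoft.com"}',
]

if __name__ == "__main__":
    for event_id, alert in triage(SAMPLE_EVENTS):
        print(event_id, alert)
```

The GitHub-API rule is deliberately broad; in a real fleet, pair it with the process's signer or parent to keep developer hosts from flooding the queue.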

SHELBYC2, the backdoor component, is loaded into memory using reflection after being decrypted with an AES key derived from a file downloaded from the C2 server.

It supports various commands, including file download, upload, and the ability to reflectively load additional .NET binaries.

PowerShell execution command

While innovative, the C2 design has a critical flaw: anyone with access to the PAT can potentially control infected machines or access sensitive data, exposing victims to additional risks.

The REF8685 campaign demonstrates sophisticated social engineering tactics, leveraging compromised internal email accounts to craft highly convincing phishing lures.

The attackers have also targeted other entities in the region, including an international airport in the United Arab Emirates.

Elastic Security Labs has released YARA rules to help detect SHELBY malware variants.

As the malware shows signs of ongoing development, including unused code and dynamic payload loading capabilities, future updates may address current vulnerabilities and expand its functionality.

This campaign highlights the evolving tactics of threat actors and the importance of robust email security, employee training, and continuous monitoring of network activities to defend against such advanced persistent threats.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
