
The Shelby Strategy

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

The SHELBY malware family abuses GitHub for command-and-control operations and employs sophisticated techniques to evade detection. The malware consists of a loader (SHELBYLOADER) and a backdoor (SHELBYC2), both obfuscated using Obfuscar. SHELBYLOADER employs various sandbox detection methods and uses GitHub for initial registration and key retrieval. SHELBYC2 communicates with the attacker's infrastructure through the GitHub API, which allows file uploads, downloads, and command execution. The campaign targets Iraqi telecommunications and potentially UAE airports, using highly targeted phishing emails. Despite its sophistication, the malware's design has a critical flaw: anyone with the embedded Personal Access Token can control infected machines, exposing a significant security vulnerability.

OPENCTI LABELS:

phishing, c2, obfuscation, github, telecommunications, iraq, uae, shelbyloader, shelby, sandbox-detection, shelbyc2

