- Elastic Security Labs recently reported of Shellter Elite being abused
- Someone leaked a license, allowing threat actors to abuse the pentesting tool
- Shellter Project released a patch to address the incidents
A popular commercial pentesting tool was being abused for months in malware delivery campaigns, thanks to a reckless, or possibly even malicious, customer.
Security researchers from Elastic Security Labs found threat actors abusing Shellter Elite, the premium version of SHELLTER, to deploy infostealers and bypass modern antivirus and EDR defenses.
“Elastic Security Labs is observing multiple campaigns that appear to be leveraging the commercial AV/EDR evasion framework, SHELLTER, to load malware,” the researchers said in their report.
“Reckless and unprofessional”
Shellter was originally designed for ethical red team operations, to be used for penetration testing. To obtain a copy, a company must reach out to Shellter and purchase a license. One of the clients seems to have leaked a copy of Shellter Elite v11.0, which was later picked up by malicious actors and abused in the wild.
This was subsequently confirmed by the Shellter Project, the tool’s vendor, who also slammed Elastic for keeping the knowledge about abuse a secret.
“Elastic Security Labs chose to act in a manner we consider both reckless and unprofessional. They were aware of the issue for several months but failed to notify us. Instead of collaborating to mitigate the threat, they opted to withhold the information in order to publish a surprise exposé—prioritizing publicity over public safety,” the vendor said.
Once the cat was out of the bag, Shellter Project was able to do two key things: identify the (potentially) malicious company that leaked the tool and release a patch that would prevent future abuse. They also said a patch was in the pipeline already, and that they were lucky not to have released it sooner.
“Due to this lack of communication, it was sheer luck that the implicated customer did not gain access to our upcoming release. Had we not postponed the launch for unrelated personal reasons, they would have received a new version with enhanced runtime evasion capabilities—even against Elastic’s own detection mechanisms.”
The newest Elite version 11.1 will only be distributed to vetted customers, excluding the leaker.
Via BleepingComputer
