Full Report
Shellter Project, the vendor of a commercial AV/EDR evasion loader for penetration testing, confirmed that hackers used its Shellter Elite product in attacks after a customer leaked a copy of the software. [...]
Analysis Summary
# Tool/Technique: Shellter Elite
## Overview
Shellter is a red team tool used to obfuscate and modify legitimate executables, primarily for evading security controls. Its leaked versions are being abused by threat actors to deploy malware, specifically information stealers.
## Technical Details
- Type: Tool (Red Team/Malicious Payload Obfuscator)
- Platform: Windows (Implied, as it modifies executables)
- Capabilities: Obfuscation and modification of legitimate executables so that they carry a secondary payload. Version V11.0 is the leaked build that was misused; V11.1 is the subsequent release.
- First Seen: Not explicitly stated for the initial tool, but misuse related to the leaked V11.0 occurred prior to the reporting date.
## MITRE ATT&CK Mapping
Since Shellter is an evasion/modification tool, the mappings below relate to its *use* in deploying malware:
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
## Functionality
### Core Capabilities
- Modifying legitimate Windows executables to include malicious components (payloads).
- Used by threat actors to deploy information stealers, either at initial access or in the post-exploitation phase.
### Advanced Features
- Obfuscation techniques effective enough to bypass traditional security measures (prior to specific security updates).
- The leaked version (V11.0) was used to craft adversarial payloads.
- New version (Elite v11.1) is distributed only to vetted customers.
## Indicators of Compromise
*Note: No specific IoCs for the payloads deployed using Shellter are detailed in the context; only that infostealers were deployed.*
- File Hashes: [N/A in context]
- File Names: [N/A in context, depends on the abused executable]
- Registry Keys: [N/A in context]
- Network Indicators: [N/A in context, depends on the deployed infostealer]
- Behavioral Indicators: [Payloads crafted using this tool carry secondary malware like infostealers]
## Associated Threat Actors
- Unknown threat actors abusing the leaked version of Shellter Elite V11.0.
## Detection Methods
- Elastic Security Labs developed detections specific to payloads created using **Shellter Elite v11.0**.
- Detection relies on identifying artifacts related to payloads created by this specific version.
## Mitigation Strategies
- Use security products updated to detect payloads generated by Shellter Elite v11.0.
- Developers of Shellter are moving to stricter distribution controls (v11.1 only to vetted customers).
## Related Tools/Techniques
- Information Stealers (the secondary payloads deployed).
- Other tools utilized for code obfuscation or payload delivery.
---
**Note on Contention:** The article highlights a dispute between Elastic Security Labs and Shellter regarding the timeline and communication around the sharing of samples used for detection development. Shellter emphasizes collaboration over "surprise exposés."