- Elastic Security Labs recently reported that Shellter Elite was abused
- Someone leaked a license, which allowed threat actors to abuse the pentesting tool
- The Shellter Project released a patch in response
A popular commercial pentesting tool was abused for months in malware delivery campaigns thanks to a reckless or possibly even malicious customer.
Security researchers from Elastic Security Labs found threat actors abusing Shellter Elite, the premium version of Shellter, to deploy infostealers and bypass modern antivirus and EDR defenses.
“Elastic Security Labs is observing several campaigns that appear to leverage the commercial AV/EDR evasion framework, Shellter, to load malware,” the researchers said in their report.
“Ruthless and unprofessional”
Shellter was originally designed for ethical red team operations and penetration tests. To get a copy, a company must contact the Shellter Project and buy a license. One of those customers appears to have leaked a copy of Shellter Elite v11.0, which was later picked up by malicious actors and abused in the wild.
This was subsequently confirmed by the Shellter Project, the tool’s vendor, which also criticized Elastic for keeping its knowledge of the abuse secret.
“Elastic Security Labs chose to act in a way we consider both ruthless and unprofessional. They were aware of the issue for months, but failed to notify us. Instead of working to mitigate the threat, they chose to withhold the information to publish a surprise exposure – prioritizing publicity over public security,” the vendor said.
Once the cat was out of the bag, the Shellter Project was able to do two important things: identify the (potentially) malicious customer that leaked the tool, and release a patch to prevent future abuse. It also said that a patch was already in the pipeline and that it was lucky not to have released it earlier.
“Due to this lack of communication, it was pure luck that the customer involved did not have access to our upcoming release. If we had not postponed the launch for unrelated personal reasons, they would have received a new version with improved run-time evasion features – even against Elastic’s own detection mechanisms.”
The latest Elite version, 11.1, will only be distributed to vetted customers, excluding the one responsible for the leak.
Via BleepingComputer