Shelter project, a seller of a commercial AV/EDR stolen loader for penetration testing confirmed that hackers used their shelter elite product in attacks after a customer leaked a copy of the software.
The misconduct has been for several months and even though security researchers caught the activity in the wild, the shelter did not get a notification.
The seller underlined that this is the first known incident of misuse as it introduced its strict licensing model in February 2023.
Shelter said in a statement, “We came to know that a company that recently bought Shelter Elite License, had leaked its copy of software.”
“This violation was exploited to the malicious actors for harmful purposes, including delivery of infostealer malware.”
An update, which will not reach the “malicious customer”, has been released to address the issue.
Shelter Elite misbehaved in the wild
Shelter Elite is a commercial AV/EDR stolen loader used by security professionals (red teams and entry testers), which validly deploys EDR devices during security engagement to deploy payloads within the payload.
The product has static theft through polymorphism, and AMSI, ETW, Anti-Debug/VM check, call stack and module untoward avoidance, and dynamic runtime theft through decoy execution.
One in Report On July 3, Elastic Security Labs revealed that several danger actor Shelter Elite is misusing V11.0, which includes Radamantis, Lumma and Archclant 2 to deploy infosellers.
Elastic researchers determined the activity starting at least from April and the distribution method depended on YouTube comments and fishing emails.
Based on the unique license timestamps, the researchers envisaged that the actor was using a single leaked copy, which was later officially confirmed by Shelter.
Elastic has developed detections for V11.0-based samples, so the payloads prepared with that version of the shelter elite are now detected.
Shelter released the Elite version 11.1, which would only distribute it to the customers who leaked the previous version.
The seller called the lack of communication “careless and unprofessional” elastic, which was not telling them about their conclusions earlier.
“They knew about the issue for several months, but failed to inform us. Instead of cooperating to reduce the danger, they opted for withdrawing information to publish a stunning exposure – promoting public safety promotion” – – – – – – Shelter
However, the elastic gave the shelter a good sample to identify the derogatory customer.
The company apologized to its “loyal customers” and again confirmed that it does not cooperate with the cyber criminal, eager to cooperate with law enforcement when needed.
While cloud attacks can be more sophisticated, the attackers still succeed with surprisingly simple techniques.
Drawing by the detection of Vij in thousands of organizations, this report reveals the 8 major techniques used by Claude-Floid danger actors.
