Red Team Tool Developer Shellter Admits ‘Misuse’ by Adversaries

July 8, 2025
The developers behind a popular AV/EDR evasion tool have confirmed it is being used by malicious actors in the wild, while slamming a security vendor for failing to responsibly disclose the threat.

Shellter is used by professional red teams and pen testers to evade security tools while probing their clients’ attack surface.

However, like Cobalt Strike and other commercial tools of this sort, it is highly prized by threat actors.

Elastic Security Labs reported last week that a copy of Shellter Elite had been abused in this way, in attacks designed to deploy infostealers.

“Despite our rigorous vetting process – which has successfully prevented such incidents since the launch of Shellter Pro Plus in February 2023 – we now find ourselves addressing this unfortunate situation,” the Shellter Project confirmed in a blog post responding to the Elastic research.

However, while thanking the search and cybersecurity company for providing samples to confirm the identity of the erring customer, Shellter also took aim at perceived “shortcomings” in how Elastic disclosed the incident.

“Elastic Security Labs chose to act in a manner we consider both reckless and unprofessional,” Shellter argued.

“They were aware of the issue for several months but failed to notify us. Instead of collaborating to mitigate the threat, they opted to withhold the information in order to publish a surprise exposé – prioritizing publicity over public safety.”

The Shellter Project claimed that this lack of disclosure meant that it almost unwittingly sent the malicious customer a new version of the product with enhanced runtime evasion capabilities. It said that the update was fortunately delayed for “unrelated personal reasons,” meaning the customer will never receive it.

“Ultimately, this situation highlights a troubling disconnect between Red Team and Blue Team research communities. Elastic chose spectacle over responsible disclosure, putting both their customers and the broader public at risk,” it claimed.

“While it’s true that we distribute this software, we do so through a rigorous vetting process. Had we been aware of any malicious use, we would have taken immediate action.”

Law enforcement agencies have also been stepping in to keep pen testing tools out of the hands of threat actors.

Cobalt Strike developer Fortra said earlier this year that the long-running Operation Morpheus, led by the UK’s National Crime Agency (NCA), had helped to drive an 80% reduction in the number of copies observed in the wild.

Infosecurity has reached out to Elastic for further comment and will update this story accordingly.
