New Malware Loaders Hijack and SHELBBY Utilize Advanced Evasion Tactics


Cybersecurity threats continue to evolve, with new malware loaders like Hijack and SHELBBY employing sophisticated techniques such as call stack spoofing and leveraging GitHub for command-and-control (C2) operations. These loaders are designed to bypass traditional security measures, making detection and mitigation more challenging for organizations.

You Should Know:

1. Call Stack Spoofing

Call stack spoofing manipulates the return addresses on a thread's call stack so that security tools which walk the stack to analyze execution flow see a plausible chain of legitimate frames instead of the real one. Attackers use this to hide malicious activity within legitimate processes.

Detection Command (Linux):

sudo strace -p <PID> -s 999 -e trace=all

Windows Detection (PowerShell):

Get-Process | Where-Object { $_.Modules.ModuleName -match "malicious.dll" }
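The two commands above show what a process is doing, not whether its stack is genuine. The script below is an added example (not code from the article) of two defender-side checks a memory-forensics or EDR analyst applies to a captured call stack: every return address must be backed by a loaded module, and the bytes just before it must decode as a CALL instruction, since only a CALL creates a real frame. The module map, memory bytes and frames are constructed sample data; the x86-64 CALL encodings checked are the common ones, not an exhaustive decoder.

```python
"""Sanity-check a captured thread call stack for signs of spoofing.

Added example (not code from the article). Two defender-side heuristics:
  1. every return address must lie inside a loaded module (no unbacked memory);
  2. the bytes immediately before a return address must decode as a CALL,
     because a genuine frame is only ever created by a CALL instruction.
The module map, memory contents and frames below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


class Memory:
    """Read-only view over constructed memory regions keyed by base address."""

    def __init__(self, regions: Dict[int, bytes]) -> None:
        self.regions = regions

    def read(self, addr: int, n: int) -> Optional[bytes]:
        for base, data in self.regions.items():
            if base <= addr and addr + n <= base + len(data):
                return data[addr - base: addr - base + n]
        return None  # unmapped, or the window straddles a region boundary


def module_for(addr: int, modules: List[Module]) -> Optional[Module]:
    return next((m for m in modules if m.contains(addr)), None)


def preceded_by_call(mem: Memory, ret_addr: int) -> bool:
    """True if the bytes just before ret_addr are a CALL in a common x86-64 encoding."""
    encodings = (
        (5, lambda b: b[0] == 0xE8),                                            # call rel32
        (2, lambda b: b[0] == 0xFF and 0xD0 <= b[1] <= 0xD7),                   # call reg
        (3, lambda b: b[:2] == b"\x41\xFF" and 0xD0 <= b[2] <= 0xD7),           # call r8-r15
        (6, lambda b: b[:2] == b"\xFF\x15"),                                    # call [rip+disp32]
        (3, lambda b: b[0] == 0xFF and 0x50 <= b[1] <= 0x57 and b[1] != 0x54),  # call [reg+disp8]
    )
    for length, is_call in encodings:
        window = mem.read(ret_addr - length, length)
        if window is not None and is_call(window):
            return True
    return False


def audit_stack(frames: List[int], modules: List[Module], mem: Memory) -> List[Tuple[int, int, str]]:
    """Return (frame index, return address, reason) for every frame that fails a check."""
    findings = []
    for idx, ret in enumerate(frames):
        mod = module_for(ret, modules)
        if mod is None:
            findings.append((idx, ret, "return address not backed by any loaded module"))
        elif not preceded_by_call(mem, ret):
            findings.append((idx, ret, f"no CALL precedes return address inside {mod.name}"))
    return findings


# --- constructed sample: three modules, a few code bytes, one thread's frames ---
MODULES = [
    Module("loader.exe", 0x0040_0000, 0x0001_0000),
    Module("kernel32.dll", 0x7FF8_1000_0000, 0x0020_0000),
    Module("ntdll.dll", 0x7FF8_1200_0000, 0x0020_0000),
]
MEM = Memory({
    0x0040_1000: b"\x48\x83\xEC\x28" + b"\xE8\x10\x00\x00\x00" + b"\x48\x83\xC4\x28\xC3",  # sub rsp; call; add rsp; ret
    0x7FF8_1000_1000: b"\x90" * 16,                                                      # padding, no CALL anywhere
    0x7FF8_1200_1000: b"\xFF\x15\x00\x10\x00\x00" + b"\xC3" * 10,                        # call [rip+0x1000]; ret ...
})
# Return addresses as a stack walker reports them (the top-of-stack RIP is not a return address).
SAMPLE_FRAMES = [
    0x0040_1009,            # right after the CALL in loader.exe: legitimate
    0x7FF8_1000_1008,       # inside kernel32 but preceded by NOPs: forged frame
    0x0000_0160_0000_1234,  # private memory with no module behind it: unbacked
    0x7FF8_1200_1006,       # right after call [rip+disp32] in ntdll: legitimate
]

if __name__ == "__main__":
    for idx, ret, reason in audit_stack(SAMPLE_FRAMES, MODULES, MEM):
        print(f"frame {idx} @ {ret:#018x}: {reason}")
```

Run stand-alone it reports frames 1 and 2 of the sample. In practice the frames come from a Volatility thread scan or an ETW stack trace and the memory reads from the same snapshot; the second heuristic is the stronger of the two, because a forged frame can easily point into a real module but cannot retroactively place a CALL in front of its return address.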

2. GitHub Abuse for C2

Attackers are increasingly using GitHub repositories to host malicious payloads or as a communication channel.

Monitor Suspicious GitHub Activity:

curl -s https://api.github.com/repos/<user>/<repo>/contents | grep -iE "payload|malware"

Block Malicious Domains via Hosts File (Linux/Windows):

echo "0.0.0.0 <malicious_domain>" | sudo tee -a /etc/hosts

A hosts entry maps a hostname only; it cannot carry a path such as a repository name, so this blocks an entire domain rather than one repository on github.com. On Windows the equivalent file is C:\Windows\System32\drivers\etc\hosts.
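The grep above only searches the raw JSON text. As an added example (not code from the article), the script below parses the same contents API response and flags each file by extension, name and size, which is what an analyst actually triages. The listing is a constructed sample shaped like the API's response (name, path, sha, size, type, download_url) with placeholder SHA values and an invented example-user/example-repo; the keyword and extension lists are tuning assumptions.

```python
"""Triage a GitHub "contents" API listing for files that warrant a closer look.

Added example (not code from the article). Parsing the JSON, rather than grepping
it, lets each file's name, extension and size be checked individually.
The listing below is a constructed sample shaped like the API's response;
the SHA values and the example-user/example-repo names are placeholders.
"""
import json
import sys
from typing import Dict, List

# Extensions that rarely belong in a source repository and are common for staged payloads (assumption).
SUSPICIOUS_EXT = {".exe", ".dll", ".scr", ".bin", ".ps1", ".vbs", ".hta", ".zip", ".7z", ".iso", ".img"}
SUSPICIOUS_WORDS = ("payload", "malware", "loader", "shellcode", "dropper", "stage")


def triage_listing(listing_json: str, size_limit: int = 1_000_000) -> List[Dict[str, str]]:
    """Return one finding per file entry that trips at least one heuristic."""
    findings = []
    for entry in json.loads(listing_json):
        if entry.get("type") != "file":  # directories and symlinks need their own listing call
            continue
        name = entry.get("name", "")
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        reasons = []
        if ext in SUSPICIOUS_EXT:
            reasons.append(f"extension {ext}")
        if any(word in lower for word in SUSPICIOUS_WORDS):
            reasons.append("keyword in file name")
        if entry.get("size", 0) > size_limit:
            reasons.append(f"large blob ({entry['size']} bytes)")
        if reasons:
            findings.append({
                "path": entry.get("path", name),
                "sha": entry.get("sha", ""),
                "url": entry.get("download_url") or "",
                "reasons": "; ".join(reasons),
            })
    return findings


# Constructed sample response; SHAs are placeholders, not real object ids.
SAMPLE_LISTING = json.dumps([
    {"name": "README.md", "path": "README.md", "sha": "a" * 40, "size": 1204, "type": "file",
     "download_url": "https://raw.githubusercontent.com/example-user/example-repo/main/README.md"},
    {"name": "src", "path": "src", "sha": "b" * 40, "size": 0, "type": "dir", "download_url": None},
    {"name": "stage2.bin", "path": "stage2.bin", "sha": "c" * 40, "size": 245760, "type": "file",
     "download_url": "https://raw.githubusercontent.com/example-user/example-repo/main/stage2.bin"},
    {"name": "update_payload.txt", "path": "update_payload.txt", "sha": "d" * 40, "size": 512, "type": "file",
     "download_url": "https://raw.githubusercontent.com/example-user/example-repo/main/update_payload.txt"},
    {"name": "banner.png", "path": "assets/banner.png", "sha": "e" * 40, "size": 5_242_880, "type": "file",
     "download_url": "https://raw.githubusercontent.com/example-user/example-repo/main/assets/banner.png"},
])

if __name__ == "__main__":
    # Pipe the output of the curl command above into this script, or run it on the sample.
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    for finding in triage_listing(data.strip() or SAMPLE_LISTING):
        print(f"{finding['path']}: {finding['reasons']}")
```

On the sample it reports stage2.bin (extension and keyword), update_payload.txt (keyword) and the oversized banner.png. Unauthenticated calls to api.github.com are rate-limited, so for repeated monitoring pass a token in the Authorization header of the curl request.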

3. Analyzing Malware Loaders

Use YARA rules to detect Hijack/SHELBBY signatures:

rule SHELBBY_Loader {
    meta:
        description = "Detects SHELBBY loader"
    strings:
        $opcode = { 6A 40 68 00 30 00 00 6A 14 8D 91 }
    condition:
        $opcode
}

Scan with ClamAV:

clamscan -r --bell -i /path/to/suspicious/files

4. Mitigation Steps

  • Enable strict API monitoring for GitHub-related processes.
  • Use Sysmon for advanced Windows logging:
    sysmon -accepteula -i sysmonconfig.xml
  • Deploy network-level blocking for known malicious IPs:
    sudo iptables -A INPUT -s <malicious_IP> -j DROP

What Undercode Says

The rise of Hijack and SHELBBY highlights the need for behavior-based detection over signature-based methods. Security teams should:
– Monitor process hollowing (common in loaders):

ps -ef | grep -i "unusual_process"

– Inspect memory artifacts with Volatility (Linux/Windows):

volatility -f memory.dump --profile=Win10x64 pslist

– Implement strict egress filtering to block unauthorized GitHub connections.
– Use ELK Stack for centralized log analysis.
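The Sysmon logging step in section 4 and the egress-filtering point above meet in one detection: which processes talk to GitHub, and are they the ones expected to? The script below is an added example (not code from the article) that walks Sysmon Event ID 3 (NetworkConnect) records and flags GitHub connections from any image not on an allowlist. It assumes the events were exported one per line as tab-separated key=value fields using Sysmon's own field names (Image, DestinationHostname, DestinationPort); the five events and the allowlist are constructed, site-specific assumptions.

```python
"""Flag processes that reach GitHub endpoints without being expected GitHub clients.

Added example (not code from the article). It assumes Sysmon Event ID 3
(NetworkConnect) records exported one per line with tab-separated key=value
fields; the five lines below are constructed samples and the allowlist is a
site-specific assumption to tune.
"""
from typing import Dict, List, Set, Tuple

GITHUB_DOMAINS = ("github.com", "githubusercontent.com")
# Binaries a developer workstation is expected to use for GitHub traffic (assumption).
ALLOWED_IMAGES = {"git.exe", "git-remote-https.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

SAMPLE_EVENTS = "\n".join([
    "EventID=3\tImage=C:\\Program Files\\Git\\mingw64\\bin\\git-remote-https.exe\tDestinationHostname=github.com\tDestinationPort=443\tUser=CORP\\alice",
    "EventID=3\tImage=C:\\Windows\\System32\\rundll32.exe\tDestinationHostname=api.github.com\tDestinationPort=443\tUser=CORP\\alice",
    "EventID=1\tImage=C:\\Windows\\System32\\rundll32.exe\tCommandLine=rundll32.exe shell32.dll,Control_RunDLL\tUser=CORP\\alice",
    "EventID=3\tImage=C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe\tDestinationHostname=raw.githubusercontent.com\tDestinationPort=443\tUser=CORP\\alice",
    "EventID=3\tImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\tDestinationHostname=example.com\tDestinationPort=443\tUser=CORP\\alice",
])


def parse_event(line: str) -> Dict[str, str]:
    """Split one exported event into a field dict; values may themselves contain '='."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        if key:
            fields[key] = value
    return fields


def is_github_host(host: str) -> bool:
    """Exact match or a subdomain of a GitHub-owned domain (api., raw., codeload., ...)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GITHUB_DOMAINS)


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_github_egress(events: str, allowed: Set[str] = ALLOWED_IMAGES) -> List[Tuple[str, str]]:
    """Return (image path, destination host) for every NetworkConnect to GitHub
    made by a process whose file name is not on the allowlist."""
    flagged = []
    for line in events.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "3":          # only NetworkConnect events carry a destination
            continue
        host = ev.get("DestinationHostname", "")
        if not is_github_host(host):
            continue
        image = ev.get("Image", "")
        if basename(image) not in allowed:
            flagged.append((image, host))
    return flagged


if __name__ == "__main__":
    for image, host in flag_github_egress(SAMPLE_EVENTS):
        print(f"unexpected GitHub egress: {image} -> {host}")
```

On the sample it flags rundll32.exe reaching api.github.com and a Temp-directory binary pulling from raw.githubusercontent.com, while the git helper and the browser pass. Keying the allowlist on a file name alone is deliberately simple; in production pair it with the full Image path or the binary's signature, and feed the flagged pairs to the egress filter so that the block is applied before the next connection rather than after it.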

Expected Output:

  • Detection of spoofed call stacks.
  • Blocked C2 communications via GitHub.
  • Identified malicious processes and memory artifacts.

Reference URL: https://ift.tt/FpT2fB6

References:

Reported By: Hendryadrian Malware – Hackers Feeds