Shelma

Category: Malware

Type: Trojan

Platform: Windows

Variants: Win32/Shelma!MTB (a variant flagged by Microsoft's machine learning-based detection system), Trojan/Shelma (a 32-bit variant), Trojan.Win64.Shelma (a 64-bit variant)

Damage potential: Data theft, surveillance, remote device access and control, keylogging, and data exfiltration.

Overview

Shelma is a trojan designed primarily for spying and data theft. It monitors user activity by capturing keystrokes, taking screenshots, and tracking which applications are active, then sends the stolen information to the attacker over email, FTP, or HTTP. Shelma can also tamper with system files and settings, which may cause slower performance, system crashes, and other instability.

In more advanced cases, attackers can fully control a victim's device without their knowledge. Shelma is also hard to spot: it disables security tools, and it checks whether it is running inside a sandbox or virtual machine and withholds its malicious behaviour there, so automated analysis may never see the payload. Most Shelma attacks are profit-driven; cybercriminals use it to steal credit card numbers, online banking credentials, and other sensitive data for financial gain.

Possible symptoms

Possible symptoms of a Shelma infection include:

  • Slow system performance.
  • Sudden system crashes.
  • Changes in settings (this may involve disabled security features).
  • Unexplained outgoing emails or messages.
  • Unusual browser behavior (you might start seeing many pop-up ads).
  • Presence of unknown files (files you didn’t download or install yourself).
  • Increased CPU or memory usage.
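The symptoms above are what a user notices; the following is an added example (PowerShell written for this page, not code from the original) of a read-only triage pass that checks for the same signs on the host itself: disabled Defender features, unknown autorun entries, outbound connections on the email, FTP and HTTP ports the overview names, and CPU-heavy unsigned processes. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender installed; the port list and the ten-process cutoff are assumptions, not part of the page.

```powershell
# Added example, not from the original page. Read-only triage for the symptoms
# listed above. Run in an elevated PowerShell session; nothing here changes state.

# 1. Security tooling status. "Changes in settings (disabled security features)"
#    usually shows up here first.
$status = Get-MpComputerStatus
[PSCustomObject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    AntivirusEnabled   = $status.AntivirusEnabled
    TamperProtected    = $status.IsTamperProtected
    SignatureAge       = (Get-Date) - $status.AntivirusSignatureLastUpdated
} | Format-List

# 2. Autorun entries. Unknown files that survive a reboot are normally launched
#    from one of these Run keys; review any command you do not recognise.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties } |
            ForEach-Object { [PSCustomObject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

# 3. Outbound connections by process. The overview says stolen data leaves over
#    email, FTP or HTTP, so established sessions on these ports (assumed list)
#    from a process you cannot account for deserve a closer look.
$exfilPorts = 21, 25, 80, 443, 465, 587
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemotePort -in $exfilPorts -and $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Process = $proc.ProcessName
            PID     = $_.OwningProcess
            Path    = $proc.Path
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } | Sort-Object Process | Format-Table -AutoSize

# 4. CPU hogs. Keylogging and screenshotting cost cycles; a busy process whose
#    image is unsigned or sits in an odd path is worth checking.
Get-Process |
    Where-Object { $_.Path } |
    Sort-Object CPU -Descending |
    Select-Object -First 10 ProcessName, Id, CPU, Path,
        @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature -FilePath $_.Path).Status } } |
    Format-Table -AutoSize
```

None of this proves an infection on its own; a legitimate backup agent will also hold an HTTPS session and a video encoder will top the CPU list. Treat anything you cannot explain as a lead for the Defender scan described under Shelma removal, and keep the output for reference if you later need professional help.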

Sources of the infection

The sources of infection for Shelma are similar to those of many trojans and can include:

  • Phishing links. If you have clicked on a malicious link or malvertising or opened an unsafe attachment, you may unknowingly download Shelma. This risk also applies to phishing emails, SMS messages, or messaging apps.
  • Drive-by downloads. Users may accidentally download Shelma when they visit a compromised website. 
  • Exploiting cybersecurity vulnerabilities. Shelma may infect a device by exploiting security vulnerabilities in the Windows operating system or in browsers. 
  • Fake updates. Shelma can disguise itself as a legitimate update for your software or browser.
  • Compromised software. You may unknowingly download Shelma by installing software from untrusted sources that contain the malware.
  • Infected documents. Shelma can arrive as a script inside a ZIP archive or embedded in an office document that runs it when opened.
  • Removable drives. Shelma can spread through removable drives via autorun files.

Protection

To protect your device, always install the updates your antivirus or anti-malware app offers, since those updates carry the detections for new Shelma variants. Additionally, consider these measures to safeguard your device and personal information even further:

  • Regularly update your software. Shelma is known to target security vulnerabilities. Keep your software updated to protect your devices from the latest cybersecurity threats. 
  • Download updates and software from trusted sources. Only use official and reliable sources for downloads.
  • Enable multi-factor authentication (MFA). While multi-factor authentication itself can’t prevent a Shelma infection, it can help protect your accounts even if Shelma steals your passwords.
  • Be wary of phishing emails. Shelma can spread via phishing and spam emails. If you get an email that sounds off or urges you to click on a link, act with caution.
  • Stay alert while browsing. Hackers may use malicious ads or create fake websites that look legitimate to spread Shelma and other trojans. Pay close attention to the websites you visit, and be cautious about the links you click on.
  • Use NordVPN’s Threat Protection Pro. Tools like NordVPN’s Threat Protection Pro can block access to known malicious sites, adding an additional layer of protection while browsing online.
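The measures above are largely habits; the following is an added example (PowerShell written for this page, not code from the original or from any product mentioned) of settings that close the delivery paths listed under Sources of the infection: autorun from removable drives, executable content arriving through email or web mail, scripts and documents that launch downloaded executables, and unsigned binaries run from USB. It assumes an elevated session on Windows 10/11 where Microsoft Defender is the active antivirus (attack surface reduction rules only apply in that case); the rule GUIDs are Microsoft's published ASR rule identifiers.

```powershell
# Added example, not from the original page. Hardening for the infection vectors
# listed above. Run elevated, with Microsoft Defender as the active antivirus.

# Removable drives: stop Windows from honouring autorun on any drive type.
# NoDriveTypeAutoRun = 0xFF disables autorun for all drive types.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# Phishing attachments, scripts in ZIPs, infected documents, USB: attack surface
# reduction rules that block those delivery paths. GUIDs are Microsoft's published
# rule IDs. Use -AttackSurfaceReductionRules_Actions AuditMode first if you want
# to see what would be blocked before enforcing.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "Enabled ASR rule $id ($($asrRules[$id]))"
}

# Fake updates and compromised installers: flag potentially unwanted applications,
# and let Defender send suspicious samples to Microsoft so new variants are
# classified sooner. SendSafeSamples never uploads documents that may hold
# personal data; use SendAllSamples only where that is acceptable.
Set-MpPreference -PUAProtection Enabled
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

# Verify what is now in force.
Get-MpPreference |
    Select-Object PUAProtection, MAPSReporting, SubmitSamplesConsent,
        AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun
```

Turning these rules on will occasionally block a legitimate macro-driven workflow, which is why audit mode before enforcement is worth the extra day: the Defender event log (Microsoft-Windows-Windows Defender/Operational, event 1122 for audited ASR hits) shows what would have been stopped.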

Shelma removal

Removing Shelma from a Windows device might seem tricky, but it’s doable with the right tools. Follow this step-by-step guide to ensure you eliminate all traces of the malware:

  1. Open Microsoft Defender, Windows' built-in antivirus software, go to "Virus & threat protection," and select "Full scan." This checks your whole computer for threats, including Shelma.
  2. If Shelma is detected, Microsoft Defender will prompt you to quarantine or remove the infected files. Follow the prompts so the malware is removed completely, and check "Protection history" to confirm the action succeeded.
  3. (Optional) If Defender cannot remove the files while Windows is running normally, restart in safe mode. On Windows 10 and 11, hold Shift while choosing Restart, then go to Troubleshoot > Advanced options > Startup Settings > Restart and press 4 for Safe Mode (the F8 key only works on older Windows versions, or where the legacy boot menu has been re-enabled). Safe mode loads only essential drivers and services, so malware that relies on a startup entry usually isn't running and its files can be removed.
  4. After removing Shelma, run a final full system scan to confirm your computer is clean.
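The same four steps, driven from an elevated PowerShell session with the Defender module that ships with Windows, as an added example (written for this page, not code from the original). It assumes Windows 10/11 with Microsoft Defender as the active antivirus; the safe-mode commands are the optional step 3 and must be undone afterwards or the machine will keep booting into safe mode.

```powershell
# Added example, not from the original page. The removal steps above, scripted
# with the built-in Defender cmdlets. Run elevated.

# Step 1: make sure real-time protection is on (Shelma is described as disabling
# security tools), refresh signatures so current variants are known, then run a
# full scan. Start-MpScan blocks until the scan finishes, which can take a while.
Set-MpPreference -DisableRealtimeMonitoring $false
Update-MpSignature
Start-MpScan -ScanType FullScan

# Step 2: review what was found and let Defender remediate. Detection names for
# this family contain "Shelma" (for example the Win32/Shelma!MTB variant listed
# above). Remove-MpThreat acts on every active detection, not just this one.
$threats = Get-MpThreat
$threats | Select-Object ThreatName, SeverityID, IsActive, Resources | Format-List

$shelma = $threats | Where-Object { $_.ThreatName -match 'Shelma' }
if ($shelma) {
    Remove-MpThreat
    # Confirm the action succeeded per detection event.
    Get-MpThreatDetection |
        Where-Object { $_.ThreatID -in $shelma.ThreatID } |
        Select-Object ThreatID, ProcessName, ActionSuccess, InitialDetectionTime |
        Format-Table -AutoSize
} else {
    Write-Host 'No Shelma detections reported by Defender.'
}

# Step 3 (optional): if remediation failed because the files were in use, boot
# into safe mode, rescan, then clear the safeboot flag. Leaving the flag set
# makes every subsequent boot a safe-mode boot.
#   bcdedit /set {current} safeboot minimal
#   shutdown /r /t 0
#   ... after the safe-mode scan and removal ...
#   bcdedit /deletevalue {current} safeboot
#   shutdown /r /t 0

# Step 4: final full scan and a check that nothing active remains.
Start-MpScan -ScanType FullScan
$remaining = Get-MpThreat | Where-Object { $_.IsActive }
if ($remaining) {
    $remaining | Select-Object ThreatName, Resources | Format-List
    Write-Warning 'Active threats remain; consider professional help.'
} else {
    $s = Get-MpComputerStatus
    Write-Host "Clean. Last full scan finished $($s.FullScanEndTime)."
}
```

If step 2 keeps reporting the same detection after every reboot, the file being quarantined is likely a dropper that a persistence entry reinstalls; the triage pass under Possible symptoms lists the Run keys to inspect for that entry.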

If you're still facing issues, consider seeking professional help to ensure full removal.