Malware researchers at Trend Micro have spotted a new backdoor dubbed
According to the experts, the SLUB backdoor (Backdoor.Win32.SLUB.A) was only used in targeted attacks by sophisticated threat actors.
SLUB is the first piece of malware to actually leverage Slack for C2 communications.
Attackers delivered the malware through watering hole attacks. In the attacks observed by Trend Micro, the watering hole domain was kancc.org, the legitimate website of the Korean American National Coordinating Council. The attackers exploited CVE-2018-8174, a VBScript engine vulnerability that Microsoft patched in May 2018.
The exploit code delivers a DLL file and runs it using PowerShell (the first stage); this first stage then fetches and executes another file containing the actual backdoor.
The first stage code checks for the presence of various antivirus solutions (i.e. Avast, AVG, Bitdefender, Norton, ESTsoft, AhnLab and Qihoo 360) and halts its execution if any of them are found. The downloader also exploits the CVE-2015-1701 Windows flaw to escalate privileges.
Once SLUB is installed on the target system, it checks specific GitHub pages to retrieve commands. When the malware executes commands, the results are posted to a private Slack channel under the control of the attackers. Experts discovered two hardcoded authentication tokens embedded in the malware's code that allow it to post to the Slack channel.
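The security-relevant point in the C2 design above is that both halves of the channel ride on legitimate SaaS domains that most proxies allow, so the tell is not the destination but the process making the request. The following is an added example, not code from the article or from Trend Micro, that hunts for that pattern in endpoint-attributed proxy logs: any process outside an expected set contacting GitHub or Slack, with the highest severity when one process touches both services. The log format, field names, process allowlist and sample lines are all constructed for this demo and would need tuning per environment.

```python
"""
Added example (not from the article or Trend Micro): hunt for the SLUB-style
C2 pattern, commands pulled from GitHub and results posted to Slack, in
endpoint-attributed web proxy logs. Field names, the expected-process list
and the sample log lines are constructed for this demo.
"""
from collections import defaultdict

# Legitimate services the article says SLUB abused for C2, mapped to a label.
C2_HOSTS = {
    "raw.githubusercontent.com": "github",
    "api.github.com": "github",
    "github.com": "github",
    "slack.com": "slack",
    "files.slack.com": "slack",
}

# Processes for which traffic to these hosts is expected (assumption: tune per fleet).
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "slack.exe", "git.exe"}

# Constructed log lines, tab-separated: host, process, destination host, path, method.
SAMPLE_LOGS = """\
ws01\tchrome.exe\tgithub.com\t/trendmicro/research\tGET
ws01\tslack.exe\tslack.com\t/api/rtm.connect\tPOST
ws02\tpowershell.exe\traw.githubusercontent.com\t/example-user/repo/master/cmd.txt\tGET
ws02\tpowershell.exe\tslack.com\t/api/files.upload\tPOST
ws03\tgit.exe\tgithub.com\t/org/repo.git/info/refs\tGET
ws04\tsvchost.exe\tslack.com\t/api/chat.postMessage\tPOST
"""


def parse_line(line):
    """Split one constructed proxy record into a dict; process and host are normalised to lowercase."""
    host, process, dest, path, method = line.rstrip("\n").split("\t")
    return {
        "host": host,
        "process": process.lower(),
        "dest": dest.lower(),
        "path": path,
        "method": method,
    }


def find_suspicious(log_text):
    """Return {endpoint: {process: set(services)}} for unexpected processes reaching GitHub or Slack."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        service = C2_HOSTS.get(rec["dest"])
        # Ignore hosts we do not care about and processes that legitimately use these services.
        if service is None or rec["process"] in EXPECTED_PROCESSES:
            continue
        findings[rec["host"]][rec["process"]].add(service)
    return findings


def score(findings):
    """Rank findings: one unexpected process touching both GitHub and Slack matches the SLUB pattern."""
    alerts = []
    for host, procs in findings.items():
        for proc, services in procs.items():
            severity = "high" if {"github", "slack"} <= services else "medium"
            alerts.append((host, proc, sorted(services), severity))
    return sorted(alerts)


if __name__ == "__main__":
    for host, proc, services, severity in score(find_suspicious(SAMPLE_LOGS)):
        print(f"{severity:6} {host} {proc} -> {', '.join(services)}")
```

On the constructed sample this flags powershell.exe on ws02 as high (it pulls from raw.githubusercontent.com and posts to slack.com, the article's exact command/result split) and svchost.exe on ws04 as medium. The same logic applies to any malware that splits C2 across allowlisted services; the allowlist of expected processes is the part that needs the most care, since a loose one hides the signal and a tight one drowns it in developer and IT traffic.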
“Our technical investigation and analysis of the attacker’s tools, techniques, and procedures (TTP) lead us to think that this threat is actually a stealthy targeted attack run by capable
Trend Micro shared its findings with GitHub and Slack, and both companies have taken action to remove the related files and channels.
SLUB supports several commands, including downloading and uploading files, listing files on the system, creating and removing folders, obtaining system information, taking screenshots, and performing registry operations.
Experts pointed out that the commands supported by the malware show the attackers' strong interest in personal information, with a special focus on communication software.
Experts at Trend Micro did not associate the malware with previously documented threat groups.
Evidence suggests the attackers were interested in targeting South Korean users (based on the watering hole domain); experts also noticed that the attackers appear to be particularly interested in files with the HWP extension, which is associated with a popular Korean word processor.
“Perhaps the most unique aspect of this campaign is that it makes use of three different online services to issue commands, get the results, and retrieve files from compromised hosts,” conclude the experts.
“Our investigation makes us believe with strong confidence that it was part of a possible targeted attack campaign. So far, we have not been able to find related attacks, and have not spotted the custom backdoor elsewhere.”