New SLUB Backdoor Uses Slack, GitHub as Communication Channels

A new backdoor was observed using the Github Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack.

The backdoor dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild is part of a multi-stage infection process designed by capable threat actors who programmed it in C++.

SLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP request, "extracting commands from gist snippets," and "parsing Slack channel communication."

The campaign recently observed by the Trend Micro security researchers abusing the Github and Slack uses a multi-stage infection process.

Windows exploits used to compromise targets in watering hole attacks

SLUB's masters added an exploit for the CVE-2018-8174 remote code execution vulnerability present the Windows VBScript engine and patched in May 2018 to a compromised website, allowing them to drop and launch the first stage in the form of a downloader camouflaged as a DLL file using PowerShell.

In addition, as detailed by Trend Micro in their analysis, "the watering hole chosen by the attackers can be considered interesting for those who follow political activities, which might give a glimpse into the nature of the groups and individuals that the attackers are targeting."

Once launched, the first stage downloader will check for anti-malware solutions on the compromised machine and will automatically exit if it detects any. This is most likely a precautionary measure implemented by the threat actors for future SLUB campaigns seeing that, as noted by Trend Micro, the malware was not detected by anti-malware products.

It will also download and immediately execute the second stage of the infection, the SLUB malware, and it also exploits the CVE-2015-1701 vulnerability in the Windows kernel-mode drivers to gain elevated privileges –uses a modified version of a publicly available exploit for the Win32k LPE vulnerability.

The SLUB backdoor achieves persistence by adding a Run key to the Windows Registry and then will download a Gist snippet where the attackers store the commands they want the malware to execute on compromised computers.

Trend Micro's researchers also noted that, by choosing to use Gist snippets to issues commands to the SLUB backdoor, the attackers effectively gave up on being able to personalize the commands for each specific victim, hinting that the campaign was designed as a data extrusion and collection operation, with no intents of designing a custom abuse process for each of the infected targets.

Whatever results SLUB gets after executing the commands found in the Gist snippet will be exfiltrated to a Slack channel, within a specific workspace.

On the other hand, the malware is also being used to pack up the victim's Desktop folder contents and the local Skype archive –among other data– and uploaded to a File.io cloud storage space controlled by the bad actors behind this malicious campaign.

Trend Micro also said that "Our technical investigation and analysis of the attacker’s tools, techniques, and procedures (TTP) lead us to think that this threat is actually a stealthy targeted attack run by capable actors, and not a typical cybercriminal scheme."

Additionally, "we have not been able to find related attacks, and have not spotted the custom backdoor elsewhere. We have been searching for similar samples and have found none so far, which is a strong indication that the attackers either developed the malware or got it from a private developer who has not publicly leaked it."

 

Following Trend Micro Cyber Safety Solutions Team's report, GitHub disabled the account hosting the Gist snippets utilized to send commands to the SLUB malware, while Slack shut down the workspace used in the attack to exfiltrate the commands' results.

Slack also issued the following statement:

As noted in their post, Trend Micro recently discovered a third party’s unauthorized access of another third party’s computer using malware, and reported to us the existence of a Workspace on Slack related to this effort. We investigated and immediately shut down the single Workspace as a violation of our terms of service, and we confirmed that Slack was not compromised in any way as part of this incident. We are committed to preventing the misuse of our platform and we will take action against anyone who violates our terms of service.

Backdoors allow more and more actors to operate covertly

Backdoors are increasingly popular during 2019, with three instances of such malware being used to target Windows devices by employing old backdoors targeting LinkedIn users and malspam campaigns designed to exploit the recently discovered WinRAR vulnerability.

Bad actors also developed new backdoor Trojans which targets servers running macOS and six different Linux distributions to drop XMRig miners used to surreptitiously mine for Monero (XMR) coins.

Apart from this, a new vulnerability dubbed Cloudborne was discovered in bare metal servers by the Eclypsium Research Team, allowing potential attackers to add backdoor implants in the Baseboard Management Controller firmware.

These malicious implants survive client reassignment in bare metal and as well as general cloud services according to the researchers who discovered the security flaw and its exploitation method, leading to a variety of attack scenarios.