Security researchers at Trend Micro have discovered a new malware strain that uses GitHub posts and Slack channels for command and control. Dubbed Slub by the researchers, the malware is delivered by exploiting a VBScript engine vulnerability tracked as CVE-2018-8174 (patched by Microsoft last year).
The attackers compromised legitimate websites and redirected their visitors to a page hosting the exploit. On a vulnerable machine, the exploit downloads a malicious DLL and runs it through PowerShell; that stage then downloads a second executable, which installs the final payload, a backdoor.
In their report, the Trend Micro researchers explain that the malware scans the infected device for installed anti-virus programs and, if it finds any, exits immediately. The report adds that, at the time of writing, the backdoor itself was not being detected by anti-virus products.
The malware can extract valuable data from compromised devices, mainly Windows PCs. The researchers state that the name Slub comes from the two services, Slack and GitHub, that the malware uses to obtain instructions from the attackers and to exfiltrate data from infected computers.
The malware was identified last month on a compromised watering hole website frequented by people of interest to attackers, such as chip designers, whose processor blueprints could be a target for theft. The operators behind Slub injected malicious code into the site's pages in order to hijack the machines that visited them. Users who had not installed the Windows update for CVE-2018-8174 and visited the compromised page(s) could have been infected by Slub.
The backdoor gives the attackers covert access to the device for sending commands. Once established on a machine, it returns to GitHub and reads its list of commands from a Gist post. The commands include instructing the malware to collect hardware and system information, capture screenshots, and upload the results to a Slack workspace controlled by the attacker.
Other commands in the list upload files from the infected device through the file.io sharing site, download and run additional software, and execute arbitrary commands. In effect, the Slack workspace becomes the backdoor's command-and-control conduit, something the researchers say they had not observed before: Slack has not been used in this way until now, according to researchers Cedric Pernet, Daniel Lunghi, Jaromir Horejsi, and Joseph Chen.
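The command-and-control pattern described above (tasking fetched from a Gist, results posted to Slack, files moved through file.io) leaves a recognizable trace in endpoint network telemetry: a process that is neither a browser nor a Slack client contacting several of those services in quick succession. The script below is an added example written for this article, not code from the Trend Micro report. It runs over constructed Sysmon-style network events (timestamp, host, process image, destination hostname) and flags hosts where such a process reached at least two of the three service roles within a short window. The service hostnames in C2_SERVICES, the list of benign process images, the window length, and the log lines themselves are all assumptions chosen for illustration.

```python
"""Hunt for Slub-style C2 traffic in constructed endpoint network events.

Added example, not from the Trend Micro report. Hostnames, process names,
window size and every log line below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Public services the report says Slub abuses, grouped by the role they play.
# Hostnames are assumptions about which endpoints such traffic would reach.
C2_SERVICES = {
    "gist.github.com": "tasking",
    "gist.githubusercontent.com": "tasking",
    "api.slack.com": "exfiltration",
    "files.slack.com": "exfiltration",
    "file.io": "file upload",
}

# Processes that legitimately reach those services on a workstation (assumption).
BENIGN_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "slack.exe"}

# Constructed Sysmon-style network events: time|host|process image|destination.
# WS-17 is normal user activity, WS-42 mimics the Slub pattern, WS-08 touches two
# services but hours apart, which the window should not correlate.
SAMPLE_LOG = """\
2019-02-20T09:01:03|WS-17|chrome.exe|gist.github.com
2019-02-20T09:01:10|WS-17|slack.exe|api.slack.com
2019-02-20T10:14:22|WS-42|powershell.exe|gist.github.com
2019-02-20T10:14:25|WS-42|powershell.exe|api.slack.com
2019-02-20T10:16:40|WS-42|powershell.exe|file.io
2019-02-20T11:30:00|WS-08|svchost.exe|file.io
2019-02-20T15:45:00|WS-08|svchost.exe|gist.github.com
"""


def parse(log_text):
    """Turn pipe-separated event lines into (timestamp, host, image, dest) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, image, dest = line.split("|")
        events.append((datetime.fromisoformat(ts), host, image.lower(), dest.lower()))
    return events


def find_suspects(events, window_minutes=30, min_roles=2):
    """Return {host: sorted list of C2 roles} for every host where a non-benign
    process contacted at least `min_roles` distinct roles within `window_minutes`.

    Only the first qualifying window per host is reported; the roles listed are
    those seen inside that window.
    """
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for ts, host, image, dest in events:
        role = C2_SERVICES.get(dest)
        if role and image not in BENIGN_IMAGES:
            per_host[host].append((ts, role, image))

    suspects = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            # Slide a window starting at each hit and collect the roles inside it.
            roles = {r for t, r, _ in hits[i:] if t - t0 <= window}
            if len(roles) >= min_roles:
                suspects[host] = sorted(roles)
                break
    return suspects


if __name__ == "__main__":
    for host, roles in find_suspects(parse(SAMPLE_LOG)).items():
        print(f"{host}: non-browser process reached {', '.join(roles)} within 30 min")
```

With the default 30-minute window only WS-42 is reported, because its PowerShell process hit all three roles within about two minutes; WS-08 is not, since its two contacts are more than four hours apart. Widening the window (for example to six hours) pulls WS-08 in as well, which is the trade-off to tune against baseline traffic in a real environment.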
“The watering hole chosen by the attackers can be considered interesting for those who follow political activities, which might give a glimpse into the nature of the groups and individuals that the attackers are targeting,” said researchers.
“The attackers also appear to be professionals, based on their way of handling their attack. They only use public third-party services, and therefore did not need to register any domains or anything else that could leave a trail. The few email addresses we found during the investigation were also using trash email systems, giving the attackers a clean footprint,” the researchers added.