
Trend Micro researchers say they have found new malware that uses Slack channels, GitHub, and file.io to steal data from Windows PCs. The malware, called Slub, is delivered through a ‘watering hole’ attack, in which attackers compromise a website that the target group is likely to visit.

The website in question, which has not been named, would be of interest to people involved in “political activities,” says Trend Micro. The campaign is believed to have started at the end of February, according to ZDNet.

Infiltrate

The website redirected each visitor once to a malicious site that exploited CVE-2018-8174, a remote code execution vulnerability in the VBScript engine that can be triggered via Internet Explorer. Microsoft patched the vulnerability in May 2018; Windows systems without that patch may be infected with Slub.

On an infected machine, the initial malware downloads a second set of files containing Slub, which then checks for antivirus software. If antivirus is present, the malware simply exits. For now, the malware appears to have stayed under the radar of many antivirus products.

The malware also exploits an older Windows bug, CVE-2015-1705, a vulnerability attackers have used because it allows escaping a Windows application sandbox.

Operation

Once a machine is fully compromised, the backdoor retrieves its commands from a ‘gist’ snippet on GitHub and sends them on to a private Slack channel controlled by the attacker.

The infected machine also uploads files to file.io, a file-sharing website, from which the attacker collects the stolen files. The Slub attackers have a “strong interest in person-related information, with a special focus on communication software,” according to Trend Micro researchers.

The backdoor also has commands to compress and exfiltrate the target’s desktop directory. In addition, it creates a file listing the file tree of the user’s desktop, and searches for offline data stored by Skype and for information about the user’s activity on Twitter, KakaoTalk and BBS. Finally, it copies all .hpp files, an extension used by a Korean word processing application.
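
A defender-side hunting heuristic based on the command-and-control pattern described above, added here as an example and not part of the original article or of Trend Micro's research: it scans proxy-style log lines and flags workstations on which a non-browser process contacts two or more of the three services (Slack, GitHub, file.io), or pushes an unusually large upload to file.io. The log format, the hostnames, the process allow-list and the thresholds are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict

# Hostnames are assumptions: the article names the services (Slack, GitHub,
# file.io) but not the exact endpoints the backdoor contacts.
C2_SERVICES = {
    "slack": ("slack.com",),
    "github": ("github.com", "githubusercontent.com"),
    "fileio": ("file.io",),
}

# Browsers and the Slack client legitimately reach these services, so the
# heuristic only counts other processes (assumed allow-list).
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "slack.exe"}

# Constructed sample log: "<timestamp> <workstation> <process> <destination host> <bytes out>"
SAMPLE_LOG = [
    "2019-03-07T09:58:10Z ws01 chrome.exe slack.com 2400",
    "2019-03-07T10:00:01Z ws01 updater.exe gist.github.com 800",
    "2019-03-07T10:00:05Z ws01 updater.exe slack.com 1200",
    "2019-03-07T10:02:30Z ws01 updater.exe file.io 2500000",
    "2019-03-07T10:03:00Z ws02 chrome.exe github.com 5100",
    "2019-03-07T10:03:15Z ws02 outlook.exe mail.example.com 90000",
    "2019-03-07T10:05:00Z ws03 backup.exe file.io 5000000",
    "2019-03-07T10:06:00Z ws04 notepad.exe gist.github.com 300",
    "malformed line",
]


def classify_host(hostname):
    """Map a destination hostname to one of the three services, or None."""
    host = hostname.lower().rstrip(".")
    for label, suffixes in C2_SERVICES.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return label
    return None


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, src, proc, dest, bytes_out = parts
    return {"ts": ts, "src": src, "proc": proc, "dest": dest, "bytes_out": int(bytes_out)}


def find_suspicious_hosts(lines, min_services=2, upload_threshold=1_000_000):
    """Return {workstation: {"processes": [...], "reasons": [...]}} for hosts that
    match the Slub-style pattern. Both thresholds are assumptions to tune locally."""
    per_host = defaultdict(lambda: {"services": set(), "procs": set(), "fileio_bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify_host(rec["dest"])
        # Ignore traffic to unrelated hosts and traffic from processes expected to use these services.
        if label is None or rec["proc"].lower() in BROWSER_PROCESSES:
            continue
        entry = per_host[rec["src"]]
        entry["services"].add(label)
        entry["procs"].add(rec["proc"])
        if label == "fileio":
            entry["fileio_bytes"] += rec["bytes_out"]

    findings = {}
    for src, entry in sorted(per_host.items()):
        reasons = []
        if len(entry["services"]) >= min_services:
            reasons.append("non-browser process reaches %d C2-style services: %s"
                           % (len(entry["services"]), ", ".join(sorted(entry["services"]))))
        if entry["fileio_bytes"] >= upload_threshold:
            reasons.append("large upload to file.io: %d bytes" % entry["fileio_bytes"])
        if reasons:
            findings[src] = {"processes": sorted(entry["procs"]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for host, info in find_suspicious_hosts(SAMPLE_LOG).items():
        print(host, info["processes"])
        for reason in info["reasons"]:
            print("  -", reason)
```

On the constructed log, ws01 is flagged on both criteria (a non-browser process reaching all three services and a multi-megabyte upload to file.io), ws03 only for its upload, and the single gist fetch from ws04 is ignored. In practice the allow-list and thresholds need tuning per environment, since developer tooling also talks to GitHub and many organisations use Slack legitimately; the point of combining the three services is to narrow the hunt to the unusual combination.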

Measures

Trend Micro says it informed the Canadian Centre for Cyber Security, which worked with the owner of the watering-hole website to remove the redirect to the malware. Slack has shut down the workspace used by the attacker for violating its terms of service, and GitHub has removed the files from its service.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.