Guess who's addicted to GitHub, busy on Slack, stuck in 2015? No, not another hipster: It's the Slub backdoor malware

Panic, flee, cry – or just update Windows for fsck's sake

The GitHub mascot at GitHub Universe

A new malware strain tapped into GitHub posts and Slack channels to siphon precious data from infected Windows PCs, it is claimed.

Researchers at Trend Micro have dubbed the malware "Slub", a mash-up of the names of the two services the software nasty apparently used to obtain instructions from its masterminds and exfiltrate information from hijacked computers.

Trend's virus-hunters said they spotted at the end of last month Slub lurking on a compromised "watering hole," which is a website frequented by the sort of people you want to hack: if you wanted to pwn chip designers' workstations to steal their processor blueprints, for example, you'd hijack popular forums discussing semiconductor industry gossip.

As such a watering hole for folks interested in political activities – Trend didn't want to say further than that – was hacked by Slub's masters. The miscreants laced the webpages with malicious code to ultimately infect any vulnerable machines that visited with the malware. Windows boxes opening up a booby-trapped page in Internet Explorer were subjected to an exploit for CVE-2018-8174, a remote-code execution flaw in VBScript that was patched in May last year by Microsoft.

Those who did not install the Windows update for CVE-2018-8174, and visited the site, may have been infected with Slub, we're told. The exploit code fetched a tool that downloaded and ran the main Slub entity. If an antivirus package was detected on the computer, the malware refused to go any further. Along the way, the downloader exploited CVE-2015-1701, an elevation-of-privilege bug in the Windows kernel, patched in 2015 by Microsoft, that allowed Slub to completely take over the PC.

From there, a backdoor would be opened which allowed miscreants to covertly access, and send commands to, the machine. Here is where Slack came in, according to Trend. Once the malware established itself on a box, it went back to GitHub to obtain a list of commands stashed in a Gist post. Those instructions told the spyware to do things like capture screenshots, and gather hardware and system information, and then upload this swag to a Slack workspace controlled by the attacker. The commands could also tell the nasty to upload files from the infected PC, via the file.io sharing site, execute commands, fetch and run other software, and so on.

Hacker image

Psst, hackers. Just go for the known vulnerabilities

READ MORE

In short, GitHub list went in, Slack messages came out. The spyware then received further instructions, executed them, and reported back, via private channels in the Slack workspace, turning the instant-chat service effectively into a backdoor conduit. Trend said this is the first time it has ever seen Slack used in such a fashion. The miscreants relied on free services – GitHub, Slack and file.io – to operate, leaving no payment traces.

"The commands that the attackers ran clearly show a strong interest in person-related information, with a special focus on communication software, in an attempt to learn more about the people behind the computers they infected," said Trend researchers Cedric Pernet, Daniel Lunghi, Jaromir Horejsi, and Joseph Chen on Thursday.

"The attackers also appear to be professionals, based on their way of handling their attack. They only use public third party services, and therefore did not need to register any domains or anything else that could leave a trail. The few email addresses we found during the investigation were also using trash email systems, giving the attackers a clean footprint.

"Finally, the watering hole chosen by the attackers can be considered interesting for those who follow political activities, which might give a glimpse into the nature of the groups and individuals that the attackers are targeting."

Due to the nature of the watering hole attack, and the use of Slack and GitHub in its operations, the Trend crew therefore believes Slub is part of a sophisticated, targeted campaign with a specific set of victims in mind.

"Our technical investigation and analysis of the attacker’s tools, techniques, and procedures (TTP) lead us to think that this threat is actually a stealthy targeted attack run by capable actors, and not a typical cybercriminal scheme," they wrote.

More technical details, including the Gist snippets and location, are in the afore-linked blog post. The primary Gist has been taken down, after Trend reported it to GitHub, and Slack has shut down the workspace.

"Trend Micro recently discovered a third party’s unauthorized access of another third party’s computer using malware, and reported to us the existence of a Workspace on Slack related to this effort," Team Slack said in a statement.

"We investigated and immediately shut down the single Workspace as a violation of our terms of service, and we confirmed that Slack was not compromised in any way as part of this incident. We are committed to preventing the misuse of our platform and we will take action against anyone who violates our terms of service."

Users and admins can protect themselves against the particular strain of malware by taking basic precautions including keeping their machines up to date with patches – remember, this spying nasty exploits holes addressed in 2015 and mid-2018 by Microsoft – and running a trusted antivirus package. ®

Sponsored: Beyond the Data Frontier




Biting the hand that feeds IT © 1998–2019