Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Iran-Linked APT Abuses Slack in Attacks on Asian Airline

The Iran-linked advanced persistent threat (APT) actor MuddyWater was observed deploying a backdoor that abuses Slack on the network of an Asian airline, IBM Security X-Force reports.

The Iran-linked advanced persistent threat (APT) actor MuddyWater was observed deploying a backdoor that abuses Slack on the network of an Asian airline, IBM Security X-Force reports.

Also referred to as MERCURY, Seedworm, Static Kitten, and ITG17, the hacking group is mainly focused on targets in the Middle East and other parts of Asia.

IBM X-Force discovered that MuddyWater managed to compromise the unnamed Asian airline’s network in October 2019, with the observed activity continuing in 2021 as well.

The adversary deployed a PowerShell backdoor called Aclip, which leverages a Slack messaging API for command and control (C&C) operations, including communication and data transmission, IBM’s security researchers note.

Given that in many instances multiple Iranian hacking groups gained access to the same victim’s environment, IBM X-Force notes that other adversaries might have been involved in this operation as well, especially with Iranian state-sponsored threat actors targeting the airline industry – mainly for surveillance purposes – for at least half a decade.

In the observed incident, a Windows Registry Run key was used to persistently execute a batch script that in turn runs a script file (the Aclip backdoor) using PowerShell. The malware, which receives commands via attacker-created Slack channels, can take screenshots, gather system information, and exfiltrate files.

By using Slack for communication purposes, the adversary ensures that the malicious traffic blends in with normal network traffic. The collaboration application has been abused for similar purposes by other malware families as well.

After being notified of the malicious activity, Slack launched an investigation into the matter and took down the reported Slack workspaces.

Advertisement. Scroll to continue reading.

“We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service,” Slack said.

Based on custom tools that were used in the attack, TTP overlaps, employed infrastructure, and MuddyWater’s previous targeting of the transportation sector, IBM’s researchers are confident that the threat actor is behind the activity.

Related: Iranian APT Targets Middle East Telecoms Operators in Espionage Campaign

Related: ‘WIRTE’ Attacks Targeting Middle Eastern Governments Linked to Hamas Cyberspies

Related: Apparent Iran-Linked Hackers Breach Israeli Internet Firm

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights