The Iran-linked advanced persistent threat (APT) actor MuddyWater was observed deploying a backdoor that abuses Slack on the network of an Asian airline, IBM Security X-Force reports.
Also referred to as MERCURY, Seedworm, Static Kitten, and ITG17, the hacking group is mainly focused on targets in the Middle East and other parts of Asia.
IBM X-Force discovered that MuddyWater managed to compromise the unnamed Asian airline’s network in October 2019, with the observed activity continuing in 2021 as well.
The adversary deployed a PowerShell backdoor called Aclip, which leverages a Slack messaging API for command and control (C&C) operations, including communication and data transmission, IBM’s security researchers note.
Given that in many instances multiple Iranian hacking groups gained access to the same victim’s environment, IBM X-Force notes that other adversaries might have been involved in this operation as well, especially with Iranian state-sponsored threat actors targeting the airline industry – mainly for surveillance purposes – for at least half a decade.
In the observed incident, a Windows Registry Run key was used to persistently execute a batch script that in turn runs a script file (the Aclip backdoor) using PowerShell. The malware, which receives commands via attacker-created Slack channels, can take screenshots, gather system information, and exfiltrate files.
By using Slack for communication purposes, the adversary ensures that the malicious traffic blends in with normal network traffic. The collaboration application has been abused for similar purposes by other malware families as well.
After being notified of the malicious activity, Slack launched an investigation into the matter and took down the reported Slack workspaces.
“We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service,” Slack said.
Based on custom tools that were used in the attack, TTP overlaps, employed infrastructure, and MuddyWater’s previous targeting of the transportation sector, IBM’s researchers are confident that the threat actor is behind the activity.
Related: Iranian APT Targets Middle East Telecoms Operators in Espionage Campaign
Related: ‘WIRTE’ Attacks Targeting Middle Eastern Governments Linked to Hamas Cyberspies
Related: Apparent Iran-Linked Hackers Breach Israeli Internet Firm