The threat actor behind the SLUB backdoor has started abusing a recently patched Internet Explorer vulnerability for distribution purposes, Trend Micro’s security researchers reveal.
To distribute the malware, its operators have been using a watering hole website that targets CVE-2018-8174, a remote code execution vulnerability in the Windows VBScript engine. The distribution method itself has not changed, but the attackers have added an exploit for CVE-2019-0752, a scripting engine memory corruption vulnerability in Internet Explorer that Microsoft patched in April 2019.
“Coincidence or not, both websites that have delivered the SLUB malware are supportive of the North Korean government,” Trend Micro notes.
Initially detailed in March this year, SLUB stood out for its use of GitHub and Slack for command and control (C&C) communication. Since then, its operators appear to have dropped GitHub and moved to Slack alone.
The threat now relies heavily on two free Slack workspaces for its communication. Slack is a collaborative messaging system in which users create channels, much like rooms on Internet Relay Chat (IRC).
According to Trend Micro, Slack has been informed of the abuse of its workspaces for SLUB communication and has already shut them down.
During the infection stage, a SLUB loader is delivered to vulnerable systems. The infection chain resembles that of the earlier iteration, but it uses different techniques to evade antivirus heuristics and machine learning detection.
PowerShell handles delivery and Rundll32 is used to invoke a malicious DLL whose export symbols follow the Windows naming convention, one of them reusing the name of a genuine Windows API function so that the call looks legitimate. Depending on the system architecture, either CVE-2019-0808 (on x86) or CVE-2019-0803 (on x64), both Win32k elevation of privilege vulnerabilities, is exploited for privilege escalation.
The loader also checks the architecture of the system to decide which version of the SLUB malware to download and execute.
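As an added illustration written for this page (not code from the Trend Micro report), the following Python sketch flags process-creation events that match the loader chain described above: PowerShell launching rundll32.exe against a DLL that lives outside the Windows and Program Files directories, with an entry point named after a real Windows API function. The Sysmon-style events, the trusted-directory list and the small API-name set are constructed assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (Event ID 1). These are
# illustrative records written for this example, not data from the report.
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,GetSystemTime"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",OpenAs_RunDLL notes.txt'},
]

# Directories from which rundll32 normally loads its targets (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Tiny illustrative set of real Win32 API names; a production rule would use
# the export tables of the genuine system DLLs instead.
WIN32_API_NAMES = {"GetSystemTime", "CreateFileW", "VirtualAlloc", "LoadLibraryW"}

# rundll32[.exe] <dll path>,<entry point> [arguments]
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\w+)', re.I)


def parse_rundll32(command_line):
    """Return (dll_path, entry_point), or None if this is not a rundll32 call."""
    m = RUNDLL_RE.search(command_line)
    return (m.group(1), m.group(2)) if m else None


def evaluate(event):
    """Return the list of reasons this event resembles the loader chain."""
    if PureWindowsPath(event["Image"]).name.lower() != "rundll32.exe":
        return []
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return []
    dll_path, entry = parsed
    reasons = []

    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if parent in ("powershell.exe", "pwsh.exe"):
        reasons.append("rundll32 spawned by PowerShell")

    path = PureWindowsPath(dll_path)
    # Bare names such as shell32.dll resolve through the normal search order;
    # the example treats them as trusted to stay conservative.
    trusted = (not path.is_absolute()) or str(path).lower().startswith(TRUSTED_PREFIXES)
    if not trusted:
        reasons.append("DLL loaded from a user-writable location")
        if entry in WIN32_API_NAMES:
            reasons.append("entry point reuses a genuine Windows API name")
    return reasons


def suspicious(events, min_reasons=2):
    """Indices of events that accumulate at least min_reasons indicators."""
    return [i for i, ev in enumerate(events) if len(evaluate(ev)) >= min_reasons]


if __name__ == "__main__":
    for i in suspicious(EVENTS):
        print(f"event {i}: {EVENTS[i]['CommandLine']}")
        for reason in evaluate(EVENTS[i]):
            print("  -", reason)
```

Only the first event trips the rule: the second is an ordinary Control Panel launch and the third, although started from PowerShell, loads a DLL from System32. Requiring two indicators keeps a lone PowerShell parent from paging anyone.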
“All the exploits, loaders, and SLUB malware were directly hosted on watering hole websites,” Trend Micro reveals.
Once a system is infected, it joins the attacker's Slack workspace, where a separate channel named <user_name>-<pc_name> is created for it. All C&C communication, including command delivery, takes place over these Slack channels.
The malware binary also includes two hardcoded Slack tokens, used to query the Slack API for metadata such as team info, the user list and the channel list. The attacker's workspace has been active since at least the end of May, and one of its users had their time zone set to Korea Standard Time, Trend Micro explains.
To send a command to an infected machine, the operator posts a message to the corresponding channel and pins it. The victim machine reads the pinned message, executes the command and, if it was instructed to take a screenshot, uploads the image to Slack and posts the link to the file.
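As an added example written for this page (not tooling from Trend Micro), the following Python sketch turns the channel usage described above into a detection run over a constructed web-proxy log: a process that is not a Slack client or browser talks to the Slack Web API, enumerates the workspace (team.info, users.list, conversations.list), polls pins.list at a fixed interval to pick up pinned commands, and calls files.upload to return results. The method names are real Slack Web API methods; that the implant uses exactly these calls is our assumption, and the log lines and process names are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy log excerpt (not from the report), one request per line:
# "<iso-timestamp> <host> <process> <method> <url>"
PROXY_LOG = """\
2019-06-03T10:00:01Z WS-17 svchost.exe GET https://www.microsoft.com/
2019-06-03T10:00:05Z WS-17 updater.exe POST https://slack.com/api/team.info
2019-06-03T10:00:06Z WS-17 updater.exe POST https://slack.com/api/users.list
2019-06-03T10:00:06Z WS-17 updater.exe POST https://slack.com/api/conversations.list
2019-06-03T10:00:07Z WS-17 updater.exe POST https://slack.com/api/conversations.create
2019-06-03T10:01:07Z WS-17 updater.exe POST https://slack.com/api/pins.list
2019-06-03T10:02:07Z WS-17 updater.exe POST https://slack.com/api/pins.list
2019-06-03T10:03:07Z WS-17 updater.exe POST https://slack.com/api/pins.list
2019-06-03T10:03:09Z WS-17 updater.exe POST https://slack.com/api/files.upload
2019-06-03T10:03:10Z WS-17 updater.exe POST https://slack.com/api/chat.postMessage
2019-06-03T10:00:30Z WS-04 slack.exe POST https://slack.com/api/conversations.list
2019-06-03T10:00:31Z WS-04 slack.exe POST https://slack.com/api/users.list
2019-06-03T10:02:40Z WS-04 slack.exe POST https://slack.com/api/chat.postMessage
2019-06-03T10:05:00Z WS-04 slack.exe POST https://slack.com/api/pins.list
"""

# Only lines that hit the Slack Web API are of interest.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) "
    r"https://slack\.com/api/(?P<api>[\w.]+)"
)
# Processes expected to talk to Slack on a workstation (assumption).
KNOWN_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Workspace metadata calls matching what the report says the tokens are used for.
ENUM_METHODS = {"team.info", "users.list", "conversations.list", "channels.list"}


def parse(log_text):
    """Group Slack API calls as (timestamp, method) per (host, process)."""
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Slack API request
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_actor[(m["host"], m["proc"])].append((ts, m["api"]))
    return by_actor


def is_regular_polling(times, min_calls=3, jitter_s=5):
    """True when at least min_calls requests are spaced at a near-constant interval."""
    if len(times) < min_calls:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return max(gaps) - min(gaps) <= jitter_s


def assess(log_text):
    """Return, per (host, process), the list of C2-like indicators observed."""
    findings = {}
    for actor, calls in parse(log_text).items():
        apis = {api for _, api in calls}
        pin_times = [ts for ts, api in calls if api == "pins.list"]
        reasons = []
        if actor[1].lower() not in KNOWN_SLACK_CLIENTS:
            reasons.append("Slack API used by a non-client process")
        if len(apis & ENUM_METHODS) >= 3:
            reasons.append("workspace metadata enumeration")
        if is_regular_polling(pin_times):
            reasons.append("regular pins.list polling (pinned-command pickup)")
        if "files.upload" in apis:
            reasons.append("file upload (result exfiltration)")
        findings[actor] = reasons
    return findings


def alerts(log_text, threshold=3):
    """(host, process) pairs with at least `threshold` indicators."""
    return sorted(actor for actor, r in assess(log_text).items() if len(r) >= threshold)


if __name__ == "__main__":
    for actor in alerts(PROXY_LOG):
        print(actor, assess(PROXY_LOG)[actor])
```

The legitimate slack.exe session on WS-04 also lists users and channels and reads pins once, so no single call is a useful signature; it is the combination of an unexpected process, the enumeration burst and the clockwork pins.list polling that separates the implant from a human user.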
“Once again, this attack shows a professional level when it comes to the OpSec deployed. The constant use of online services like Slack, cock.li, and pen.io makes it harder to track this threat actor,” Trend Micro notes.
The malware has not spread widely, which has so far helped it stay discreet. This also suggests that it is used only against specific individuals who visit that particular watering hole website.