SLUB Backdoor Spreads via Newly Patched Vulnerability

The threat actor behind the SLUB backdoor has started abusing a recently patched Internet Explorer vulnerability for distribution purposes, Trend Micro’s security researchers reveal.

To distribute the malware, its operators have been using a single watering hole website that exploits CVE-2018-8174, a vulnerability in the VBScript engine. The watering hole approach itself is unchanged, but the attackers have added a second exploit to their portfolio, for CVE-2019-0752, an Internet Explorer scripting engine vulnerability that Microsoft patched in April 2019.

“Coincidence or not, both websites that have delivered the SLUB malware are supportive of the North Korean government,” Trend Micro notes.

Initially detailed in March 2019, SLUB stood out because of its use of GitHub and Slack for command and control (C&C) communication. The backdoor's operators have since updated it to use Slack only.

The threat now heavily relies on Slack via two free workspaces for communication purposes. A collaborative messaging system, Slack lets users create channels, similar to the Internet relay chat (IRC) system.

According to Trend Micro, Slack has been informed of the abuse of these workspaces for SLUB communication and has already taken action to shut them down.

During the infection stage, a SLUB loader is delivered to vulnerable systems. The infection chain is similar to that of previous malware iterations, but different techniques are used to bypass antivirus heuristics and machine learning algorithms.


PowerShell is used for delivery, and Rundll32 is used to invoke a malicious DLL. The DLL's export symbols follow the Windows naming convention and reuse the name of an actual Windows API function, so that the call blends in with legitimate activity. Depending on the architecture of the system, either CVE-2019-0808 (on x86) or CVE-2019-0803 (on x64) is then exploited for privilege escalation.

The loader also checks the architecture of the system to decide which version of the SLUB malware to download and execute.
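The delivery chain above (PowerShell spawning Rundll32 with a DLL whose export name mimics a Windows API) is a pattern a detection engineer can hunt for in process-creation telemetry. The following is an added example written for this page, not Trend Micro's code or anything recovered from the loader. The events are constructed to resemble Sysmon process-creation records (Image, ParentImage, CommandLine fields); the list of API-like export names is a small sample chosen for the example, and the two-signal alert threshold is an assumption a real deployment would tune.

```python
import ntpath
import re

# Sysmon-style process-creation events, constructed for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\upd.dll",CreateFileW'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\Downloads\setup.dll,#1"},
]

# Real Windows API names. A DLL loaded from a user-writable path that exports one of these
# is the blend-in trick described in the article. Sample set for the example, not exhaustive.
API_LIKE_EXPORTS = {"CreateFileW", "GetProcAddress", "LoadLibraryW", "VirtualAlloc",
                    "WriteProcessMemory", "CreateRemoteThread", "RegOpenKeyExW"}

# rundll32 syntax: rundll32[.exe] <dll>,<export or #ordinal>; the DLL path may be quoted.
# Unquoted paths containing spaces are not handled, which is a known limitation.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,\s*([^\s,]+)', re.IGNORECASE)


def parse_rundll32(cmdline):
    """Return (dll_path, export) from a rundll32 command line, or None if it does not parse."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1).strip(), m.group(2)) if m else None


def analyze(event):
    """Score one process-creation event; return a finding dict or None."""
    if ntpath.basename(event["Image"]).lower() != "rundll32.exe":
        return None
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return None
    dll, export = parsed
    parent = ntpath.basename(event["ParentImage"]).lower()
    reasons = []
    if parent in ("powershell.exe", "pwsh.exe"):
        reasons.append("spawned by PowerShell")
    if not dll.lower().startswith("c:\\windows\\"):
        reasons.append("DLL outside the Windows directory")
    if export in API_LIKE_EXPORTS:
        reasons.append("export name collides with a Windows API name")
    if len(reasons) < 2:  # a single weak signal is too noisy to alert on (assumed threshold)
        return None
    return {"dll": dll, "export": export, "parent": parent, "reasons": reasons}


def hunt(events):
    """Run analyze() over a batch of events and keep only the findings."""
    return [f for f in (analyze(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Only the second event trips the rule: the benign shell32.dll control-panel call has no signals, and the Downloads-folder DLL launched from cmd.exe has just one, which keeps it below the threshold. The point of matching the export name against real API names is that the name alone is not reassuring; the combination with a user-writable DLL path and a PowerShell parent is what separates this loader from legitimate rundll32 use.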

“All the exploits, loaders, and SLUB malware were directly hosted on watering hole websites,” Trend Micro reveals.

Once a system is infected, it joins the attacker's Slack workspace, where a separate channel named <user_name>-<pc_name> is created for it. C&C communication, including command delivery, is performed exclusively through these Slack channels.

The malware binary also includes two hardcoded Slack tokens, which are used to query the Slack API for metadata such as team info, the user list, and the channel list. The attacker's workspace has been active since at least the end of May, and one of its users had their time zone set to Korea Standard Time, Trend Micro explains.

To send commands to an infected machine, the operator posts and pins a message to the corresponding channel. The victim machine then reads the command, executes it, and, if it was instructed to take a screenshot, responds by uploading the screenshot and sharing the link to the file.
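The exchange just described (one channel per victim, a pinned message as the command queue, a posted link as the reply) is easier to reason about as working code. The following is an added example written for this page, not SLUB's or Trend Micro's code. It runs entirely offline against a small in-memory stand-in for a Slack workspace; the stand-in's method names mirror real Slack Web API methods (conversations.create, chat.postMessage, pins.add, pins.list, files.upload), but their behaviour here is a constructed approximation, the user and host names are made up, and "command execution" is a harmless placeholder that touches nothing on the host.

```python
import itertools


class FakeSlack:
    """In-memory stand-in for the few Slack Web API calls this loop needs (constructed for
    the example; real responses are richer and authenticated with the workspace token)."""

    def __init__(self):
        self.channels = {}          # channel id -> {"name": str, "messages": [dict]}
        self._ts = itertools.count(1)
        self.uploads = []

    def conversations_create(self, name):
        cid = f"C{len(self.channels) + 1:04d}"
        self.channels[cid] = {"name": name, "messages": []}
        return cid

    def chat_post_message(self, channel, text):
        ts = f"{next(self._ts)}.000000"   # Slack identifies messages by their timestamp
        self.channels[channel]["messages"].append({"ts": ts, "text": text, "pinned": False})
        return ts

    def pins_add(self, channel, ts):
        for msg in self.channels[channel]["messages"]:
            if msg["ts"] == ts:
                msg["pinned"] = True

    def pins_list(self, channel):
        return [m for m in self.channels[channel]["messages"] if m["pinned"]]

    def files_upload(self, channel, filename):
        url = f"https://files.example.invalid/{channel}/{filename}"  # constructed link
        self.uploads.append((channel, filename))
        return url


def operator_task(slack, channel, command):
    """Operator side: post the command, then pin it so the implant treats it as tasking."""
    ts = slack.chat_post_message(channel, command)
    slack.pins_add(channel, ts)
    return ts


class Implant:
    """Victim side: one channel named <user_name>-<pc_name>, polled for pinned messages."""

    def __init__(self, slack, user_name, pc_name):
        self.slack = slack
        self.channel = slack.conversations_create(f"{user_name}-{pc_name}")
        self.done = set()   # timestamps already handled, so a pin is not executed twice

    def poll(self):
        results = []
        for msg in self.slack.pins_list(self.channel):
            if msg["ts"] in self.done:
                continue
            self.done.add(msg["ts"])
            results.append(self.run(msg["text"]))
        return results

    def run(self, command):
        # Harmless stand-ins: nothing is executed on the host in this example.
        if command == "screenshot":
            link = self.slack.files_upload(self.channel, "screen.png")
            self.slack.chat_post_message(self.channel, f"screenshot uploaded: {link}")
            return ("screenshot", link)
        self.slack.chat_post_message(self.channel, f"executed: {command}")
        return ("exec", command)


def run_exchange():
    """Drive one operator/implant exchange; return channel name, both poll results, transcript."""
    slack = FakeSlack()
    bot = Implant(slack, "alice", "DESKTOP-01")          # made-up victim identity
    operator_task(slack, bot.channel, "whoami")
    operator_task(slack, bot.channel, "screenshot")
    slack.chat_post_message(bot.channel, "operator note, not pinned")  # unpinned text is ignored
    first = bot.poll()
    second = bot.poll()                                  # nothing new: handled pins are skipped
    transcript = [m["text"] for m in slack.channels[bot.channel]["messages"]]
    return slack.channels[bot.channel]["name"], first, second, transcript


if __name__ == "__main__":
    print(run_exchange())
```

Two details carry over to real investigations of this kind of C&C: pinning is what turns an ordinary message into tasking, so unpinned chatter in the channel is not a command, and the implant must remember which pins it has already acted on, since a pinned message stays visible on every poll. Both are visible in the channel transcript the function returns.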

“Once again, this attack shows a professional level when it comes to the OpSec deployed. The constant use of online services like Slack,, and makes it harder to track this threat actor,” Trend Micro notes.

The malware has not spread widely, which has so far allowed it to remain discreet. This also suggests that it is being used only against specific individuals who visit that particular watering hole website.

Related: Slack, GitHub Abused by New SLUB Backdoor in Targeted Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
