New SLUB Backdoor Uses Slack, GitHub as Communication Channels

silversurfer

A new backdoor was observed using the GitHub Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack.

The backdoor, dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild, is part of a multi-stage infection process designed by capable threat actors who programmed it in C++.

SLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP requests, "extracting commands from gist snippets," and "parsing Slack channel communication."

The campaign recently observed by the Trend Micro security researchers abusing GitHub and Slack uses a multi-stage infection process.

Windows exploits used to compromise targets in watering hole attacks

SLUB's masters added an exploit for the CVE-2018-8174 remote code execution vulnerability present in the Windows VBScript engine and patched in May 2018 to a compromised website, allowing them to drop and launch the first stage, a downloader camouflaged as a DLL file, using PowerShell.

In addition, as detailed by Trend Micro in their analysis, "the watering hole chosen by the attackers can be considered interesting for those who follow political activities, which might give a glimpse into the nature of the groups and individuals that the attackers are targeting."

SLUB Infection Chain (image)

Once launched, the first stage downloader will check for anti-malware solutions on the compromised machine and will automatically exit if it detects any. This is most likely a precautionary measure implemented by the threat actors for future SLUB campaigns seeing that, as noted by Trend Micro, the malware was not detected by anti-malware products.

It will also download and immediately execute the second stage of the infection, the SLUB malware, and it also exploits the CVE-2015-1701 vulnerability in the Windows kernel-mode drivers to gain elevated privileges, using a modified version of a publicly available exploit for the Win32k LPE vulnerability.


Andy Ful

Another example of a sophisticated and dangerous attack that can be easily prevented in the home environment by simply blocking script interpreters (PowerShell in this case). But this attack is even more sophisticated because the malware was created to be undetected by good AVs, so most home users are protected by the fact that they have a good AV installed.

Vasudev

Does it affect recently pulled repos? I just pulled some in the day before yesterday! I used Linux.
Do you recommend disabling PowerShell?
EDIT: I just disabled PowerShell but I think .ps1 scripts will still run no matter what I do!

Andy Ful

Does it affect recently pulled repos?
...
Did you mean Linux repositories? If so, then do not worry. This malware can attack Windows, not Linux.
EDIT: I just disabled PowerShell but I think .ps1 scripts will still run no matter what I do!
Most attacks are performed with Windows built-in PowerShell, and they will fail if you disable PowerShell (also via .ps1 scripts). How did you disable PowerShell?

Vasudev

Did you mean Linux repositories? If so, then do not worry. This malware can attack Windows, not Linux.

Most attacks are performed with Windows built-in PowerShell, and they will fail if you disable PowerShell (also via .ps1 scripts). How did you disable PowerShell?
Not Linux repos! I just pulled some updated info from Chef Koch's Windows regtweaks to be applied on my machine with 19H1.
In Programs & Features in the Control Panel. You need to go to Apps & Features in the Settings app and it will switch over to the Control Panel, where you can disable PowerShell 2.0 Core or the entire PS. I felt PowerShell replaced the cmd prompt for good, but it's an attack vector for stealth attacks.

Andy Ful

Not Linux repos! I just pulled some updated info from Chef Koch's Windows regtweaks to be applied on my machine with 19H1.
In Programs & Features in the Control Panel. You need to go to Apps & Features in the Settings app and it will switch over to the Control Panel, where you can disable PowerShell 2.0 Core or the entire PS. I felt PowerShell replaced the cmd prompt for good, but it's an attack vector for stealth attacks.
Up to Windows 10 ver. 1809 this did not disable PowerShell - only the very old version 2.0 is disabled, so PowerShell is fully functional. You wrote "Powershell 2.0 Core or entire PS" - are there two different options in Windows ver. 1903 (there is only one in ver. 1809)?
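Andy Ful's point in this post (and his earlier advice about blocking script interpreters) can be checked from an elevated PowerShell session: removing the "Windows PowerShell 2.0" optional feature takes away only the legacy engine, and the current engine stays fully usable unless something else restricts it. The audit script below is an added example, not code from the thread or from Hard_Configurator; it assumes Windows 10 with the DISM cmdlets available, and the function name Get-PowerShellExposure is made up here.

```powershell
# Added example: report how much PowerShell is really "disabled" on this box.
# Assumes Windows 10 and an elevated session (Get-WindowsOptionalFeature needs admin).
function Get-PowerShellExposure {
    # The feature removed via Apps & Features -> Programs and Features ->
    # "Turn Windows features on or off" -> "Windows PowerShell 2.0".
    $v2Feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

    # Try to start the legacy engine the way a downgrade would: if it is gone,
    # powershell.exe prints an error instead of the major version "2".
    $v2Probe = & powershell.exe -Version 2 -NoProfile -NonInteractive `
        -Command '$PSVersionTable.PSVersion.Major' 2>&1
    $legacyEngineStarts = (($v2Probe | Out-String) -match '(?m)^\s*2\s*$')

    # Script block logging (policy key; absent or 0 means scripts run unlogged).
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = (Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging `
            -ErrorAction SilentlyContinue).EnableScriptBlockLogging

    [pscustomobject]@{
        CurrentEngineVersion  = $PSVersionTable.PSVersion.ToString()   # still here after the feature is removed
        LegacyV2FeatureState  = $v2Feature.State                       # 'Disabled' once the feature is removed
        LegacyV2EngineStarts  = $legacyEngineStarts                    # $false is the state you want
        LanguageMode          = $ExecutionContext.SessionState.LanguageMode  # FullLanguage = unrestricted
        ScriptBlockLoggingOn  = ($sbl -eq 1)
        ExecutionPolicy       = (Get-ExecutionPolicy)                  # not a security boundary, reported for context
    }
}

Get-PowerShellExposure | Format-List
```

If CurrentEngineVersion is 5.x and LanguageMode is FullLanguage, the .ps1 scripts Vasudev is worried about will still run; only the legacy 2.0 engine has been removed.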

Vasudev

Up to Windows 10 ver. 1809 this did not disable PowerShell - only the very old version 2.0 is disabled, so PowerShell is fully functional. You wrote "Powershell 2.0 Core or entire PS" - are there two different options in Windows ver. 1903 (there is only one in ver. 1809)?
It's PS Core/Engine. I'm on 19H1 aka v1903. Doing that made PowerShell start up and exit faster than before.
