Hackers Are Hiding Malware Within Legitimate Services Such As Slack And Trello

Posted on August 17, 2023 at 6:03 PM


A recent analysis revealed that out of over 400 malware families deployed in the last two years, over a quarter of them exploited legitimate web services as part of their infrastructure. Abusing these services allowed the hackers to remain undetected and made it harder for security tools to defend networks.

Hackers hide malware in Slack and Trello

Hackers always seek ways to abuse legitimate web services to run their campaigns. One of the most popular techniques is blending these campaigns within popular applications to avoid detection.

An analysis conducted by Recorded Future’s Insikt Group classified different types of malware used to abuse these services and how this malware was used. The analysis aims to assist those tasked with defending networks to understand how the services are used and abused within the existing environments.

The researchers also noted that an effective defense mechanism against the abuse of legitimate internet services needed a better approach. There was also a need to understand how the abuse of these services happened across different malware categories and hacker groups.

One of the analysts involved in the research, Julian-Ferdinand Vogele, said, “Using this knowledge helps in determining which services to flag or block, developing detection strategies, proactively identifying services susceptible to abuse, and employing advanced behavioral detections, all while balancing an organization’s security and operational requirements.”

Cloud storage platforms usually record the highest level of abuse. The other services susceptible to such campaigns include email services, messaging apps, and social media platforms. Pastebin, Google Drive, and Dropbox are also abused.

However, Telegram is the most common service abused in these campaigns, followed by Discord. According to the researchers, Telegram and Discord are free services widely used both within victim environments and in the cybercriminal ecosystem; their high usage makes them difficult to block, and both offer user-friendly, easy-to-use APIs.

Other messaging platforms that hackers abuse include Slack, which is being used as a command and control platform. According to the analysis, social media platforms were the fourth-most abused category of services.

One targeted platform is Steam, a video game sales and community platform by Valve. Steam partnered with Telegram to deploy the Vidar Stealer, according to a writeup by Emerging Threats. Emerging Threats noted that it was vital for users to have the option of sharing information through their profiles.

Russian hackers attributed to a recent campaign

The threat actors running campaigns through Slack are linked to the Russian Foreign Intelligence Service (SVR). In January, a report by Recorded Future noted that a hacker group tracked as BlueBravo/APT29/Nobelium was relying on Notion to conduct its operations.

Hackers were abusing the Notion API for command and control communications using malware known as GraphicalNeutrino. The malware supported the delivery of additional malware and used a database feature on the platform to store information about the victim and to stage payloads for download.

APT29 is a Russian-backed threat actor notorious for conducting cyber espionage campaigns. The group has previously been observed using the Trello project management software with malware that supports data gathering and exfiltration from targets and the delivery of malware to those targets. The group has also conducted hacking campaigns against Google Drive and Dropbox.

The data also showed that infostealers were garnering interest. Infostealers are designed to steal login credentials, financial data, and other personal details in order to gain access to compromised networks and accounts. The researchers said that 37% of the infostealer malware families abusing the services were detected by Recorded Future.

According to the researchers, infostealers were a key feature of the evolving cybercrime ecosystem. These tools require minimal infrastructure and are sold in cybercrime forums to operators who lack the necessary technical expertise. The easy infrastructure setup process is a significant selling point to other cybercriminals.

However, the researchers also said that the lack of in-depth analysis of the abuse of these services made comprehensive conclusions difficult. Nevertheless, there were positive indicators that this level of abuse was increasing, including a rapid pace of innovation by state-sponsored hacking groups, such as malware updates that add support for functionality across different services.

According to the researchers, an increase in the use of sophisticated infrastructure and methods is expected. They also expect advanced persistent threat actor groups to continue leading in this domain, which might later influence less-sophisticated hackers.

Publisher: Koddos
