Posted on March 9, 2019 at 7:25 AM
Researchers at Trend Micro report that they recently discovered a new malware that uses GitHub, Slack channels and file.io to steal information from users of Windows PCs. Further investigation showed that the malware is delivered through what is known as a “watering hole” attack, which involves compromising a website that is known to be visited by a specific target audience.
The website in question, which will remain unnamed, would serve the “interest” of those who are politically inclined, especially given that the malware was discovered sometime in February.
The suspicious website needed only one attempt to push each visitor to a malicious page that exploited CVE-2018-8174, a remote-code execution vulnerability in the VBScript engine that can be triggered through Internet Explorer.
Microsoft patched the bug on May 18, 2018, so it’s likely that any visitor running a Windows operating system without that specific patch may have been infected. Trend Micro named the malware “Slub” because the attacker depends on GitHub and Slack to steal data from a compromised PC.
What Harm Can It Cause?
Trend Micro pointed out that once a user is infected, the initial malware downloads another group of files containing Slub; it also runs checks to detect the presence of an antivirus. If one is identified, the malware exits, which is how it managed to stay hidden until now.
However, the problems don’t end there, because the attackers also use the malware to exploit an older Windows bug, CVE-2015-1705, a win32k.sys local elevation-of-privilege vulnerability. This one was chosen specifically because it can sidestep a Windows application’s sandbox.
After fully compromising a PC, the backdoor uses a private Slack channel to check for commands retrieved from “gist” snippets hosted on GitHub; those commands are then relayed to another private Slack channel that is monitored by the attacker.
What Can it Steal?
The compromised PC then uploads specific files to file.io, a file-sharing site where the attacker can pick them up. The malware shows an unusually strong interest in personal information, with special attention given to communication software.
In addition to taking advantage of Slack channels, the backdoor also has commands that target the desktop folder, compress it and steal it. It then creates a file tree of the desktop and from there hunts for offline information stored by Twitter, Skype, BBS, and KakaoTalk. Lastly, it copies all .hwp files, an extension used by a Korean word-processing app.
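The abuse pattern described above (commands pulled from a GitHub gist, results posted to Slack, files pushed to file.io) is something a defender can hunt for in web-proxy logs. The following is an added example, not code from Trend Micro or the original post; it runs a simple correlation heuristic over a few constructed log lines and flags any client that contacts all three services within a short window. The log format, hostnames and IP addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (timestamp, client IP, destination host, method, path).
# Made up for this example; not taken from the Trend Micro report.
SAMPLE_LOG = """\
2019-02-20T09:00:01 10.0.0.5 gist.githubusercontent.com GET /raw/cmd
2019-02-20T09:00:03 10.0.0.5 slack.com POST /api/chat.postMessage
2019-02-20T09:01:10 10.0.0.5 file.io POST /
2019-02-20T09:02:00 10.0.0.7 slack.com POST /api/chat.postMessage
2019-02-20T09:05:00 10.0.0.7 github.com GET /someorg/repo
2019-02-20T13:00:00 10.0.0.9 gist.githubusercontent.com GET /raw/notes
2019-02-20T13:00:05 10.0.0.9 file.io POST /
"""

# Each stage of the backdoor's traffic maps to a legitimate service; any one of
# them alone is normal, so the signal is one host touching all three close together.
STAGE_PATTERNS = {
    "gist_fetch": re.compile(r"gist\.github(?:usercontent)?\.com"),
    "slack_post": re.compile(r"slack\.com"),
    "fileio_upload": re.compile(r"(?:^|\.)file\.io$"),
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, host, method, path = m.groups()
    return datetime.fromisoformat(ts), src, host, method, path

def find_suspect_hosts(log_text, window=timedelta(minutes=10)):
    """Return sorted client IPs that hit gist, Slack and file.io (upload) within `window`."""
    events = defaultdict(list)  # client IP -> [(timestamp, stage)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, host, method, _path = parsed
        for stage, pat in STAGE_PATTERNS.items():
            if pat.search(host) and not (stage == "fileio_upload" and method != "POST"):
                events[src].append((ts, stage))  # only POSTs to file.io count as exfil
    suspects = []
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            seen = {stage for ts, stage in evs[i:] if ts - t0 <= window}
            if seen == set(STAGE_PATTERNS):
                suspects.append(src)
                break
    return sorted(suspects)
```

Only the first client meets all three conditions; the others touch Slack or github.com alone, which is exactly why single-indicator blocking of these services is not a useful detection.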
Trend Micro indicated that they escalated the issue to the Canadian Centre for Cyber Security, which partnered with the owner of the watering hole in an attempt to get rid of the malware.
Slack shut down the workspace because the attacker had violated its terms of service. GitHub followed soon after and removed the files from its platform.
The Trend Micro team said they strongly believe it was part of a targeted attack campaign. They added that, judging by how the attack was coordinated, these attackers are not amateurs. By using only public third-party apps, they eliminated any chance of anything being traced back to them.