What is the issue - Researchers from Trend Micro recently uncovered a new backdoor dubbed ‘SLUB’ that is delivered to victims through watering hole attacks.
What is a watering hole attack - In a watering hole attack, the attackers observe which websites their targets visit frequently, identify vulnerabilities in those websites, and inject malicious code into them so that the targets are infected when they visit.
How does it work?
Worth noting - Researchers observed that the SLUB backdoor was connecting to the Slack platform, a collaborative messaging system.
The first-stage downloader also scans the running processes for antivirus software and exits if it finds any, so that the second stage is never dropped on a monitored machine.
The SLUB backdoor achieves persistence by adding a Run key to the Windows Registry. It then downloads a Gist snippet in which the attackers store the commands the malware is to execute on compromised computers; each compromised computer runs only the commands that are enabled in the snippet, and the output of every command is posted to a private Slack channel using tokens embedded in the backdoor.
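Run-key persistence is cheap to check for, and the page gives no indicator to search for, so the sensible response is a heuristic audit of the autostart keys. The script below is example code added by the editor, not Trend Micro's tooling: the key list, the heuristics (an image in a user-writable directory, a script payload, a LOLBin launcher, an encoded or hidden command line) and the sample entries are assumptions and constructed data, not SLUB's real artifacts. On Windows it reads the live keys through `winreg`; elsewhere it falls back to the constructed sample so it can be run offline.

```python
"""Audit Windows Run-key autostart entries for the kind of user-writable or
script-based persistence the SLUB write-up describes. Example code added by the
editor, not Trend Micro's tooling; the key list, heuristics and sample entries
below are assumptions and constructed data, not SLUB's real artifacts."""
import re
import sys
from typing import Dict, Iterable, List, Tuple

# Autostart locations commonly abused for persistence (assumed list).
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# A binary autostarting from a directory any user can write to deserves a look.
USER_WRITABLE = re.compile(
    r"\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|\\Downloads\\"
    r"|%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%",
    re.IGNORECASE,
)
SCRIPT_EXT = re.compile(r"\.(vbs|js|jse|wsf|hta|ps1|bat|cmd)$", re.IGNORECASE)
LOLBIN = re.compile(
    r"(?:^|\\)(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$",
    re.IGNORECASE,
)
ENCODED_OR_HIDDEN = re.compile(
    r"-enc\b|-encodedcommand|-w(?:indowstyle)?\s+hidden|-ep\s+bypass|frombase64string",
    re.IGNORECASE,
)

def extract_image_path(command: str) -> str:
    """Return the executable portion of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def classify_entry(command: str) -> List[str]:
    """Reasons an entry looks suspicious; an empty list means nothing tripped."""
    image = extract_image_path(command)
    reasons = []
    if USER_WRITABLE.search(image):
        reasons.append("image in user-writable directory")
    if SCRIPT_EXT.search(image):
        reasons.append("script payload")
    if LOLBIN.search(image):
        reasons.append("LOLBin launcher")
    if ENCODED_OR_HIDDEN.search(command):
        reasons.append("encoded or hidden command line")
    return reasons

def audit(entries: Iterable[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """entries: (key path, value name, command) triples. Returns the suspicious ones."""
    findings = []
    for location, name, command in entries:
        reasons = classify_entry(command)
        if reasons:
            findings.append({"location": location, "name": name,
                             "command": command, "reasons": reasons})
    return findings

def collect_live_entries() -> List[Tuple[str, str, str]]:
    """Read the real Run keys. winreg only exists on Windows; elsewhere return []."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, hence the late import
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue  # key absent or access denied
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                entries.append((hive + "\\" + path, name, str(value)))
                index += 1
    return entries

# Constructed sample entries (not real SLUB indicators).
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\alice\AppData\Roaming\svc\update.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Loader",
     r"powershell.exe -w hidden -enc SQBFAFgA"),
]

if __name__ == "__main__":
    for f in audit(collect_live_entries() or SAMPLE_ENTRIES):
        print("%s\\%s: %s  <- %s" % (f["location"], f["name"], f["command"],
                                     ", ".join(f["reasons"])))
```

Note that the OneDrive entry in the sample is legitimate and still gets flagged, because it really does autostart from AppData; the heuristic is a triage filter, not a verdict, and the next step is checking the flagged image's signature and hash. A real deployment would also cover the RunOnce and Winlogon keys under the 32-bit Wow6432Node paths and the Startup folders.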
“We also noted a specific interest in a software called ‘Neologic Plus Board,’ which seems to be used for the administration of bulletin board systems. Some of the files that the attackers retrieved contained hundreds of BBS URLs. We also noticed that most of the files uploaded to file.io were already deleted when we tried to retrieve them,” the researchers noted in a blog post.
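The detection opportunity in all of this is that SLUB hides its traffic inside three legitimate services: GitHub Gist for tasking, Slack for command output and file.io for uploads. None of those is blockable outright in most organisations, but a host whose traffic to them comes from something other than a browser, the Slack client or a developer tool stands out. The script below is example code added by the editor, not Trend Micro's; the service host lists, the map of expected client processes and the telemetry records (shaped like Sysmon network events with a process name) are assumptions and constructed data.

```python
"""Flag processes that reach the legitimate services SLUB abuses (Slack for
command output, GitHub Gist for tasking, file.io for uploads) without being one
of the clients expected to use them. Example code added by the editor, not
Trend Micro's; host lists, allowed processes and the telemetry are assumptions
and constructed data."""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Hosts behind each abused service (assumed; extend from your own proxy logs).
SERVICE_HOSTS = {
    "slack": {"slack.com", "api.slack.com", "hooks.slack.com", "files.slack.com"},
    "gist": {"gist.github.com", "gist.githubusercontent.com", "api.github.com"},
    "fileio": {"file.io", "www.file.io"},
}
# Processes that legitimately talk to each service in this (assumed) environment.
EXPECTED_CLIENTS = {
    "slack": {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "gist": {"chrome.exe", "msedge.exe", "firefox.exe", "git.exe", "code.exe"},
    "fileio": {"chrome.exe", "msedge.exe", "firefox.exe"},
}

def service_for(host: str) -> Optional[str]:
    """Map a destination hostname to one of the abused services, or None."""
    host = host.lower().rstrip(".")
    for svc, hosts in SERVICE_HOSTS.items():
        if host in hosts or any(host.endswith("." + h) for h in hosts):
            return svc
    return None

def analyze(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Group unexpected-process hits per computer. A single computer touching
    two or more of the three services from an unexpected process matches the
    SLUB pattern (tasking + output + upload) and is rated high."""
    per_computer = defaultdict(list)
    for ev in events:
        svc = service_for(ev["host"])
        if svc is None or ev["process"].lower() in EXPECTED_CLIENTS[svc]:
            continue
        per_computer[ev["computer"]].append((svc, ev))
    findings = []
    for computer, hits in sorted(per_computer.items()):
        services = sorted({svc for svc, _ in hits})
        findings.append({
            "computer": computer,
            "services": services,
            "processes": sorted({ev["process"] for _, ev in hits}),
            "first_seen": min(ev["ts"] for _, ev in hits),
            "severity": "high" if len(services) >= 2 else "medium",
        })
    return findings

# Constructed sample telemetry; process names are made up, not SLUB's.
SAMPLE_EVENTS_JSON = """
[{"ts":"2019-03-07T09:01:12Z","computer":"WS-017","process":"chrome.exe","host":"slack.com"},
 {"ts":"2019-03-07T09:03:40Z","computer":"WS-017","process":"chrome.exe","host":"gist.github.com"},
 {"ts":"2019-03-07T09:10:05Z","computer":"WS-042","process":"update.exe","host":"gist.githubusercontent.com"},
 {"ts":"2019-03-07T09:10:09Z","computer":"WS-042","process":"update.exe","host":"api.slack.com"},
 {"ts":"2019-03-07T09:12:31Z","computer":"WS-042","process":"update.exe","host":"file.io"},
 {"ts":"2019-03-07T09:20:00Z","computer":"WS-099","process":"python.exe","host":"api.slack.com"}]
"""

def load_events(text: str = SAMPLE_EVENTS_JSON) -> List[Dict[str, str]]:
    """Parse the JSON array of events (one object per network connection)."""
    return json.loads(text)

if __name__ == "__main__":
    for finding in analyze(load_events()):
        print(finding)
```

Running it on the sample yields WS-042 as high (one unknown process reaching Gist, Slack and file.io within minutes) and WS-099 as medium (a script talking to the Slack API, which may simply be a developer's bot). The allow-list is the weak point of this rule: tune it from a baseline of your own telemetry, and treat an unsigned binary or one living in a user-writable directory as the tie-breaker rather than the process name alone.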