
New backdoor ‘SLUB’ targets victims via watering hole attack

  • In this campaign, attackers have exploited the VBScript engine vulnerability (CVE-2018-8174) that was patched by Microsoft in May 2018.
  • Researchers observed that the SLUB backdoor was connecting to the Slack platform, a collaborative messaging system.

What is the issue - Researchers from Trend Micro recently uncovered a new backdoor dubbed ‘SLUB’ that propagates via watering hole attacks.

What is a watering hole attack - A watering hole attack is a technique where attackers observe the websites their targets visit frequently, identify vulnerabilities in those websites, and inject malicious code into them so that targets are infected when they visit.

How does it work?

  • In this campaign, attackers have exploited the VBScript engine vulnerability (CVE-2018-8174) that was patched by Microsoft in May 2018.
  • Once the vulnerability is exploited, the exploit downloads a DLL and runs it via PowerShell.
  • The DLL then downloads and runs the second executable file that includes the SLUB backdoor.
  • The downloader also exploits the CVE-2015-1701 vulnerability to obtain Local Privilege Escalation.

Worth noting - Researchers observed that the SLUB backdoor was connecting to the Slack platform, a collaborative messaging system.

The first-stage downloader also scans for antivirus software processes and then proceeds to exit if it does not detect anything.

SLUB backdoor

The SLUB backdoor achieves persistence by adding a Run key to the Windows Registry. The backdoor also downloads a Gist snippet in which the attackers store the commands they want the malware to execute on compromised computers. Each compromised computer executes the commands that are enabled in the Gist snippet, and the output of every command is sent to a private Slack channel using tokens embedded in the malware.
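Because SLUB's tasking and output channels are legitimate services (Gist, Slack, file.io), a defender's first check is which processes on a workstation talk to them. The following is an added detection example, not code from the Trend Micro research or the page; the log format, host names and the list of expected client processes are constructed assumptions to be tuned per environment.

```python
# Added example: flag connections to the services SLUB abuses when the
# originating process is not an expected client. Log lines are constructed.
import re

# Destinations the write-up associates with SLUB's command/output channels.
WATCHED_HOSTS = {
    "gist.github.com": "command retrieval (Gist snippet)",
    "api.slack.com": "command output (private Slack channel)",
    "file.io": "file upload/retrieval",
}
# Processes expected to reach these services (assumption; tune per site).
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "slack.exe"}

# Constructed log format: timestamp host= proc= pid= dst=<host>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<dst>[\w.-]+):(?P<port>\d+)$"
)

def parse_event(line):
    """Parse one connection-log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_suspicious(lines):
    """Return (host, proc, dst, reason) for unexpected processes that
    contact a watched service; malformed lines are skipped."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        reason = WATCHED_HOSTS.get(ev["dst"].lower())
        if reason and ev["proc"].lower() not in EXPECTED_PROCESSES:
            hits.append((ev["host"], ev["proc"], ev["dst"], reason))
    return hits

# Constructed sample: a browser using Gist normally, then a PowerShell-
# launched binary on WS07 fetching a Gist and posting to Slack and file.io.
SAMPLE_LOG = """
2019-03-08T10:01:02Z host=WS01 proc=chrome.exe pid=4120 dst=gist.github.com:443
2019-03-08T10:03:15Z host=WS07 proc=powershell.exe pid=2210 dst=gist.github.com:443
2019-03-08T10:03:19Z host=WS07 proc=svc_update.exe pid=2288 dst=api.slack.com:443
2019-03-08T10:04:00Z host=WS07 proc=svc_update.exe pid=2288 dst=file.io:443
2019-03-08T10:05:30Z host=WS02 proc=slack.exe pid=900 dst=api.slack.com:443
""".strip().splitlines()

if __name__ == "__main__":
    for host, proc, dst, reason in find_suspicious(SAMPLE_LOG):
        print(f"{host}: {proc} -> {dst} ({reason})")
```

Correlating these hits with a newly added Run key on the same host (the persistence step described above) gives a stronger signal than either observation alone.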

“We also noted a specific interest in a software called ‘Neologic Plus Board,’ which seems to be used for the administration of bulletin board systems. Some of the files that the attackers retrieved contained hundreds of BBS URLs. We also noticed that most of the files uploaded to file.io were already deleted when we tried to retrieve them,” researchers noted in a blog post.
