SLUB is being spread via watering hole attacks, a technique that involves an attacker compromising a website before adding code to it so visitors are redirected to the infecting code. In this case, each visitor is redirected only once.
The infection was done by exploiting CVE-2018-8174, which is described as follows:
"A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka 'Windows VBScript Engine Remote Code Execution Vulnerability.'"
Second, it uses a multi-stage infection scheme. After exploiting the vulnerability, it downloads a DLL and runs it through PowerShell (PS). This file, a downloader, then downloads and runs a second executable containing a backdoor. The first-stage downloader also checks whether processes belonging to several antivirus products are running, and exits if any is found.
The downloader, which runs through PowerShell as a DLL, serves several purposes. The first is to download the second stage malware, which we called the SLUB (for SLack and githUB; detected as Backdoor.Win32.SLUB.A) backdoor and execute it. The second purpose is to check if the following antivirus processes are running:
If the downloader finds one of these, it simply exits.
Finally, the downloader also exploits the CVE-2015-1701 vulnerability to obtain local privilege escalation. The exploit's code was likely created by modifying code from a GitHub repository.
The SLUB backdoor
The SLUB backdoor is a custom one written in C++, statically linking the curl library to perform multiple HTTP requests. Other statically linked libraries are boost (for extracting commands from gist snippets) and JsonCpp (for parsing Slack channel communication).
The malware also embeds two authorization tokens to communicate with the Slack API.
The result of the commands is then posted to a private Slack channel in a particular workspace using the embedded tokens.
Note that a side effect of this particular setup is that the attacker has no way to issue commands to a specific target. Each infected computer will execute the commands that are enabled in the gist snippet upon checking it.
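The command channel (GitHub gist) and result channel (Slack API) described above give defenders a pairing to look for. The following is an added detection example, not code from the original article or from the malware: it correlates constructed proxy log lines per host and process and flags any unexpected process that both fetches gist content and posts to the Slack API. The log format, sample lines and allow-list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the article): timestamp host process method url
SAMPLE_LOG = """\
2019-03-01T10:00:01Z ws-07 powershell.exe GET https://gist.githubusercontent.com/someuser/abc123/raw/cmds.txt
2019-03-01T10:00:04Z ws-07 powershell.exe POST https://slack.com/api/files.upload
2019-03-01T10:01:10Z ws-12 chrome.exe GET https://gist.github.com/someuser/abc123
2019-03-01T10:02:30Z ws-12 slack.exe POST https://slack.com/api/chat.postMessage
2019-03-01T10:03:00Z ws-19 svchost.exe GET https://gist.githubusercontent.com/x/y/raw/z
"""

GIST_RE = re.compile(r"https?://gist\.github(usercontent)?\.com/", re.I)
SLACK_API_RE = re.compile(r"https?://slack\.com/api/", re.I)
# Assumed allow-list of processes expected to talk to GitHub/Slack; tune per environment.
EXPECTED = {"chrome.exe", "firefox.exe", "slack.exe", "git.exe"}


def parse(line):
    """Split one constructed log line into its five fields."""
    ts, host, proc, method, url = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "proc": proc.lower(), "method": method, "url": url}


def find_slub_like_c2(log_text):
    """Return sorted (host, process) pairs where a non-allow-listed process both
    read a gist and POSTed to the Slack API: the SLUB command/result pairing."""
    seen = defaultdict(lambda: {"gist": False, "slack": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        if e["proc"] in EXPECTED:
            continue
        key = (e["host"], e["proc"])
        if GIST_RE.search(e["url"]):
            seen[key]["gist"] = True
        if e["method"] == "POST" and SLACK_API_RE.search(e["url"]):
            seen[key]["slack"] = True
    return sorted(k for k, v in seen.items() if v["gist"] and v["slack"])


if __name__ == "__main__":
    for host, proc in find_slub_like_c2(SAMPLE_LOG):
        print(f"ALERT {host}: {proc} reads gists and posts to the Slack API")
```

A host that only fetches a gist (ws-19 in the sample) is not flagged on its own; the alert requires both halves of the channel from the same process.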
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256): 626a3a68a2cc2a91c1ece1eed7610c8a