# SLUB Gets Rid of GitHub, Intensifies Slack Use

Trend Micro, TrendLabs Security Intelligence Blog. Posted on July 16, 2019 at 5:01 am, in Malware, Vulnerabilities. Author: Trend Micro.

**_by Cedric Pernet, Elliot Cao, Jaromir Horejsi, Joseph C. Chen, William Gamazo Sanchez_**

Four months ago, we exposed an attack that leveraged a previously unknown malware that Trend Micro named [SLUB](https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/). The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174, a VBScript engine vulnerability. It used GitHub and Slack as tools for communication between the malware and its controller.

On July 9, we discovered a new version of SLUB delivered via another unique watering hole website. This malicious site used CVE-2019-0752, an Internet Explorer vulnerability [discovered by Trend Micro's Zero Day Initiative (ZDI)](https://www.zerodayinitiative.com/blog/2019/5/21/rce-without-native-code-exploitation-of-a-write-what-where-in-internet-explorer) that was just [patched this April](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0752). This is the first time we have found this exploit used in the wild.
This new version of the SLUB malware has stopped using GitHub as a way to communicate and now relies heavily on Slack instead, via two free workspaces. Slack is a collaborative messaging system that lets users create and use their own workspaces organized into channels, similar to the internet relay chat (IRC) system. Slack has since shut down the relevant workspaces. Coincidence or not, both websites that have delivered the SLUB malware are supportive of the North Korean government.

**_Infection chain_**

The SLUB malware was delivered through watering hole websites that were injected with exploits for CVE-2018-8174 or CVE-2019-0752. A victim browsing the websites with an unpatched Internet Explorer browser will be infected with a SLUB loader. Listed below are the steps that the exploit script performs to execute the loader. The infection chain is similar to the previous iteration of SLUB; however, this version employs different techniques to bypass AV heuristics and machine learning algorithms:

- dll name: mfcm14u.dll) downloaded from the watering hole website. The malicious DLL implements export symbols following the Windows naming convention and uses an actual Windows API name, AfxmReleaseManagedReferences. Note that this combination of naming conventions could help the attackers bypass ML algorithms.

_Figure 1. PowerShell script to download and launch SLUB loader_

The PowerShell script checks the architecture of the system to decide which malicious DLL files should be downloaded. The malicious DLL files are actually the SLUB loader. On an x86 system, a 32-bit SLUB loader is downloaded and [CVE-2019-0808](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0808), a relatively new vulnerability patched in March, is used.
On an x64 system, a 64-bit SLUB loader is downloaded and [CVE-2019-0803](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803), another new vulnerability patched in April, is leveraged. Both are exploited for privilege escalation on Windows. The loader then checks the architecture of the system to decide whether to download and use the x86 or the x64 version of the SLUB malware to infect the victim. All the exploits, loaders, and SLUB malware were hosted directly on the watering hole websites.

_Figure 2. Infection chain of SLUB malware_

_Figure 3. Traffic pattern of SLUB malware infection chain_

Since we published our last report on SLUB, the backdoor has been updated and several improvements were implemented. The most notable change is the complete adoption of Slack as an avenue to organize victim machines and give commands. Here are the changes in detail:

- GitHub is not used anymore.
- The operator creates a Slack workspace.
- Each infected machine joins the workspace, and a separate channel named per victim is created in the workspace.
- Command and control (C&C) communication only uses these Slack channels; if the operator wants to execute a command on an infected machine, he posts a message to the victim-specific channel and pins this message.
- The victim machine reads the pinned messages from its dedicated channel, parses the message, and executes the requested command.

Aside from these changes, we also found new information from two Slack tokens hardcoded into the binary (similar to the previous version). These tokens can be used to query the Slack API for some metadata, such as team info, the user list, and the channel list (which in this case corresponds to the list of victims).
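The kind of token triage described here, as an added example and not code from the original post: given a token recovered from a sample, a responder wants to know what it is allowed to do and what the workspace looks like (team, users with their time zones, and channels). Slack reports a token's OAuth scopes in the X-OAuth-Scopes response header of every Web API call, and the users.list body carries each member's tz and tz_label. query_workspace() performs the live calls; the parsers are exercised on constructed sample responses so the script runs without a token or network access. The method name conversations.list is today's replacement for the channels.list the 2019 binary would have used; the sample values are invented.

```python
"""Triage a recovered Slack token: scopes from the response header, workspace metadata from the body."""
import json
import urllib.request
from typing import Dict, List, Tuple

SLACK_API = "https://slack.com/api"


def slack_call(token: str, method: str) -> Tuple[dict, Dict[str, str]]:
    """GET a Slack Web API method with a bearer token; return (JSON body, lower-cased headers)."""
    req = urllib.request.Request(
        f"{SLACK_API}/{method}", headers={"Authorization": f"Bearer {token}"}
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = json.loads(resp.read().decode("utf-8"))
        headers = {k.lower(): v for k, v in resp.headers.items()}
    return body, headers


def parse_scopes(headers: Dict[str, str]) -> List[str]:
    """Scopes come back comma-separated in X-OAuth-Scopes (header names are case-insensitive)."""
    raw = next((v for k, v in headers.items() if k.lower() == "x-oauth-scopes"), "")
    return [s.strip() for s in raw.split(",") if s.strip()]


def can_administer(scopes: List[str]) -> bool:
    """The post's C&C token carried 'admin', i.e. it could administer the whole workspace."""
    return "admin" in scopes


def summarize_users(users_list: dict) -> List[dict]:
    """Reduce a users.list body to name / email / time zone, skipping bots and deleted accounts."""
    out = []
    for m in users_list.get("members", []):
        if m.get("is_bot") or m.get("deleted"):
            continue
        out.append({
            "name": m.get("name"),
            "email": m.get("profile", {}).get("email"),
            "tz": m.get("tz"),
            "tz_label": m.get("tz_label"),
        })
    return out


def channel_names(conversations_list: dict) -> List[str]:
    """In this campaign every channel is one victim, so the channel list is the victim list."""
    return sorted(c["name"] for c in conversations_list.get("channels", []))


def query_workspace(token: str) -> dict:
    """Live version: auth.test for the scope header, then team / user / channel metadata."""
    _, headers = slack_call(token, "auth.test")
    team, _ = slack_call(token, "team.info")
    users, _ = slack_call(token, "users.list")
    chans, _ = slack_call(token, "conversations.list")
    scopes = parse_scopes(headers)
    return {
        "team": team.get("team", {}).get("name"),
        "scopes": scopes,
        "admin": can_administer(scopes),
        "users": summarize_users(users),
        "channels": channel_names(chans),
    }


# Constructed sample responses, shaped like Slack's but with invented values, so the parsers
# can be exercised offline (assumption: these are not responses from the real workspaces).
SAMPLE_HEADERS = {"X-OAuth-Scopes": "admin,identify,read,post,client"}
SAMPLE_USERS = {"ok": True, "members": [
    {"name": "opA", "tz": "Africa/Monrovia", "tz_label": "Greenwich Mean Time",
     "profile": {"email": "opa@example.invalid"}},
    {"name": "opB", "tz": "Asia/Seoul", "tz_label": "Korea Standard Time",
     "profile": {"email": "opb@example.invalid"}},
    {"name": "helperbot", "is_bot": True, "tz": None, "tz_label": None, "profile": {}},
]}
SAMPLE_CHANNELS = {"ok": True, "channels": [{"name": "general"}, {"name": "victim-b"}, {"name": "victim-a"}]}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # python slack_token_triage.py <token>
        print(json.dumps(query_workspace(sys.argv[1]), indent=2))
    else:
        scopes = parse_scopes(SAMPLE_HEADERS)
        print(scopes, "admin" if can_administer(scopes) else "no admin")
        print(summarize_users(SAMPLE_USERS))
        print(channel_names(SAMPLE_CHANNELS))
```

Run it with a token as the only argument for the live query, or with no arguments to see the parsers work on the constructed sample. Reading the scope header off auth.test is deliberate: it is a harmless call that still returns X-OAuth-Scopes, so the token's reach is known before anything else is touched.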
Investigating this information reveals that, at the time of this research, the workspace had been active since at least the end of May and one of the users had their time zone set to "Korea Standard Time." When checking the response headers for both tokens, we can see the following difference in OAuth scopes:

C&C token:

Notify token:

The C&C token contains "admin" in its OAuth scope, which allows it to "administer your workspace." If the operator needs to change these tokens, he can update them by editing the content of the toni132[.]pen[.]io webpage. The source code of this webpage is parsed for certain keywords: HELLO^, WHAT^, and !!!. If the desired keywords are found, the tokens are parsed out and updated:

**_Command communication_**

In detail, the communication works as follows: if the operator (one of the users from the user list) wants to send a command to the victim, he posts and pins a message in the corresponding channel. The text value of the message specifies which command should be executed. The example below shows a "capture" command for taking a screenshot, pinned to a certain channel by an operator.

The command for listing files in a given directory may look like the following:

And listing all files on the victim's desktop may look like the following:

The victim machine then reads the command, executes it, and (in the case of taking a screenshot) responds by uploading the screenshot and sharing the link to the file. Notice that the "upload" value is set to "true."

Other supported commands are exec, dnexec, capture, file, drive, reg, and tmout, which are similar to the ones we described in our previous post on SLUB. When a command is run, its output is uploaded to file.io, as in the previous post.

During this attack, we found that the SLUB malware used two Slack teams, "sales-yww9809" and "marketing-pwx7789." The creation time of the workspaces is unknown.
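The pinned-message exchange described above, simulated end to end as an added example (not code from the post or from SLUB). The operator side posts a message in the victim's channel and pins it; the victim side lists the channel's pinned messages, runs each one it has not handled yet, and posts the result back, uploading a file and sharing its link for "capture" (the upload=true case). FakeSlack is an in-memory stand-in for the four Slack Web API calls such an exchange needs (chat.postMessage, pins.add, pins.list, files.upload), so nothing leaves the machine. The verbs are the ones listed in the post; their argument syntax, the channel name, the file link format and the directory contents are assumptions made up for the demo.

```python
"""SLUB-style Slack C&C, simulated: operator pins a command, victim polls pins and replies."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SUPPORTED = {"exec", "dnexec", "capture", "file", "drive", "reg", "tmout"}  # verbs named in the post


@dataclass
class FakeSlack:
    """In-memory stand-in for the Slack Web API calls the exchange relies on."""
    messages: Dict[str, List[dict]] = field(default_factory=dict)  # channel -> messages
    pinned: Dict[str, List[str]] = field(default_factory=dict)     # channel -> pinned ts values
    uploads: List[dict] = field(default_factory=list)
    _clock: int = 0

    def chat_post(self, channel: str, user: str, text: str) -> str:
        """chat.postMessage: append a message, return its ts (the id pins refer to)."""
        self._clock += 1
        ts = f"{self._clock}.000000"
        self.messages.setdefault(channel, []).append({"ts": ts, "user": user, "text": text})
        return ts

    def pins_add(self, channel: str, ts: str) -> None:
        """pins.add: mark an existing message as pinned."""
        self.pinned.setdefault(channel, []).append(ts)

    def pins_list(self, channel: str) -> List[dict]:
        """pins.list: only pinned messages come back; ordinary chatter in the channel does not."""
        wanted = set(self.pinned.get(channel, []))
        return [m for m in self.messages.get(channel, []) if m["ts"] in wanted]

    def files_upload(self, channel: str, name: str, data: bytes) -> str:
        """files.upload: store the blob and hand back a shareable link (placeholder URL, an assumption)."""
        link = f"https://files.example.invalid/{len(self.uploads)}/{name}"
        self.uploads.append({"channel": channel, "name": name, "size": len(data), "link": link})
        return link


def parse_command(text: str) -> Optional[Tuple[str, str]]:
    """'<verb> <argument>' -> (verb, argument); None for anything outside the supported verbs."""
    verb, _, arg = text.strip().partition(" ")
    verb = verb.lower()
    return (verb, arg.strip()) if verb in SUPPORTED else None


class Victim:
    """Implant side: poll the dedicated channel's pins and act on each new command exactly once."""

    def __init__(self, slack: FakeSlack, channel: str, fake_fs: Dict[str, List[str]]):
        self.slack, self.channel, self.fs = slack, channel, fake_fs  # fake_fs replaces the real disk
        self.done: set = set()

    def poll(self) -> List[dict]:
        replies = []
        for msg in self.slack.pins_list(self.channel):
            if msg["ts"] in self.done:
                continue
            self.done.add(msg["ts"])
            parsed = parse_command(msg["text"])
            if parsed is not None:
                replies.append(self._run(*parsed))
        return replies

    def _run(self, verb: str, arg: str) -> dict:
        if verb == "capture":  # screenshot: upload the image and share the link
            png = b"\x89PNG\r\n\x1a\n" + b"constructed placeholder, not a real screenshot"
            link = self.slack.files_upload(self.channel, "capture.png", png)
            reply = {"cmd": verb, "upload": True, "link": link}
        elif verb == "file":   # directory listing, served from the constructed file system
            reply = {"cmd": verb, "upload": False, "output": sorted(self.fs.get(arg, []))}
        else:                  # the remaining verbs exist in SLUB but are not modelled here
            reply = {"cmd": verb, "upload": False, "output": "not modelled in this simulation"}
        self.slack.chat_post(self.channel, self.channel, json.dumps(reply))
        return reply


def run_exchange() -> Tuple[List[dict], List[dict], FakeSlack]:
    """Operator pins two commands and sends one unpinned line; the victim polls twice."""
    slack = FakeSlack()
    channel = "victim-pc-01"  # one channel per victim; the real naming scheme is not shown in the post
    desktop = r"C:\Users\victim\Desktop"
    victim = Victim(slack, channel, {desktop: ["report.docx", "notes.txt"]})
    slack.pins_add(channel, slack.chat_post(channel, "operator", "capture"))
    slack.pins_add(channel, slack.chat_post(channel, "operator", f"file {desktop}"))
    slack.chat_post(channel, "operator", "capture")  # not pinned, so the implant ignores it
    first = victim.poll()
    second = victim.poll()  # nothing new: the same pins are not executed twice
    return first, second, slack


if __name__ == "__main__":
    first, second, slack = run_exchange()
    print(json.dumps(first, indent=2))
    print("second poll:", second, "| uploads:", len(slack.uploads))
```

Two details matter for anyone writing detection around this: the command channel is pins.list, not the message stream, so an unpinned "capture" is never executed, and the victim's replies are ordinary messages in the same channel, so an operator watching the channel sees command and result side by side.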
Inside the team sales-yww9809 were two users, Lomin (lomio8158@cumallover[.]me) and Yolo (yolo1617@cumallover[.]me), both created on the same day (May 23, 2019). Lomin's time zone was GMT and mentioned Africa/Monrovia, while Yolo's was Korea Standard Time and mentioned Asia/Seoul.

The other team, marketing-pwx7789, also had two users, named Boshe (boshe3143@firemail[.]cc) and Forth (misforth87u@cock[.]lu). They were also created on the same day (April 17, 2019). Similar to the first team, Boshe has the time zone set to Africa/Monrovia with GMT while Forth is in Asia/Seoul with Korea Standard Time. These email addresses use a free encrypted email service; we could not find additional information on those usernames.

**_Conclusion_**

Once again, this attack shows a professional level of OpSec. The constant use of online services like Slack, cock.li, and pen.io makes it harder to track this threat actor. Similar to the previous variant, this one has been very discreet and has not been spread on a wide scale. We could not find any other variant anywhere else, nor did we find any other ongoing campaign run by these attackers. We are once again confident that this attack targets specific individuals visiting that particular watering hole, with surveillance as a highly probable final goal.

In response to this incident, Slack replied with the following:

_As noted in their previous post, and detailed further in this new post, Trend Micro has discovered, and is actively tracking, a third party that is attempting to use targeted malware known as SLUB, and which attempts to use Slack related to this effort. As part of the Trend Micro investigation, we were made aware of free workspaces being used in this manner. We investigated and immediately shut down the reported Slack Workspaces as a violation of our terms of service. We confirmed that Slack was not compromised in any way as part of this incident. We are committed to preventing the misuse of our platform and we will take action against anyone who violates our terms of service._

[Trend Micro Deep Security](https://www.trendmicro.com/en_ph/business/products/hybrid-cloud/deep-security.html) customers are protected by the following rules:

- … (CVE-2018-8174)
- 1009655-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)
- 1009647-Microsoft Windows GDI Elevation Of Privilege Vulnerability (CVE-2019-0803)
- 1009582-Microsoft Windows Win32k Elevation Of Privilege Vulnerability (CVE-2019-0808)

**_Indicators of compromise_**

| SHA-256 | Attribution | Filename |
|---|---|---|
| ac7d144df013fdd784afec0532b8928c73983eb8edfb727f1a184ff2ad1edb67 | CVE-2018-8174 | board_main.php |
| 09a450e31dd9b11f5b1b7b770fef9f361e0aac84c232d4329e5751f827541f90 | CVE-2019-0752 | board_main.php |
| 482a8e66b49372269f204afcd3abca8cc0f73d61b65ccca0981addf17d720f58 | SLUB loader (CVE-2019-0808) | Thumb403720952_ax14pavm_image14.jpg |
| 20c807d48fecbe04672250c37b4585b3433e8e4b6205be963e0b36d87c1e68ed | SLUB loader (CVE-2019-0808) | 637155112_zlwxf13b_eab192aa14.jpg |
| c9933e93cae1261d0f935e1fee95238cb70a776e9689bba9c28a67d9dc74b1f3 | SLUB loader (CVE-2019-0803) | Thumb403720952_ax14pavm_image13.jpg |
| d118fd11d0d048193f5c3e13773082c2deed203279c961cddc5ed4ba60a75665 | SLUB loader (CVE-2019-0803) | 637155112_zlwxf13b_eab192aa13.jpg |
| 4b0650f4ddf3c4e182eea8a0d03fd44d5e76ed1d82283949ddf7cb467495990d | SLUB malware (x32) | Thumb403720952_ax14pavm_image16.jpg |
| 4ff9f6f67c9f330e6afd32762f3d40ffea8651206c3cf935fc94e57ef9f34190 | SLUB malware (x32) | 637155112_zlwxf13b_eab192aa16.jpg |
| 5dd2e2d59eb54e4a7b1756ca7a6c1e4ce0551ac793cf8791211c7c81fb644561 | SLUB malware (x64) | Thumb403720952_ax14pavm_image15.jpg |
| c6352f9940ccf205879fcddfc69b18dfe39272689b859cad3b5399a8fe37e9a3 | SLUB malware (x64) | 637155112_zlwxf13b_eab192aa15.jpg |
| 8b576ae94749984fe294b96b77e28b7f5007934da53689a37ea09cf7971177a3 | SLUB malware (x64) | 637155112_zlwxf13b_eab192aa17.jpg |