Suspected Iranian hackers target airline with new backdoor

The attack was performed by abusing the Slack workspace application.
Written by Charlie Osborne, Contributing Writer

A suspected, state-sponsored Iranian threat group has attacked an airline with a never-before-seen backdoor. 

On Wednesday, cybersecurity researchers from IBM Security X-Force said an Asian airline was the subject of the attack, which likely began in October 2019 until 2021.  

The advanced persistent threat (APT) group ITG17, also known as MuddyWater, leveraged a free workspace channel on Slack to harbor malicious content and to obfuscate communications made between malicious command-and-control (C2) servers. 

"It is unclear if the adversary was able to successfully exfiltrate data from the victim environment, though files found on the threat actor's C2 server suggest the possibility that they may have accessed reservation data," IBM says. 

The Slack messaging Application Program Interface (API) was abused by a new backdoor deployed by the APT named "Aclop." Aclip is able to harness the API to both send data and receive commands – with system data, screenshots, and files sent to an attacker-controlled Slack channel. 

Overall, three separate channels were used by the backdoor to quietly exfiltrate information. Once installed and executed, the backdoor collected basic system data including hostnames, usernames, and IP addresses which were then sent to the first Slack channel after encryption. 

The second channel was utilized to check for commands to execute, and the results of these commands – such as file uploads – were then sent to the third Slack workspace. 

While a new backdoor, Aclip is not the only malware known to abuse Slack – which should be of note to enterprise teams as the tool is valuable for those now often working from home or in hybrid setups. Golang-based Slack C2bot also leverages the Slack API to facilitate C2 communications, and the SLUB backdoor uses authorized tokens to talk to its C2 infrastructure.

In a statement, Slack said, "We investigated and immediately shut down the reported Slack Workspaces as a violation of our terms of service."

"We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards