Researchers at Trend Micro say they've found new malware that uses Slack channels, GitHub, and the file.io file-sharing site to steal data from Windows PCs.
The previously unknown malware is part of a 'watering hole', a type of attack that involves compromising a website that's likely to be visited by an intended target group.
The unnamed website would appeal to people interested in "political activities", according to Trend Micro, which says this campaign kicked off in late February.
The compromised site redirected each visitor just once to a malicious page that exploited CVE-2018-8174, a remote code execution flaw in the VBScript engine that can be exploited via Internet Explorer.
Microsoft patched the bug in May 2018, so any visitors running Windows without that patch may have been infected with 'Slub'. That is Trend Micro's name for the malware, coined because the attacker relies on Slack and GitHub (SLack and githUB) to communicate with and steal data from an infected PC.
Trend Micro notes that once a target is infected, the initial malware downloads another set of files containing Slub, which then checks for the presence of antivirus software.
If any is detected, it simply exits, and this appears to have kept it below the radar of any antivirus product until now, according to Trend Micro.
The malware also exploits an even older Windows bug, CVE-2015-1705, a win32k.sys local elevation of privilege flaw that was found to be useful by targeted attackers because it could be used to bypass a Windows application's sandbox.
Once a machine has been fully compromised, the backdoor uses a private Slack channel to check commands taken from 'gist' snippets hosted on GitHub, and then sends the commands to a private Slack channel controlled by the attacker.
The infected machine also uploads targeted files to the file.io file-sharing website, from which the attacker picks up the stolen files.
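An added detection example, not taken from Trend Micro's report or this article: it flags any non-allowlisted process that reaches Slack, a GitHub gist host and file.io within a short window, the three-service pattern described above. The log format, hostnames, process names, allowlist and 15-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed hostnames for the three services the article names.
SERVICES = {"slack": ("slack.com",), "gist": ("gist.github.com",), "fileio": ("file.io",)}
# Assumed allowlist of clients that legitimately talk to these services.
ALLOWED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "slack.exe"}

# Constructed sample endpoint network events: "ISO-time host process destination"
SAMPLE_EVENTS = """\
2019-03-01T09:00:05 PC-017 chrome.exe gist.github.com
2019-03-01T09:02:00 PC-042 helper.exe gist.github.com
2019-03-01T09:02:07 PC-042 helper.exe slack.com
2019-03-01T09:06:30 PC-042 helper.exe file.io
2019-03-01T09:03:00 PC-051 updater.exe slack.com
2019-03-01T13:30:00 PC-051 updater.exe file.io
2019-03-01T18:45:00 PC-051 updater.exe gist.github.com
"""

def classify(domain):
    """Map a destination to a service name, matching the domain or any subdomain."""
    domain = domain.lower().rstrip(".")
    for service, suffixes in SERVICES.items():
        if any(domain == s or domain.endswith("." + s) for s in suffixes):
            return service
    return None

def find_tri_service_processes(log_text, window=timedelta(minutes=15)):
    """Return sorted (host, process) pairs where one non-allowlisted process
    contacted all three services within `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, host, proc, dest = parts
        service = classify(dest)
        if service and proc.lower() not in ALLOWED_CLIENTS:
            events[(host, proc.lower())].append((datetime.fromisoformat(ts), service))
    hits = []
    for key, seen in events.items():
        seen.sort()  # chronological order, so each index can start a window
        if any({s for t, s in seen[i:] if t - seen[i][0] <= window} == set(SERVICES)
               for i in range(len(seen))):
            hits.append(key)
    return sorted(hits)

if __name__ == "__main__":
    print(find_tri_service_processes(SAMPLE_EVENTS))
```

Process names can be spoofed, so the allowlist only reduces noise; a hit is a lead for triage, not a verdict.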
Slub actors have a "strong interest in person-related information, with a special focus on communication software", according to Trend Micro researchers.
The backdoor contains commands to compress the target's desktop folder and steal it. It also creates a file containing the file tree of the user's desktop. And it seeks out offline data stored in Skype, as well as information about the user's habits on Twitter, KakaoTalk, and BBS. Finally, it copies all .hwp files, the extension used by a Korean word-processing app.
Trend Micro says it informed the Canadian Centre for Cyber Security, which worked with the owner of the watering-hole site to remove the redirect malware.
Slack has since shut down the Slack Workspace that was being used by the attacker as a violation of its terms of service. GitHub has also removed the files from its service.
"Our investigation makes us believe with strong confidence that it was part of a possible targeted attack campaign," Trend Micro researchers said.
"The attackers also appear to be professionals, based on their way of handling their attack. They only use public third-party services and therefore did not need to register any domains or anything else that could leave a trail.
"The few email addresses we found during the investigation were also using trash email systems, giving the attackers a clean footprint. Finally, the watering hole chosen by the attackers can be considered interesting for those who follow political activities, which might give a glimpse into the nature of the groups and individuals that the attackers are targeting."