Windows malware: Slub taps Slack, GitHub to steal your info

Slub malware operated without a single domain, exclusively using third-party services that leave little evidence.
Written by Liam Tung, Contributing Writer

Researchers at Trend Micro say they've found new malware that uses Slack channels, GitHub, and the file.io file-sharing site to steal data from Windows PCs. 

The previously unknown malware is part of a 'watering hole', a type of attack that involves compromising a website that's likely to be visited by an intended target group. 

The unnamed website in question would be of interest to people interested in "political activities", according to Trend Micro, which says this campaign kicked off in late February. 

The compromised site bumped each visitor just once to a malicious page that exploited CVE-2018-8174, a remote-code execution VBScript engine flaw that can be exploited via Internet Explorer. 

Microsoft patched the bug in May 2018, so any visitors running Windows without that patch may have been infected with 'Slub', Trend Micro's name for the malware, since the attacker relies on Slack and GitHub (SLack and githUB) to communicate with and steal data from an infected PC.

Trend Micro notes that once a target is infected, the initial malware downloads another set of files containing Slub, which then checks for the presence of antivirus software. 

If any is detected, it simply leaves and this appears to have kept it below the radar of any antivirus product until now, according to Trend Micro. 

The malware also exploits an even older Windows bug, CVE-2015-1705, a win32k.sys local elevation of privilege flaw that was found to be useful by targeted attackers because it could be used to bypass a Windows application's sandbox. 

Once a machine has been fully compromised, the backdoor uses a private Slack channel to check commands taken from 'gist' snippets hosted on GitHub, and then sends the commands to a private Slack channel controlled by the attacker.   

The infected machine also uploads targeted files to the file.io file-sharing website, from which the attacker picks up the stolen files.  

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Slub actors have a "strong interest in person-related information, with a special focus on communication software", according to Trend Micro researchers. 

The backdoor contains commands to compress the target's desktop folder and steal it. It also create a file containing the file tree of the user's desktop. And it seeks out offline data stored in Skype, as well as information about the user habits on Twitter, KakaoTalk, and BBS. Finally, it copies all .hwp files, the extension used by a Korean word-processing app.    

Trend Micro says it informed Canadian Centre for Cyber Security, which worked with the owner of the watering-hole site to remove the redirect malware. 

Slack has since shutdown the Slack Workspace that was being used by the attacker as a violation of its terms of service. GitHub has also removed the files from its service. 

"Our investigation makes us believe with strong confidence that it was part of a possible targeted attack campaign," Trend Micro researchers said

"The attackers also appear to be professionals, based on their way of handling their attack. They only use public third-party services and therefore did not need to register any domains or anything else that could leave a trail.

"The few email addresses we found during the investigation were also using trash email systems, giving the attackers a clean footprint. Finally, the watering hole chosen by the attackers can be considered interesting for those who follow political activities, which might give a glimpse into the nature of the groups and individuals that the attackers are targeting."


Trend Micro has identified the infection chain used by the Slub malware. 

Image: Trend Micro

Previous and related coverage

All Intel chips open to new Spoiler non-Spectre attack: Don't expect a quick fix

Researchers say Intel won't be able to use a software mitigation to fully address the problem Spoiler exploits.

Microsoft security chief: IE is not a browser, so stop using it as your default

Internet Explorer is a 'compatibility solution' and should only be used selectively, warns Microsoft exec.

Google: Chrome zero-day was used together with a Windows 7 zero-day

Google reveals Windows 7 zero-day. Microsoft is working on a fix.

The Windows 10 security guide: How to safeguard your business

How do you configure Windows 10 PCs to avoid common security problems? There's no software magic bullet, unfortunately, and the tools are different for small businesses and enterprises. Here's what to watch out for.

Microsoft makes final push to rid world of Internet Explorer 10

Enterprise customers running Windows Server 2012 have one year to change from IE10 to IE11.

How virtualisation is changing Windows application security TechRepublic

Sandboxes, minimal processes, Hyper-V containers, Device Guard: virtualisation delivers a lot more than VMs in modern Windows.

7 security tips to stop apps from stealing your data CNET

We asked data privacy experts how to protect your personal information when downloading and using apps on your phone.

Editorial standards