The previously unknown malware is part of a 'watering hole', a type of attack that involves compromising a website that's likely to be visited by an intended target group.
The unnamed website in question would be of interest to people interested in "political activities", according to Trend Micro, which says this campaign kicked off in late February.
The compromised site bumped each visitor just once to a malicious page that exploited CVE-2018-8174, a remote-code execution VBScript engine flaw that can be exploited via Internet Explorer.
Microsoft patched the bug in May 2018, so any visitor running Windows without that patch may have been infected with 'Slub', Trend Micro's name for the malware, chosen because the attacker relies on Slack and GitHub (SLack and githUB) to communicate with and steal data from an infected PC.
Trend Micro notes that once a target is infected, the initial malware downloads another set of files containing Slub, which then checks for the presence of antivirus software.
If any is detected, it simply leaves, which appears to have kept it below the radar of every antivirus product until now, according to Trend Micro.
The malware also exploits an even older Windows bug, CVE-2015-1705, a win32k.sys local elevation of privilege flaw that was found to be useful by targeted attackers because it could be used to bypass a Windows application's sandbox.
Once a machine has been fully compromised, the backdoor checks 'gist' snippets hosted on GitHub for commands and then reports back to a private Slack channel controlled by the attacker.
The infected machine also uploads targeted files to the file.io file-sharing website, from which the attacker picks up the stolen files.
Slub actors have a "strong interest in person-related information, with a special focus on communication software", according to Trend Micro researchers.
The backdoor contains commands to compress the target's desktop folder and steal it. It also creates a file containing the file tree of the user's desktop. It seeks out offline data stored in Skype, as well as information about the user's habits on Twitter, KakaoTalk and BBS. Finally, it copies all .hwp files, the extension used by a Korean word-processing app.
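From the defender's side, the behaviour described above (one host fetching GitHub gists for commands, reporting to Slack and uploading to file.io) leaves a correlatable trace in web-proxy logs. The script below is an added example, not code from Trend Micro or the article; the log format, the 10-minute window and the client addresses are assumptions.

```python
# Added example (not from the article): correlate proxy-log lines for the
# gist -> Slack -> file.io pattern. Assumed log format (constructed):
# 'timestamp client method host bytes_out'; correlation window 10 minutes.
from collections import defaultdict
from datetime import datetime, timedelta

# Service families named in the article, matched by exact host or parent domain.
SERVICES = {
    "gist": ("gist.github.com", "gist.githubusercontent.com"),
    "slack": ("slack.com",),
    "fileio": ("file.io",),
}
WINDOW = timedelta(minutes=10)

def classify(host):
    """Return the service family a hostname belongs to, or None."""
    for family, suffixes in SERVICES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return family
    return None

def find_suspicious_clients(lines):
    """Clients that touched all three families within WINDOW (file.io only
    counts when the request was an upload: POST with a body)."""
    events = defaultdict(list)  # client -> [(timestamp, family)]
    for line in lines:
        ts, client, method, host, bytes_out = line.split()
        family = classify(host)
        if family == "fileio" and not (method == "POST" and int(bytes_out) > 0):
            family = None  # a plain download from file.io is not exfiltration
        if family is not None:
            events[client].append((datetime.fromisoformat(ts), family))
    hits = set()
    for client, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {fam for ts, fam in evs[i:] if ts - start <= WINDOW}
            if seen == set(SERVICES):
                hits.add(client)
                break
    return sorted(hits)

# Constructed sample: 10.0.0.5 shows the full chain; 10.0.0.9 is ordinary
# developer traffic (reads a gist, opens Slack, downloads from file.io).
SAMPLE_LOG = [
    "2019-03-01T10:00:00 10.0.0.5 GET gist.githubusercontent.com 0",
    "2019-03-01T10:00:05 10.0.0.5 POST hooks.slack.com 412",
    "2019-03-01T10:04:30 10.0.0.5 POST file.io 218344",
    "2019-03-01T10:01:00 10.0.0.9 GET gist.github.com 0",
    "2019-03-01T10:02:00 10.0.0.9 GET app.slack.com 0",
    "2019-03-01T10:03:00 10.0.0.9 GET file.io 0",
]
```

Running `find_suspicious_clients(SAMPLE_LOG)` flags only 10.0.0.5; in a real deployment the three services are legitimate in isolation, so the value is in the combination and the short window, not in blocking any one of them.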
Trend Micro says it informed the Canadian Centre for Cyber Security, which worked with the owner of the watering-hole site to remove the redirect malware.
Slack has since shut down the Slack workspace that was being used by the attacker, as a violation of its terms of service. GitHub has also removed the files from its service.
"Our investigation makes us believe with strong confidence that it was part of a possible targeted attack campaign," Trend Micro researchers said.
"The attackers also appear to be professionals, based on their way of handling their attack. They only use public third-party services and therefore did not need to register any domains or anything else that could leave a trail.
"The few email addresses we found during the investigation were also using trash email systems, giving the attackers a clean footprint. Finally, the watering hole chosen by the attackers can be considered interesting for those who follow political activities, which might give a glimpse into the nature of the groups and individuals that the attackers are targeting."