New SLUB Backdoor Uses GitHub, Communicates via Slack
(Mar 7, 2019)
Trend Micro researchers have observed a watering hole attack that exploits a VBScript engine vulnerability, CVE-2018-8174, to infect users with the "SLUB" backdoor. Once a user is infected, a multi-stage infection process begins: it first checks which antivirus software is running on the machine and exits if it finds one of seven specific antivirus processes. If none is found, the downloader attempts to exploit the Windows vulnerability CVE-2015-1701 to obtain local privilege escalation. The final payload is the "SLUB" backdoor, which uses both Slack and GitHub to communicate with its Command and Control (C2) server and receive commands.
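The brief's most actionable detail for defenders is the C2 channel: a backdoor that talks to Slack and GitHub blends into legitimate traffic unless you ask which process is making the connection. The following Python script is an added example, not code from the Trend Micro report or from this brief: it parses constructed Sysmon-style network-connection records (timestamp, image name, destination host, port), ignores allowlisted browsers and Slack/Git clients, and flags every other process reaching Slack or GitHub domains. The log format, the allowlist, and the sample lines are all assumptions for illustration; the higher-signal `processes_using_both` check mirrors the brief's description of SLUB using both services.

```python
"""Flag non-allowlisted processes that connect to Slack or GitHub endpoints.

Added example (not from the Trend Micro report or this brief). The log
format, process allowlist and sample lines are constructed; adapt the parser
to your own EDR or Sysmon export.
"""
import re
from collections import defaultdict

# Registered domains the brief associates with SLUB's C2 channel. Matching on
# the registered domain covers api.slack.com, raw.githubusercontent.com, etc.
WATCHED_DOMAINS = ("slack.com", "github.com", "githubusercontent.com")

# Processes expected to talk to these services. Assumption: tune this list to
# the software actually deployed in your environment.
ALLOWED_IMAGES = {
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "slack.exe", "git.exe", "github desktop.exe",
}

# Constructed Sysmon-like "network connection" records, one per line:
# <timestamp> <image> <dest_host> <dest_port>
SAMPLE_LOG = """\
2019-03-07T10:01:02Z chrome.exe api.slack.com 443
2019-03-07T10:01:09Z slack.exe files.slack.com 443
2019-03-07T10:02:15Z wscript.exe api.slack.com 443
2019-03-07T10:02:16Z wscript.exe raw.githubusercontent.com 443
2019-03-07T10:03:40Z svchost.exe ctldl.windowsupdate.com 80
2019-03-07T10:04:01Z updater.exe api.github.com 443
2019-03-07T10:04:02Z updater.exe api.slack.com 443
"""

# Lazy middle group lets image names contain spaces ("github desktop.exe").
LINE_RE = re.compile(r"^(\S+)\s+(.+?)\s+(\S+)\s+(\d+)$")


def parse_line(line):
    """Return (timestamp, image, host, port) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, image, host, port = m.groups()
    return ts, image.lower(), host.lower(), int(port)


def watched_domain(host):
    """Return the watched registered domain that `host` belongs to, or None."""
    for d in WATCHED_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def find_suspicious(log_text):
    """Return (image, host) pairs for non-allowlisted processes contacting
    Slack or GitHub, deduplicated and in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, image, host, _port = rec
        if watched_domain(host) is None or image in ALLOWED_IMAGES:
            continue
        key = (image, host)
        if key not in seen:
            seen.append(key)
    return seen


def processes_using_both(log_text):
    """Higher-signal check: processes that, like SLUB, touch both Slack and
    GitHub. Returns a sorted list of image names."""
    domains = defaultdict(set)
    for image, host in find_suspicious(log_text):
        domains[image].add(watched_domain(host))
    return sorted(
        img for img, ds in domains.items()
        if "slack.com" in ds
        and ("github.com" in ds or "githubusercontent.com" in ds)
    )


if __name__ == "__main__":
    for image, host in find_suspicious(SAMPLE_LOG):
        print(f"suspicious: {image} -> {host}")
    print("both channels:", processes_using_both(SAMPLE_LOG))
```

On the constructed sample, `wscript.exe` (the kind of script host a VBScript exploit would leave running) and `updater.exe` are flagged, while `chrome.exe` and `slack.exe` are not. Treat the single-domain hits as triage leads and the both-channels hits as the ones worth opening an incident on; an allowlist alone is weak evidence, so pair this with the IOCs referenced below.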
Recommendation: Many campaigns rely on known vulnerabilities in the Windows operating system. Always keep your systems patched with the latest fixes from Microsoft, which typically releases new security fixes on the second Tuesday of each month ("Patch Tuesday"). Users should have updates installed automatically so they do not forget or delay installing these critical patches when they become available. Put update policies in place for users of Windows, Mac, and Linux.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.