SLUB Malware Description
The SLUB Malware is a backdoor threat written in C++. Its name comes from the combination of Slack and GitHub, both legitimate services that were abused by the threat as part of its Command-and-Control infrastructure. SLUB abuses various vulnerabilities as its attack vector to gain access to the targeted computers. The attack chain is complex, involving multiple stages and payloads.
After successfully exploiting a vulnerability to gain initial access, a DLL file functioning as a loader is dropped onto the compromised device. This first-stage downloader is then run through PowerShell to deliver the actual SLUB Malware payload. The loader also checks for anti-malware programs installed on the targeted device by comparing what it finds against a predefined list. If a match is found, the malware stops its execution.
Once fully deployed, the SLUB Malware gives the hackers significant control over the device. They can then issue arbitrary commands to perform a wide range of threatening activities. SLUB can take screenshots, manipulate the file system, execute commands, list and terminate processes, and modify the computer's Registry.
SLUB Ditches Slack and GitHub and Now Exploits Mattermost
The latest SLUB version, deployed in a watering-hole-style campaign, no longer uses Slack or GitHub in its C2 structure. Instead, the hackers chose to abuse an open-source online chat service called Mattermost. The chat service is used to keep track of the SLUB campaign by creating a separate channel for each infected victim.
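The one-channel-per-victim C2 pattern described above leaves a network-side footprint a defender can hunt for: several internal hosts all creating channels and posting messages against the same Mattermost server that the organisation does not itself use. The following is an added example, not code from the page or from any analysis of SLUB; it parses a few constructed proxy log lines (the hostnames, client names and the `SANCTIONED_MATTERMOST_HOSTS` allowlist are assumptions) and flags clients talking to unsanctioned servers over the public Mattermost REST API v4 paths for login, channel creation and posting.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: Mattermost servers the organisation legitimately uses.
SANCTIONED_MATTERMOST_HOSTS = {"chat.corp.example"}

# Paths from the public Mattermost REST API v4 that a client hits when it logs in,
# creates a channel and posts a message.
MATTERMOST_API_PATTERNS = (
    re.compile(r"^/api/v4/users/login$"),
    re.compile(r"^/api/v4/channels(/|$)"),
    re.compile(r"^/api/v4/posts(/|$)"),
)

# Constructed proxy log lines: "<timestamp> <client_host> <method> <url>".
# The attacker-controlled server name is a placeholder, not a real indicator.
SAMPLE_PROXY_LOG = """\
2020-06-01T10:00:01Z WS-ALPHA POST https://chat.corp.example/api/v4/posts
2020-06-01T10:00:05Z WS-BRAVO GET https://www.example.net/index.html
2020-06-01T10:00:09Z WS-BRAVO POST https://mm.attacker-placeholder.example/api/v4/users/login
2020-06-01T10:00:10Z WS-BRAVO POST https://mm.attacker-placeholder.example/api/v4/channels
2020-06-01T10:00:11Z WS-BRAVO POST https://mm.attacker-placeholder.example/api/v4/posts
2020-06-01T10:00:12Z WS-CHARLIE POST https://mm.attacker-placeholder.example/api/v4/channels
2020-06-01T10:00:13Z WS-CHARLIE POST https://mm.attacker-placeholder.example/api/v4/posts
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one proxy log line into its fields; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    parsed = urlparse(url)
    return {"ts": ts, "client": client, "method": method,
            "server": parsed.hostname, "path": parsed.path}


def is_mattermost_api(path):
    """True if the request path is one of the Mattermost API v4 calls we care about."""
    return any(p.match(path) for p in MATTERMOST_API_PATTERNS)


def find_unsanctioned_mattermost_clients(log_text, sanctioned=SANCTIONED_MATTERMOST_HOSTS):
    """Return {client: {server: [api paths]}} for clients using Mattermost API
    calls against servers outside the sanctioned allowlist."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["server"] is None or rec["server"] in sanctioned:
            continue
        if is_mattermost_api(rec["path"]):
            findings[rec["client"]][rec["server"]].add(rec["path"])
    return {c: {s: sorted(paths) for s, paths in servers.items()}
            for c, servers in findings.items()}


def servers_with_channel_per_client(findings, min_clients=2):
    """Servers on which at least `min_clients` distinct internal hosts each
    created a channel: the one-channel-per-victim C2 pattern."""
    counts = defaultdict(int)
    for servers in findings.values():
        for server, paths in servers.items():
            if any(p.startswith("/api/v4/channels") for p in paths):
                counts[server] += 1
    return sorted(s for s, n in counts.items() if n >= min_clients)


if __name__ == "__main__":
    hits = find_unsanctioned_mattermost_clients(SAMPLE_PROXY_LOG)
    for client, servers in hits.items():
        print(client, servers)
    print("suspected C2 servers:", servers_with_channel_per_client(hits))
```

In production the allowlist would come from asset inventory and the log text from the proxy or NetFlow pipeline; the second function is the one worth alerting on, since a single host using an unknown Mattermost instance is often just shadow IT, while many hosts each opening their own channel on the same unknown instance is the behaviour the text describes.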
The goal of the hackers is to compromise legitimate websites and force them to host and distribute malware. The campaign involves five different C2 servers and exploits four new vulnerabilities. Chrome users are redirected to a weaponized proof-of-concept exploit for the CVE-2019-5782 Google Chrome vulnerability, as well as to a vulnerability that currently has no assigned designation. Through the exploits, three separate malware payloads are dropped onto the targeted computer, one of which is the SLUB Malware. While the Chrome side of the attack campaign uses shellcode, PowerShell is used instead when it comes to Internet Explorer. The abused vulnerability is, of course, also different: CVE-2020-0674.