Nation State Threat Group Targets Airline with Aclip Backdoor


In March 2021, IBM Security X-Force observed an attack on an Asian airline that we assess was likely carried out by a state-sponsored adversary using a new backdoor that utilizes Slack. The adversary leveraged free workspaces on Slack, a legitimate messaging and collaboration application, likely to obfuscate operational communications by allowing malicious traffic, or traffic with underlying malicious intent, to go unnoticed. It is unclear whether the adversary successfully exfiltrated data from the victim environment, though files found on the threat actor’s command and control (C2) server suggest they may have accessed reservation data.


While it was clear that a threat actor leveraged free workspaces on Slack in this attack, the tools, tactics and infrastructure observed on the network from 2019 to 2021 lead us to assess with moderate confidence that the network was compromised by the threat actor we track as ITG17 (aka MuddyWater), a suspected Iranian nation-state group.


The malicious activity was noted in early October 2019 and likely started with the deployment of a backdoor written in the PowerShell scripting language, which X-Force named ‘Aclip’. Aclip conducts C2 through the Slack messaging Application Programming Interface (API), using it to receive commands and send data. X-Force also observed malicious activity on the network prior to 2019; however, because that activity was disparate, we could not determine whether it was related.
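Because Aclip receives commands and sends data over the Slack API, the defender's question is how to spot that traffic when Slack is also in legitimate use. The following script is an added illustration and is not code from the X-Force report or from the Aclip malware: it scans endpoint/proxy records (constructed sample lines in an assumed key=value layout) and flags Slack API calls made by scripting hosts such as PowerShell rather than by expected Slack clients, with an extra reason when a single `files.upload` request carries a large outbound payload. The process allowlist, the scripting-host list, the 1 MiB threshold and the Slack API method names used in the sample are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample of endpoint/proxy log lines (not records from the incident).
# Layout is assumed: timestamp, host, process image, destination, URL path, bytes sent.
SAMPLE_LOG = """\
2021-03-02T10:14:22Z host=WS-114 proc=slack.exe dst=slack.com path=/api/conversations.history bytes_out=412
2021-03-02T10:14:31Z host=WS-114 proc=powershell.exe dst=slack.com path=/api/conversations.history bytes_out=398
2021-03-02T10:16:05Z host=WS-114 proc=powershell.exe dst=slack.com path=/api/chat.postMessage bytes_out=1207
2021-03-02T10:18:40Z host=WS-114 proc=powershell.exe dst=slack.com path=/api/files.upload bytes_out=4194304
2021-03-02T10:20:02Z host=WS-201 proc=chrome.exe dst=slack.com path=/api/conversations.list bytes_out=510
2021-03-02T10:21:17Z host=WS-114 proc=powershell.exe dst=update.contoso.example path=/feed bytes_out=220
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"path=(?P<path>\S+) bytes_out=(?P<bytes_out>\d+)$"
)

# Processes expected to talk to the Slack API in this (assumed) environment.
EXPECTED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Scripting hosts that rarely have a legitimate reason to call the Slack API directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Outbound size above which a single files.upload call is worth a second look (assumed).
UPLOAD_THRESHOLD = 1 << 20  # 1 MiB


@dataclass
class Finding:
    ts: str
    host: str
    proc: str
    path: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one key=value record; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_slack_api_use(lines: Iterable[str]) -> List[Finding]:
    """Flag Slack API requests that originate from processes other than known Slack clients."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        # Only Slack API traffic is in scope for this check.
        if rec is None or rec["dst"] != "slack.com" or not rec["path"].startswith("/api/"):
            continue
        proc = rec["proc"].lower()
        if proc in EXPECTED_SLACK_CLIENTS:
            continue
        reasons = []
        if proc in SCRIPT_HOSTS:
            reasons.append("scripting host calling Slack API")
        else:
            reasons.append("unexpected process calling Slack API")
        # A scripted, large upload is the pattern that would matter for data exfiltration.
        if rec["path"].endswith("files.upload") and int(rec["bytes_out"]) >= UPLOAD_THRESHOLD:
            reasons.append("large file upload")
        findings.append(Finding(rec["ts"], rec["host"], rec["proc"], rec["path"], "; ".join(reasons)))
    return findings


def affected_hosts(findings: List[Finding]) -> List[str]:
    """Distinct hosts with at least one finding, for triage prioritisation."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    results = find_suspicious_slack_api_use(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.ts} {f.host} {f.proc} {f.path}: {f.reason}")
    print("hosts to triage:", affected_hosts(results))
```

The check deliberately keys on the originating process rather than on the destination alone, because blocking or alerting on slack.com itself is not workable where Slack is sanctioned; pairing the destination with the process image and the request size is what separates a backdoor's channel from ordinary collaboration traffic in the sample above.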


IBM Security X-Force has followed responsible disclosure protocols and notified appropriate entities regarding this operation.


In response to this discovery, Slack stated:


As detailed in this post, IBM X-Force has discovered, and is actively tracking, a third party that is attempting to use targeted malware leveraging free workspaces in Slack. As part of the X- ..
