SLUB Backdoor

First discovered in early 2019 by Trend Micro, SLUB is a modular C++-based backdoor that uses the GitHub Gist service and the Slack messaging application as part of its command-and-control infrastructure.

SLUB is delivered via a watering-hole attack using a multi-stage infection scheme. Malicious websites drop and execute a DLL file on visiting devices by exploiting a VBScript vulnerability, CVE-2018-8174. This DLL first checks for certain anti-virus processes on the system, terminating itself if any are present, before exploiting another vulnerability to escalate its privileges. It then downloads and installs the primary SLUB payload.

Once installed, SLUB adds new registry keys to maintain persistence before downloading its commands from a specific Gist snippet. By default, SLUB has the following capabilities, although it appears able to load other modules for enhanced functionality:

  • List and terminate processes.
  • Download and execute commands.
  • Download, list, copy, transfer, delete or execute files.
  • Create and delete directories.
  • Read, write or query registry keys.
  • Take screenshots.

The results of any commands, including downloaded files or screenshots, are posted by SLUB to a private Slack workspace using a pair of embedded API tokens.

For further information:

Indicators of Compromise

URLs and domains

  • kancc[.]org
  • gist.github[.]com/kancc14522/626a3a68a2cc2a91c1ece1eed7610c8a

SHA256 File Hashes

  • 3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7
  • 43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
