SLUB is delivered via a watering hole attack using a multi-stage infection scheme. Malicious websites drop and execute a DLL file on the devices of visitors by exploiting a VBScript engine vulnerability, CVE-2018-8174. This DLL first checks for certain anti-virus processes on the system, terminating itself if any are present, before exploiting a second vulnerability to escalate its privileges. It then downloads and installs the primary SLUB payload.
Once installed, SLUB will add new registry keys to maintain persistence before downloading its commands from a specific gist snippet. By default, SLUB has the following capabilities, although it appears to be able to load other modules for enhanced functionality:
- List and terminate processes.
- Download and execute commands.
- Download, list, copy, transfer, delete or execute files.
- Create and delete directories.
- Read, write or query registry keys.
- Take screenshots.
The results of any commands, including downloaded files or screenshots, are posted by SLUB to a private Slack workspace using a pair of embedded API tokens.
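The command-and-control flow described above (commands pulled from a gist, results pushed to Slack through the API) is unusual for anything other than a browser or the Slack client, which makes it a useful correlation rule for a defender. The following Python is an added illustration, not code from the original report: it parses constructed proxy log lines in an assumed `<time> <host> <process> <method> <url>` format and raises an alert when a process outside an assumed allowlist fetches a gist and then POSTs to the Slack API within a short window. Hostnames, process names and the time window are assumptions for the example.

```python
"""Correlate outbound proxy logs for the gist-then-Slack C2 pattern.

Added example: the log format, process allowlist and sample lines below are
constructed for illustration and are not artifacts taken from SLUB samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Domains involved in the described C2 flow (commands in, results out).
GIST_HOSTS = {"gist.github.com", "gist.githubusercontent.com"}
SLACK_API_HOSTS = {"slack.com", "api.slack.com", "files.slack.com"}

# Processes for which gist and Slack traffic is expected (assumed allowlist).
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "slack.exe"}

# Constructed sample log lines: "<ISO time> <host> <process> <method> <url>"
SAMPLE_LOG = """\
2019-03-01T10:00:01 ws-017 chrome.exe GET https://gist.github.com/someuser/abc123
2019-03-01T10:00:05 ws-017 chrome.exe POST https://slack.com/api/chat.postMessage
2019-03-01T10:02:10 ws-042 rundll32.exe GET https://gist.githubusercontent.com/x/raw/cmds.txt
2019-03-01T10:02:44 ws-042 rundll32.exe POST https://slack.com/api/files.upload
2019-03-01T10:05:00 ws-099 svchost.exe GET https://gist.github.com/other/def456
2019-03-01T12:30:00 ws-099 svchost.exe POST https://slack.com/api/chat.postMessage
"""


def parse_line(line):
    """Split one log line into its fields; the URL may contain spaces-free paths only."""
    ts, host, proc, method, url = line.split(maxsplit=4)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "proc": proc.lower(),
        "method": method.upper(),
        "domain": (urlparse(url).hostname or "").lower(),
        "url": url,
    }


def find_slub_pattern(log_text, window_minutes=30):
    """Return one alert per (host, process) that fetches a gist and then POSTs
    to the Slack API within `window_minutes`, excluding allowlisted processes."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            events[(e["host"], e["proc"])].append(e)

    alerts = []
    for (host, proc), evs in events.items():
        if proc in EXPECTED_PROCESSES:
            continue
        evs.sort(key=lambda e: e["ts"])
        gist_times = [e["ts"] for e in evs if e["domain"] in GIST_HOSTS]
        for e in evs:
            if e["domain"] in SLACK_API_HOSTS and e["method"] == "POST":
                # Alert only if a gist fetch preceded the Slack POST within the window.
                if any(timedelta(0) <= (e["ts"] - g) <= window for g in gist_times):
                    alerts.append({
                        "host": host,
                        "process": proc,
                        "slack_url": e["url"],
                        "at": e["ts"].isoformat(),
                    })
                    break  # one alert per host/process pair is enough
    return alerts


if __name__ == "__main__":
    for alert in find_slub_pattern(SAMPLE_LOG):
        print(f"ALERT {alert['host']} {alert['process']} -> {alert['slack_url']} at {alert['at']}")
```

On the constructed sample, the browser traffic from `ws-017` is ignored by the allowlist, `ws-042` is flagged because `rundll32.exe` fetched a gist and posted to Slack 34 seconds later, and `ws-099` is not flagged with the default 30-minute window because its Slack POST comes more than two hours after the gist fetch. The window is a tuning knob: widening it trades more false positives for catching implants that poll slowly.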
For further information:
Indicators of Compromise
SHA256 File Hashes