New backdoor SLUB uses watering hole attack to target victims

Researchers from Trend Micro recently discovered a new backdoor called ‘SLUB’ that propagates via watering hole attacks, a technique in which attackers observe the websites their targets visit frequently, identify vulnerabilities in those websites, and inject malicious code into them so that targets are infected when they visit.

The attackers exploited the VBScript engine vulnerability CVE-2018-8174, which Microsoft patched in May 2018. A successful exploit downloads a DLL and runs it via PowerShell; the DLL then downloads and runs a second executable that contains the SLUB backdoor. The downloader also exploits CVE-2015-1701 to obtain local privilege escalation.

The SLUB backdoor is reported to connect to Slack, a collaborative messaging platform. It scans for anti-virus software processes; if it detects none, it proceeds with the attack, otherwise it exits.

It adds a Run key to the Windows Registry so that it persists across reboots. It also downloads a Gist snippet in which the attackers store the commands the malware should execute on compromised computers. Each compromised computer executes the commands that are enabled in the Gist snippet, and the output of every command is sent to a private Slack channel using the embedded tokens.
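As an added, defender-side example (not part of the Trend Micro report or the original article), the following Python script implements a small hunting heuristic over constructed Sysmon-style event records, flagging a process that both writes a Run key for persistence and then contacts gist.github.com or slack.com, the behaviour chain described above. The event schema, the allow-list of expected clients and the sample events are all assumptions made for this example.

```python
# Added example: hunting heuristic for the SLUB behaviour chain (Run-key
# persistence followed by Gist/Slack traffic from an unexpected process).
# Event schema and sample data are constructed for this example, not real telemetry.
from collections import defaultdict

# Processes that legitimately talk to GitHub/Slack (assumed allow-list).
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "slack.exe"}
# Hosts the report associates with command retrieval and output exfiltration.
C2_HOSTS = {"gist.github.com", "slack.com"}
# Substring that identifies a Run-key write (compared case-insensitively).
RUN_KEY = "\\currentversion\\run\\"


def score_events(events):
    """Return {image_path: [hosts]} for processes that show both a Run-key
    write and outbound connections to Gist/Slack while not being a known client."""
    persistence = set()
    c2_hosts = defaultdict(set)
    for ev in events:
        image = ev["image"].lower()
        basename = image.rsplit("\\", 1)[-1]
        target = ev["target"].lower()
        if ev["type"] == "registry_set" and RUN_KEY in target:
            persistence.add(image)
        elif ev["type"] == "network" and target in C2_HOSTS:
            if basename not in EXPECTED_CLIENTS:
                c2_hosts[image].add(target)
    return {p: sorted(h) for p, h in c2_hosts.items() if p in persistence}


# Constructed sample events: one benign browser connection, one benign
# system process, and one unexpected process showing the full chain.
SAMPLE_EVENTS = [
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\chrome.exe", "target": "slack.com"},
    {"type": "registry_set", "image": r"C:\Users\u\AppData\Roaming\updater.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "network", "image": r"C:\Users\u\AppData\Roaming\updater.exe", "target": "gist.github.com"},
    {"type": "network", "image": r"C:\Users\u\AppData\Roaming\updater.exe", "target": "slack.com"},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe", "target": "update.microsoft.com"},
]

if __name__ == "__main__":
    for proc, hosts in score_events(SAMPLE_EVENTS).items():
        print(f"ALERT: {proc} wrote a Run key and contacted {', '.join(hosts)}")
```

Only the process that exhibits both behaviours is reported; a browser talking to Slack or a Run-key write alone does not raise an alert.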