A threat group targeted an unnamed Asian airline with a previously unknown backdoor that abused a feature of Slack to obfuscate its operational communication, according to a new report. Researchers linked the activity to ITG17 (also known as MuddyWater), an Iran-linked nation-state group known for targeting governments, primarily in the Middle East and South Asia, for espionage purposes.
Though researchers first observed the cyberattack in March, the malicious activity tracks back to October 2019, when the backdoor was first deployed. The backdoor, named “Aclip,” is written in the PowerShell scripting language. To receive commands and send data, it used legitimate functionality in the Slack messaging Application Programming Interface (API), which lets developers build apps and services that integrate with the messaging platform. Here, the attackers created a workspace and channels where they could receive system information from the backdoor, including requested files and screenshots, and post commands to it.
“The threat actor employed a variety of techniques to maintain access to the environment to avoid detection, including the abuse of legitimate services such as Slack through the use of the Aclip backdoor,” said Richard Emerson, senior analyst with IBM X-Force Threat Intelligence. “The threat actor leveraged compromised credentials to VPN into the environment, tunneled remote access tool traffic over non-standard ports, and had redundant access to the environment through the use of web shells on different servers, in case their other methods of access were discovered. Their job of maintaining access also got easier when they obtained domain admin privileges in the environment.”
It’s unclear whether the attackers were able to successfully exfiltrate data from the airline. However, researchers said that shortly after the attack was discovered, files with the name “reservation management” were found on the threat actor’s command-and-control (C2) server. This could indicate that reservation data was accessed and that surveillance was a motivation for the attackers, said Melisa Frydrych, researcher with IBM X-Force.
“If Iranian-sponsored actors have targeted and obtained data associated with flight reservations, the information could furnish Tehran’s decision makers with actionable and accurate data, potentially aiding in the tracking and interdiction of targeted individuals,” said Frydrych. “Also, at the time of the incident, Iran maintained thousands of advisors in conflict areas, and information about the movement of people may have helped to understand individuals who may seek to challenge Iran’s influence.”
While researchers said it’s unclear how the adversary gained initial access to the victim organization, the Aclip backdoor was initially downloaded by a Windows batch script (“aclip.bat”). The script was added to the Windows Registry Run key for persistence, so that it would launch at system startup. Researchers found that the backdoor is capable of receiving and running additional PowerShell commands, including taking screenshots and uploading stolen files. Once executed, the backdoor would collect system data (hostname, username and external IP address, for instance) before sending the encrypted data to the Slack channel using the chat.postMessage API call.
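The two behaviours described above, a scripting host posting directly to the Slack Web API and a Run key that launches a batch file, are both things a defender can hunt for in existing telemetry. The following Python is an added example, not code from the report or from IBM X-Force; the proxy-log format, the Run-key values and the process names are constructed for illustration, and the Slack method names other than chat.postMessage are real Web API methods but are not mentioned in the article.

```python
"""Hunt for Slack Web API beaconing by scripting hosts and batch-file Run-key persistence."""
import re
from collections import Counter

# Any call to the Slack Web API; the article names chat.postMessage specifically.
SLACK_API = re.compile(r"https?://slack\.com/api/([\w.]+)", re.I)
# Processes that have no business calling the Slack Web API directly (assumed baseline).
SUSPECT_PROCS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def find_slack_api_beacons(proxy_lines):
    """Return sorted (process, api_method, count) tuples for suspect processes hitting the API."""
    hits = Counter()
    for line in proxy_lines:
        # Constructed log format: "<timestamp> proc=<image> url=<url> status=<code>"
        m = re.search(r"proc=(\S+)\s+url=(\S+)", line)
        if not m:
            continue
        proc, url = m.group(1).lower(), m.group(2)
        api = SLACK_API.search(url)
        if api and proc in SUSPECT_PROCS:
            hits[(proc, api.group(1))] += 1
    return sorted((proc, method, n) for (proc, method), n in hits.items())


def find_bat_run_keys(run_key_values):
    """Flag Run-key value names whose command launches a .bat file, as the Aclip dropper did."""
    return [name for name, cmd in run_key_values.items() if re.search(r"\.bat\b", cmd, re.I)]


# Constructed sample telemetry; not taken from the incident.
PROXY_LOG = [
    "2021-03-02T09:00:01 proc=chrome.exe url=https://slack.com/api/chat.postMessage status=200",
    "2021-03-02T09:00:05 proc=powershell.exe url=https://slack.com/api/chat.postMessage status=200",
    "2021-03-02T09:05:05 proc=powershell.exe url=https://slack.com/api/chat.postMessage status=200",
    "2021-03-02T09:05:09 proc=powershell.exe url=https://slack.com/api/files.upload status=200",
    "2021-03-02T09:06:00 proc=outlook.exe url=https://outlook.office.com/mail status=200",
]
RUN_KEY = {  # constructed HKCU\...\CurrentVersion\Run values
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Updater": r"C:\Users\u\AppData\Roaming\aclip.bat",
}

if __name__ == "__main__":
    print(find_slack_api_beacons(PROXY_LOG))  # [('powershell.exe', 'chat.postMessage', 2), ('powershell.exe', 'files.upload', 1)]
    print(find_bat_run_keys(RUN_KEY))         # ['Updater']
```

A browser calling the Slack API is expected (the Slack web client), which is why the first sample line is not flagged; the interesting signal is the process making the call, not the destination.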
“Aclip bears some high-level similarities with other tools developed by ITG17,” said Emerson. “This group has employed other PowerShell-based tools, and they have been known to abuse other legitimate services to host malicious payloads, so the use of Slack for C2 was new albeit not surprising given ITG17's history.”
Because Slack is a legitimate platform widely used in corporate environments, the attackers were able to blend their malware traffic with normal activity to avoid detection. Frydrych noted that attackers have previously leveraged Slack as a means of communication, as seen with the SlackShell and SLUB backdoors and the C2Bot malware.
“These features make them compelling assets to adversaries who use them for communication and collaboration in their malicious operations,” said Frydrych. “The ability to obfuscate malicious traffic using legitimate tools is not new, but the widespread use of tools such as Slack creates more opportunity for stealth.”
In a statement, Slack encouraged people to review and enforce basic security measures, such as two-factor authentication (2FA): “We investigated and immediately shut down the reported Slack Workspaces as a violation of our terms of service,” according to Slack. “We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service.”
The victimology here fits a broader pattern of Iranian state-sponsored threat groups targeting airlines and other players in the transportation sector since 2017. Other threat actors targeting these types of organizations include the Iranian state-sponsored group Hive0016 (which shares campaign overlaps with APT33, Elfin and Magnallium, according to X-Force researchers) and the threat group ITG07 (also known as Chafer or APT39).
“X-Force has previously observed instances wherein multiple Iranian threat actors gained illegal access to the same victim(s), including ITG17,” said Frydrych. “This precedent, coupled with the length of the intrusion, resultant gaps in the data record, and outstanding questions concerning initial access and objectives, means that X-Force cannot rule out the possibility that additional threat actors might have been involved in this operation.”