Security researchers at Trend Micro have uncovered a new watering hole campaign, which they dubbed “Operation Earth Kitsune”, that uses a new variant of the SLUB malware. Previous versions of SLUB abused Slack and GitHub (hence the name SLUB); the new variant instead employs an open-source online chat service called Mattermost.
To compromise websites and use them to host malware, the attackers behind Operation Earth Kitsune used a total of five command and control (C&C) servers, seven samples, and a slew of RCE and EoP vulnerabilities, including CVE-2019-5782 (Google Chrome), CVE-2020-0674 (Internet Explorer), CVE-2016-0189 (Internet Explorer) and CVE-2019-1458 (Microsoft Windows).
The campaign was discovered when the researchers noticed that the Korean American National Coordinating Council (KANCC) website was redirecting visitors to the Hanseattle website, which, in turn, redirected users to malicious code exploiting the CVE-2019-5782 Google Chrome vulnerability.
In addition to SLUB, whose main goal was to exfiltrate system data, the hackers also deployed two new malware variants, dubbed dneSpy and agfSpy, that allowed them to gain additional control of the victim’s machine.
To keep track of its deployment, the new SLUB variant used Mattermost: the malware created a channel for each infected machine, with all communication using HTTP on port 443.
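As an added example (not from Trend Micro's report), a small Python detector over constructed proxy log lines that flags the traffic shape described above: Mattermost REST API calls (the `/api/v4/` path prefix Mattermost's API uses) carried as plaintext HTTP on port 443, plus a count of how many distinct clients create channels on the same server, which mirrors the one-channel-per-victim scheme. The log format, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the report): time, client, scheme, method, destination:port, path
SAMPLE_PROXY_LOG = """\
2020-10-19T10:01:02Z 10.0.0.12 https GET intranet.example.test:443 /index.html
2020-10-19T10:01:09Z 10.0.0.12 http POST chat.example-c2.test:443 /api/v4/channels
2020-10-19T10:01:11Z 10.0.0.12 http POST chat.example-c2.test:443 /api/v4/posts
2020-10-19T10:02:40Z 10.0.0.17 http POST chat.example-c2.test:443 /api/v4/channels
2020-10-19T10:03:00Z 10.0.0.20 https GET chat.example-c2.test:443 /api/v4/users/me
2020-10-19T10:03:05Z 10.0.0.21 http GET www.example.test:80 /news
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<scheme>https?) (?P<method>[A-Z]+) "
    r"(?P<host>[^:\s]+):(?P<port>\d+) (?P<path>\S+)$"
)


def parse_proxy_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_mattermost_c2_indicators(events):
    """Return (src, host, reason) tuples for events matching the pattern the report
    describes: Mattermost REST traffic carried as plaintext HTTP on port 443.
    A bare protocol/port mismatch is reported separately as a weaker signal."""
    hits = []
    for e in events:
        plaintext_443 = e["scheme"] == "http" and e["port"] == "443"
        mattermost_api = e["path"].startswith("/api/v4/")
        if plaintext_443 and mattermost_api:
            hits.append((e["src"], e["host"], "mattermost-api-over-plaintext-443"))
        elif plaintext_443:
            hits.append((e["src"], e["host"], "plaintext-http-on-443"))
    return hits


def channel_creators_per_server(events):
    """Count distinct clients that POST to the channel-creation endpoint per server;
    many clients each creating a channel matches the one-channel-per-infected-host scheme."""
    creators = defaultdict(set)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/api/v4/channels":
            creators[e["host"]].add(e["src"])
    return {host: len(srcs) for host, srcs in creators.items()}


if __name__ == "__main__":
    evts = parse_proxy_log(SAMPLE_PROXY_LOG)
    for hit in find_mattermost_c2_indicators(evts):
        print(hit)
    print(channel_creators_per_server(evts))
```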
“The Operation Earth Kitsune campaign remains very active and still relatively unknown due to the implementation of various techniques, such as security software checks during malware deployment, that are designed to hide the threat actors orchestrating the campaign,” the researchers said.
“We believe that a very capable group is behind the campaign, given the samples’ design and the number of deployed vectors. All compromised websites follow a common pattern in terms of the web tools used and the contextual content they contain. This relation is further backed by the commonalities in the organization types and the maintenance of the initial vectors that are deployed from the same related websites,” Trend Micro added.