A suspected Iranian state-sponsored hacker group has been found deploying a new backdoor called “Aclip” that uses the workplace messaging app Slack for covert command-and-control communications.
As per IBM Security X-Force, the threat actor’s activity started in 2019 and targeted an unnamed Asian airline. Based on the tools, tactics and infrastructure observed on the network from 2019 to 2021, the researchers have linked the attack to the suspected Iranian nation-state group tracked as ITG17 (aka MuddyWater).
The malicious activity was spotted in early October 2019 and likely started with the deployment of Aclip, a backdoor written in PowerShell, which is able to receive commands and send data using the Slack messaging Application Program Interface (API).
“Using a legitimate platform for C2 such as Slack, which is widely used across corporate environments, gives actors an opportunity to blend in malware traffic in a way that may go unnoticed by security analysts,” the researchers explained.
The X-Force team said they were unable to determine whether the threat actor successfully exfiltrated data from the victim environment, although files found on the adversary’s C2 server suggest that they may have accessed reservation data.
In the observed attack, the hackers created an actor-controlled Slack workspace and channels where they could receive system information, including requested files and screenshots, post commands to the backdoor, and receive its responses in return.
During the analysis, the researchers discovered that Aclip was initially executed via a Windows batch script named ‘aclip.bat,’ which was also added to the Windows Registry Run key, allowing it to persist across reboots and launch upon system startup. Upon first execution, the backdoor collects basic system information, including hostname, username, and the external IP address. This data is Base64-encoded and exfiltrated to the threat actor.
Aclip is also able to capture screenshots using PowerShell’s graphics library. The screenshots are then saved to the %TEMP% directory, and once they are uploaded to the threat actor’s server, the files are deleted from the directory.
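One way a defender can hunt for the pattern described above in web-proxy logs, as an added example that is not from the IBM report or the Aclip analysis: a Python script over a constructed proxy log sample that flags Slack Web API requests made by scripting hosts such as powershell.exe rather than the Slack desktop client or a browser, then summarizes the API methods and bytes sent per host for triage. The log format, field names and process list are assumptions.

```python
"""Flag Slack Web API traffic originating from scripting hosts.

Detection logic over a constructed proxy log (not real telemetry).
"""
import csv
import io

SLACK_API_HOST = "slack.com"
SLACK_API_PREFIX = "/api/"

# Hosts that should never need to talk to the Slack Web API directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample: timestamp,host,process,dest_host,path,user_agent,bytes_out
SAMPLE_LOG = """timestamp,host,process,dest_host,path,user_agent,bytes_out
2019-10-02T08:01:11Z,WS-114,slack.exe,slack.com,/api/conversations.history,Slack_Desktop/4.0,512
2019-10-02T08:01:40Z,WS-114,powershell.exe,slack.com,/api/conversations.history,Mozilla/5.0 (Windows NT 10.0; WindowsPowerShell/5.1),431
2019-10-02T08:02:05Z,WS-114,powershell.exe,slack.com,/api/files.upload,Mozilla/5.0 (Windows NT 10.0; WindowsPowerShell/5.1),218304
2019-10-02T08:02:30Z,WS-114,chrome.exe,slack.com,/api/chat.postMessage,Mozilla/5.0 Chrome/77.0,322
2019-10-02T08:03:00Z,WS-207,cmd.exe,slack.com,/api/chat.postMessage,curl/7.55.1,640
"""


def suspicious_slack_requests(log_text):
    """Return log rows where a scripting host calls the Slack Web API."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dest_host"] != SLACK_API_HOST:
            continue
        if not row["path"].startswith(SLACK_API_PREFIX):
            continue
        proc = row["process"].lower()
        ua = row["user_agent"].lower()
        # Either the originating process or the User-Agent betrays a script host.
        if proc in SCRIPT_HOSTS or "powershell" in ua:
            hits.append(row)
    return hits


def summarize(hits):
    """Per-host set of Slack API methods used and total bytes sent out."""
    summary = {}
    for row in hits:
        entry = summary.setdefault(row["host"], {"methods": set(), "bytes_out": 0})
        entry["methods"].add(row["path"].rsplit("/", 1)[-1])
        entry["bytes_out"] += int(row["bytes_out"])
    return summary


if __name__ == "__main__":
    for host, info in summarize(suspicious_slack_requests(SAMPLE_LOG)).items():
        print(host, sorted(info["methods"]), info["bytes_out"])
```

A large `files.upload` from a script host alongside polling of `conversations.history` is the tasking-and-exfiltration shape worth escalating.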
“The ability to obfuscate malicious traffic using legitimate tools is not new, but the widespread use of tools such as Slack creates more opportunity for stealth,” the X-Force team said. “With a wave of businesses shifting to a permanent or wide adoption of a remote workforce, continuing to implement messaging applications as a form of group production and chat, X-Force assesses that these applications will continue to be used by malicious actors to control and distribute malware undetected.”