A newly uncovered backdoor dubbed ‘Aclip’ that abuses the Slack API for covert command-and-control communications is being used by a suspected Iranian state-sponsored threat actor. The actor’s operations began in 2019 with the theft of airline reservation data from an undisclosed Asian airline. According to IBM Security X-Force, the threat actor is most likely ITG17, also known as ‘MuddyWater,’ a very active group that targets enterprises all over the world.
Because Slack is so widely used in the corporate sector, it is an effective medium for hiding malicious messages: the traffic blends in with ordinary business communications. Other actors have abused it in the same way before, so the technique is not new. In this case, the Aclip backdoor uses the Slack API to send system information, files, and screenshots to the C2 and to receive commands in return. IBM researchers discovered threat actors abusing this communication channel in March 2021 and notified Slack.
Aclip is a recently discovered backdoor launched by running a Windows batch script named ‘aclip.bat,’ hence the name. The backdoor achieves persistence by adding a registry key and a file to the infected device. Aclip uses Slack API methods to receive PowerShell commands from the C2 server, which it can then use to run additional tasks, capture images of the active Windows desktop, and exfiltrate data.
When first executed, the backdoor collects basic system information such as the hostname, username, and external IP address, encodes it in Base64, and sends it to the threat actor. Aclip then connects to a new channel in the actor-controlled Slack workspace and begins polling for commands to execute.
Screenshots are taken with PowerShell’s graphics library and stored in %TEMP% until they are exfiltrated; the images are deleted once they have been sent to the C2. During its investigation, IBM also found two custom malware samples associated with the MuddyWater/ITG17 group.
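As an added example (not from the IBM report), one way a defender can look for the pattern described above, Slack Web API calls originating from a scripting host such as PowerShell rather than a Slack client, run over constructed proxy/EDR-style log lines. The log field names, the list of expected Slack clients, and the sample events are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry); one key=value record per line.
SAMPLE_LOGS = """\
2021-03-10T10:01:02Z host=WS01 user=alice proc=slack.exe dest=slack.com path=/api/conversations.history bytes_out=310
2021-03-10T10:02:15Z host=WS02 user=bob proc=powershell.exe dest=slack.com path=/api/chat.postMessage bytes_out=1204
2021-03-10T10:02:40Z host=WS02 user=bob proc=powershell.exe dest=slack.com path=/api/files.upload bytes_out=218772
2021-03-10T10:03:01Z host=WS03 user=carol proc=chrome.exe dest=slack.com path=/api/chat.postMessage bytes_out=512
2021-03-10T10:04:22Z host=WS02 user=bob proc=powershell.exe dest=slack.com path=/api/conversations.history bytes_out=290
2021-03-10T10:05:00Z host=WS04 user=dan proc=powershell.exe dest=example.com path=/index.html bytes_out=100
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
# Processes that legitimately talk to the Slack Web API on a workstation (assumed allow-list).
EXPECTED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Slack Web API methods a Slack-based C2 channel would need: post a message,
# upload a file (screenshots/exfil), and poll a channel for new commands.
C2_STYLE_METHODS = {"chat.postMessage", "files.upload", "conversations.history"}

def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for key, value in (pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair):
        event[key] = value
    event["bytes_out"] = int(event.get("bytes_out", 0))
    return event

def slack_method(event):
    """Return the Slack Web API method name if the request targets slack.com/api/, else None."""
    if event.get("dest") != "slack.com" or not event.get("path", "").startswith("/api/"):
        return None
    return event["path"][len("/api/"):]

def find_suspicious(log_text):
    """Map (host, process) -> sorted Slack API methods for non-client processes that
    used at least two C2-style methods; a single call is too noisy to alert on alone."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        method = slack_method(ev)
        if method and ev.get("proc", "").lower() not in EXPECTED_SLACK_CLIENTS:
            hits[(ev["host"], ev["proc"])].add(method)
    return {k: sorted(v) for k, v in hits.items() if len(v & C2_STYLE_METHODS) >= 2}
```

The hit for WS02/powershell.exe is the triage starting point; the next step on the endpoint is to inspect the parent process, the script that launched it, and recent registry-key and file additions consistent with the persistence described above.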
“The investigation yielded two custom tools that correspond to malware previously attributed to ITG17, a backdoor ‘Win32Drv.exe,’ and the web shell ‘OutlookTR.aspx’,” IBM’s report states.
“Within the configuration of Win32Drv.exe, is the C2 IP address 46.166.176[.]210, which has previously been used to host a C2 domain associated with the Forelord DNS tunneling malware publicly attributed to MuddyWater.”