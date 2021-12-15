IBM Security X-Force has observed a state-sponsored adversary using a new backdoor that abuses Slack to attack airline organizations. The adversary used free Slack workspaces, most likely to hide its operational communications inside traffic to a legitimate messaging and collaboration application, so that the malicious traffic would go unnoticed.

While it is clear that a threat actor used free Slack workspaces in this attack, attribution rests on the tools, tactics and infrastructure observed on the victim network from 2019 to 2021. On that basis we assess with moderate confidence that the group we track as ITG17 (a.k.a. MuddyWater), a suspected Iranian nation-state group, conducted the attack.

The malicious activity was noted in early October 2019 and likely started with the deployment of a backdoor written in PowerShell, which X-Force named ‘Aclip’. Aclip conducts command-and-control (C2) over the Slack messaging Application Programming Interface (API): it receives commands and sends data through ordinary Slack API calls, so its traffic looks like legitimate Slack use. X-Force also observed malicious activity on the network prior to 2019; however, due to the disparate nature of that activity, we could not determine whether it was related.
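A backdoor that talks to the Slack Web API has to do three things: poll a channel for operator commands, post results back, and upload collected files. Those calls are indistinguishable from a chat client's calls by destination alone, so a defender hunts on who makes them and how regularly. The following is an added detection example written for this article, not code from IBM X-Force and not derived from the Aclip sample. It assumes a simplified tab-separated proxy log (timestamp, client IP, HTTP method, URL, user agent); the sample log lines, IP addresses and user-agent strings are constructed, and the user-agent markers are a tunable assumption. The Slack method names `conversations.history`, `chat.postMessage` and `files.upload` are real Slack Web API endpoints.

```python
"""Hunt for Slack Web API command-and-control in web proxy logs (added example).

Two independent signals are combined:
  1. a Slack C2-capable API method called from a scripting runtime's
     user agent (PowerShell's Invoke-RestMethod sends "WindowsPowerShell/<ver>"
     by default) instead of the Slack desktop client or a browser;
  2. a client polling conversations.history at machine-regular intervals.
An attacker can spoof the user agent, which is why the timing heuristic exists.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Real Slack Web API methods a backdoor needs: read commands, post output, exfil files.
C2_METHODS = {"conversations.history", "chat.postMessage", "files.upload"}

# Substrings that mark a scripting runtime rather than a chat client (assumption; tune).
SCRIPT_UA_MARKERS = ("WindowsPowerShell", "PowerShell/", "python-requests", "curl/")


def parse_line(line):
    """Parse one constructed log line: timestamp, client IP, method, URL, user agent."""
    ts, ip, method, url, ua = line.rstrip("\n").split("\t", 4)
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method, "url": url, "ua": ua}


def slack_api_method(url):
    """Return the Slack Web API method name in a URL, or None if it is not an API call."""
    u = urlparse(url)
    host = u.hostname or ""
    if not (host == "slack.com" or host.endswith(".slack.com")):
        return None
    if not u.path.startswith("/api/"):
        return None
    return u.path[len("/api/"):]


def is_script_ua(ua):
    return any(marker in ua for marker in SCRIPT_UA_MARKERS)


def polling_interval(timestamps, min_polls=4, max_jitter=0.2):
    """Mean gap in seconds if requests are evenly spaced (coefficient of variation
    of the inter-request gaps <= max_jitter), else None. Humans do not poll like that."""
    if len(timestamps) < min_polls:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0 or pstdev(gaps) / avg > max_jitter:
        return None
    return round(avg, 1)


def hunt(lines):
    """Return {client_ip: {"ua_methods": [...], "poll_interval_s": float or None}}
    for every client that shows at least one Slack-C2 signal."""
    ua_hits = defaultdict(set)
    polls = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        method = slack_api_method(rec["url"])
        if method is None:
            continue
        if method in C2_METHODS and is_script_ua(rec["ua"]):
            ua_hits[rec["ip"]].add(method)
        if method == "conversations.history":
            polls[rec["ip"]].append(rec["ts"])
    findings = {}
    for ip in set(ua_hits) | set(polls):
        interval = polling_interval(polls[ip])
        if ua_hits[ip] or interval is not None:
            findings[ip] = {"ua_methods": sorted(ua_hits[ip]), "poll_interval_s": interval}
    return findings


# Constructed sample traffic: one PowerShell beacon (10.20.30.41) and one human
# on the Slack desktop client (10.20.30.77). The UA strings approximate real ones.
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.771"
CLIENT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Slack/4.1.2 Chrome/78.0.3904.113 Electron/7.1.2 Safari/537.36")
SAMPLE_LOG = [
    f"2019-10-03T09:00:00\t10.20.30.41\tPOST\thttps://slack.com/api/conversations.history\t{PS_UA}",
    f"2019-10-03T09:01:00\t10.20.30.41\tPOST\thttps://slack.com/api/conversations.history\t{PS_UA}",
    f"2019-10-03T09:02:00\t10.20.30.41\tPOST\thttps://slack.com/api/conversations.history\t{PS_UA}",
    f"2019-10-03T09:02:07\t10.20.30.41\tPOST\thttps://slack.com/api/chat.postMessage\t{PS_UA}",
    f"2019-10-03T09:03:00\t10.20.30.41\tPOST\thttps://slack.com/api/conversations.history\t{PS_UA}",
    f"2019-10-03T09:00:12\t10.20.30.77\tPOST\thttps://slack.com/api/conversations.history\t{CLIENT_UA}",
    f"2019-10-03T09:00:40\t10.20.30.77\tPOST\thttps://slack.com/api/conversations.history\t{CLIENT_UA}",
    f"2019-10-03T09:04:05\t10.20.30.77\tPOST\thttps://slack.com/api/chat.postMessage\t{CLIENT_UA}",
    f"2019-10-03T09:04:05\t10.20.30.77\tPOST\thttps://slack.com/api/conversations.history\t{CLIENT_UA}",
    f"2019-10-03T09:05:00\t10.20.30.77\tPOST\thttps://slack.com/api/conversations.history\t{CLIENT_UA}",
    f"2019-10-03T09:05:30\t10.20.30.77\tGET\thttps://app.slack.com/client/T0123/C0456\t{CLIENT_UA}",
    f"2019-10-03T09:06:00\t10.20.30.41\tGET\thttps://api.github.com/repos/x/y\t{PS_UA}",
]

if __name__ == "__main__":
    for ip, f in hunt(SAMPLE_LOG).items():
        print(ip, f)  # only 10.20.30.41 is reported: script UA plus a 60 s poll cadence
```

Both signals are heuristics. Slack workspaces used by the business produce constant `conversations.history` traffic, so the value of the user-agent check is in separating the Slack client from a scripting runtime, and the value of the cadence check is in catching a backdoor that has fixed its user agent but still sleeps for a constant interval between polls. A beacon with randomized jitter defeats the second check, which is why proxy logs should also be joined with process telemetry (which binary opened the connection) where that is available.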

IBM Security X-Force has followed responsible disclosure protocols and notified appropriate entities regarding this operation.

In response to this discovery, Slack stated:

As detailed in this post, IBM X-Force has discovered, and is actively tracking, a third party that is attempting to use targeted malware leveraging free workspaces in Slack. As part of the X-Force analysis, we were made aware of free workspaces being used in this manner.

We investigated and immediately shut down the reported Slack Workspaces as a violation of our terms of service. We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service.

Slack encourages people to be vigilant and to review and enforce basic security measures, including the use of two-factor authentication, ensuring that their computer software and anti-virus software are up to date, creating new and unique passwords for every service they use, and exercising caution when interacting with people they don’t know.