Researchers at IBM X-Force uncovered how the attack was carried out, stating that MuddyWater leveraged free workspaces on Slack. This allowed the group to cover up operational communications. They first observed this activity in October 2019 and named the malware Aclip. The cyberattack on the Asian airline took place in March of this year. X-Force researchers did not disclose the name of the airline. It is also unclear if MuddyWater extracted information from its victims. However, X-Force’s research suggests that the group “may have accessed reservation data.”
How Does Aclip Work?
The researchers claim that Aclip uses the Slack API to carry out its C2 (Command and Control) communications. APIs are interfaces that contain rules and functions that allow external programs to communicate with an application. Slack allows users to develop apps and other services that can be integrated with the platform. “In this instance, the threat actor created an actor-controlled Slack workspace and channels where they could receive system information, including requested files and screenshots; post commands to the backdoor; and receive commands in return,” IBM X-Force stated.
“Using Legitimate Messaging Platforms for Backroom Communications is Not New”
IBM X-Force claims that this type of activity, where the threat actor uses a legitimate messaging platform for operational communications, is not new. For many years the Internet Relay Chat (IRC) was a popular choice for botnet commands. Platforms such as Slack allow actors to “blend in malware traffic in a way that may go unnoticed by security analysts.” In fact, Aclip is not the first backdoor that utilizes Slack. X-Force also referred to other backdoors, such as SlackShell, SlackC2bot, and SLUB Backdoor.
Statement From Slack
Slack stated that it learned about MuddyWater’s activities on its workspaces from X-Force’s investigation. “We investigated and immediately shut down the reported Slack Workspaces as a violation of our terms of service. We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk.” The company also urged people to remain vigilant and follow basic security measures. This includes using two-factor authentication and ensuring that their operating system and antivirus software are up-to-date. “We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service,” it added.
