A threat group targeted an unnamed Asian airline with a previously unknown backdoor, which abused a feature in Slack to obfuscate operational communication, according to a new report. Researchers linked the activity to ITG17 (also known as MuddyWater), an Iran-linked nation-state group known for targeting governments, primarily in the Middle East and South Asia, for espionage purposes. Though researchers first observed the cyberattack in March, the malicious activity tracks back to October 2019, after the backdoor was first deployed. The backdoor, which is named “Aclip,” is written in the PowerShell scripting language.

“The threat actor employed a variety of techniques to maintain access to the environment to avoid detection, including the abuse of legitimate services such as Slack through the use of the Aclip backdoor,” said Richard Emerson, senior analyst with IBM X-Force Threat Intelligence. “The threat actor leveraged compromised credentials to VPN into the environment, tunneled remote access tool traffic over non-standard ports, and had redundant access to the environment through the use of web shells on different servers, in case their other methods of access were discovered. Their job of maintaining access also got easier when they obtained domain admin privileges in the environment.”

In order to receive commands and send data, the backdoor used legitimate functionality in the Slack messaging Application Programming Interface (API), which allows apps and services to be developed that integrate with the messaging platform. Here, the attackers created a workspace and channels where they could receive system information, including requested files and screenshots, and post commands for the backdoor to pick up.

While researchers said it’s unclear how the adversary achieved initial access to the victim organization, the Aclip backdoor was initially downloaded by a Windows batch script (“aclip.bat”). The script was added to the Windows Registry Run key for persistence, so that it would launch at system startup. Once executed, the backdoor would collect system data (hostname, username and external IP address, for instance) before sending the encrypted data to the Slack channel using the chat.postMessage API call. Researchers found that the backdoor is capable of receiving and running additional PowerShell commands, including taking screenshots and uploading stolen files. “Aclip bears some high-level similarities with other tools developed by ITG17,” said Emerson.

It’s unclear if the attackers were able to successfully exfiltrate data from the airline. However, researchers said that shortly after the attack was discovered, files with the name “reservation management” were found on the threat actor’s command-and-control (C2) server. This could suggest that reservation data may have been accessed, with surveillance being a motivation for the attackers, said Melisa Frydrych, researcher with IBM X-Force. “If Iranian-sponsored actors have targeted and obtained data associated with flight reservations, the information could furnish Tehran’s decision makers with actionable and accurate data, potentially aiding in the tracking and interdiction of targeted individuals,” said Frydrych. “Also, at the time of the incident, Iran maintained thousands of advisors in conflict areas, and information about the movement of people may have helped to understand individuals who may seek to challenge Iran’s influence.”

“The ability to obfuscate malicious traffic using legitimate tools is not new, but the widespread use of tools such as Slack creates more opportunity for stealth.”
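The Slack API beaconing described above (collected data posted with chat.postMessage, commands pulled from a channel) leaves a trace in outbound web-proxy logs: Slack Web API calls coming from a scripting host rather than a browser or the Slack client. The script below is an added detection example, not code from the report or from IBM X-Force; it assumes a constructed proxy log format and a user-agent heuristic, and besides the chat.postMessage method named on the page it checks two assumed companion methods a channel-based C2 would plausibly use.

```python
import re

# Slack Web API methods a channel-based C2 would call. chat.postMessage is the one
# named in the report; conversations.history and files.upload are assumed companions.
SLACK_C2_METHODS = {"chat.postMessage", "conversations.history", "files.upload"}

# Constructed proxy log format: <ts> <src_ip> <verb> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<verb>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
API_RE = re.compile(r'^https?://(?:[\w.-]+\.)?slack\.com/api/(?P<method>[\w.]+)')
BROWSER_UA = re.compile(r'(Chrome|Firefox|Safari|Edg|Slack_SSB)/', re.I)
SCRIPT_UA = re.compile(r'WindowsPowerShell|PowerShell|curl|python-requests', re.I)

def parse_line(line):
    """Parse one constructed proxy log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return a reason string if the entry looks like scripted Slack API C2, else None."""
    api = API_RE.match(entry["url"])
    if not api or api.group("method") not in SLACK_C2_METHODS:
        return None
    if SCRIPT_UA.search(entry["ua"]):
        return f"{api.group('method')} from scripting-host user agent"
    if not BROWSER_UA.search(entry["ua"]):
        return f"{api.group('method')} from non-browser, non-client user agent"
    return None

def find_slack_c2(lines):
    """Return {src_ip: [reasons]} for hosts making suspicious Slack API calls."""
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.setdefault(entry["src"], []).append(reason)
    return hits

# Constructed sample: one host beaconing from PowerShell, one legitimate browser user.
SAMPLE_LOG = """\
2021-03-02T09:00:01Z 10.1.4.22 POST https://slack.com/api/chat.postMessage 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
2021-03-02T09:00:03Z 10.1.4.22 GET https://slack.com/api/conversations.history 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
2021-03-02T09:01:10Z 10.1.7.5 POST https://slack.com/api/chat.postMessage 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0 Safari/537.36"
2021-03-02T09:02:00Z 10.1.4.22 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
""".splitlines()

if __name__ == "__main__":
    for src, reasons in find_slack_c2(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

In a real deployment the user-agent check is a starting heuristic only; pair it with a per-host call-frequency baseline and with endpoint telemetry on which process opened the connection, since a user agent is trivially changed.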