ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > List all tools > List all groups using tool SLUB

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: SLUB

NamesSLUB
CategoryMalware
TypeReconnaissance, Backdoor, Info stealer, Downloader, Exfiltration
Description(Trend Micro) We recently came across a previously unknown malware that piqued our interest in multiple ways. For starters, we discovered it being spread via watering hole attacks, a technique that involves an attacker compromising a website before adding code to it so visitors are redirected to the infecting code. In this case, each visitor is redirected only once. The infection was done by exploiting CVE-2018-8174, a VBScript engine vulnerability that was patched by Microsoft back in May 2018.
Second, it uses a multi-stage infection scheme. After it exploits the vulnerability, it downloads a DLL and runs it in PowerShell (PS). This file, which is a downloader, then downloads and runs the second executable file containing a backdoor. The first stage downloader also checks for the existence of different kinds of antivirus software processes, and then proceeds to exit if any is found. At the time of discovery, the backdoor was seemingly unknown to AV products.
Information<https://www.trendmicro.com/en_us/research/19/c/new-slub-backdoor-uses-github-communicates-via-slack.html>
<https://blog.trendmicro.com/trendlabs-security-intelligence/SLUB-gets-rid-of-github-intensifies-slack-use/>
<https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf>
<https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.slub>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:slub>

Last change to this tool card: 24 April 2021

Download this tool card in JSON format

Previous: SLRat
Next: SMBExec

All groups using tool SLUB

ChangedNameCountryObserved

APT groups

 Operation Earth KitsuneNorth Korea2019-Late 2022 

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]