Operation Earth Kitsune: SLUB malware is infecting thousands of users exploiting flaws in Google Chrome and Internet Explorer

Trend Micro’s cybersecurity specialists have been analyzing security incidents associated with the malware variant known as SLUB for months, en allow them to make interesting findings about how it works. Although in previous incidents threat actors targeted Implementations of Slack and GitHub, the latest attack campaign focused on the Mattermost online chat service, abusing its open source to perform malicious actions.

Mattermost developers acknowledged the incident through a statement, noting that this is a violation of their Terms of Use. Mattermost also shared a method by which users can report malicious use of this platform.

La imagen tiene un atributo ALT vacío; su nombre de archivo es SLUB2210202001.jpg

During the analysis of this campaign, called Operation Earth Kitsune, experts found five command and control (C&C) servers, seven malware samples, and four different types of errors that threat actors have used to infect websites with SLUB. According to Trend Micro, the National Korean-American Coordination Council (KANCC) has been directing users of its website to the Hanseattle platform.

“Users who accessed this site were redirected to a CVE-2019-5789 proof-of-concept (POC), a vulnerability present in Google Chrome’s chromium system,” the report states. Researchers mention that this attack not only relates to an armed version of the Chrome exploit, but also infected victims with three different malware samples.  

La imagen tiene un atributo ALT vacío; su nombre de archivo es SLUB2210202002.jpg

Threat actors also used CVE-2020-0674, an Internet Exploter failure that could have put thousands of websites at risk using a PowerShell loader that connected to the same C&C servers as the PowerShell used to exploit the previous failure. Finally, malicious hackers exploited flaws like CVE-2016-0189 and CVE-2019-1458. In addition to the sites mentioned during this campaign, compromised servers use GNUBoard Content Management System (CMS) versions 4 or 5.

SLUB attacks are not the only component of this campaign, as researchers detected two additional malware variants identified as dneSpy and agdSpy, whose goal seems to be to give hackers additional control over the compromised system. The investigation is still ongoing, so more details about the operators of this malicious campaign could be revealed shortly.