Nation-State Attackers Targeted Airline With New Backdoor

A threat group targeted an unnamed Asain airline with a previously unknown backdoor, which abused a feature in Slack to obfuscate operational communication, according to a new report. Researchers linked the activity to ITG17 (also known as MuddyWater), an Iran-linked nation-state group, known for targeting governments primarily in the Middle East and South Asia for espionage purposes.

Though researchers first observed the cyberattack in March, the malicious activity tracks back to October 2019, after the backdoor was first deployed. The backdoor, which is named “Aclip,” is written in PowerShell scripting language. In order to receive commands and send data, the backdoor used a legitimate functionality in the Slack messaging Application Program Interface (API), which allows apps and services to be developed that can be integrated with the messaging platform. Here, the attackers created a workspace and channels where they could receive system information, including requested files and screenshots, post commands to the backdoor and receive commands.

“The threat actor employed a variety of techniques to maintain access to the environment to avoid detection, including the abuse of legitimate services such as Slack through the use of the Aclip backdoor,” said Richard Emerson, senior analyst with IBM X-Force Threat Intelligence. “The threat actor leveraged compromised credentials to VPN into the environment, tunneled remote access tool traffic over non-standard ports, and had redundant access to the environment through the use of web shells on different servers, in case their other methods of access were discovered. Their job of maintaining access also got easier when they obtained domain admin privileges in the environment.”