Skip to content

Hide Navigation Hide TOC

SLUB (a4757e11-0837-42c0-958a-7490cff58687)

A new backdoor was observed using the Github Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack. The backdoor dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild is part of a multi-stage infection process designed by capable threat actors who programmed it in C++. SLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP request, "extracting commands from gist snippets," and "parsing Slack channel communication." The campaign recently observed by the Trend Micro security researchers abusing the Github and Slack uses a multi-stage infection process.

Cluster A Galaxy A Cluster B Galaxy B Level
SLUB Backdoor (bb6492fa-36b5-4f4a-a787-e718e7f9997f) Tool SLUB (a4757e11-0837-42c0-958a-7490cff58687) Backdoor 1