IBM Security X-Force experts believe that Iranian state-sponsored hackers are deploying the recently discovered Aclip backdoor on victims’ networks. The backdoor abuses the Slack API to communicate covertly with its operators.
According to the report, the attackers are the ITG17 group, also known as MuddyWater, which targets organizations and companies around the world. The campaign uncovered by IBM Security X-Force began in 2019 and targeted an unnamed Asian airline in order to steal flight booking data.
According to the experts, Slack is close to an ideal platform for hiding malicious communications: the traffic blends in with normal business use, and Slack is widely deployed across many sectors. In this case, the Aclip backdoor used the Slack API to send system information, files and screenshots to the attackers and to receive commands from its operators in return.
IBM researchers noticed attackers abusing this communication channel in March 2021 and reported it to Slack. Slack responded quickly to the report and stated:
“We investigated and immediately closed Slack Workspaces that were used in violation of the terms of service. We acknowledge that Slack was not compromised in any way as part of this incident, and that no Slack customer data was disclosed or at risk. We strive to prevent misuse of our platform and take action against anyone who violates the terms of service.”
The backdoor is launched via a batch file named aclip.bat, which is where its name comes from. Aclip persists on the infected device by adding itself to the registry so that it is started automatically at every system startup.
Aclip receives PowerShell commands from its operators via the Slack API and can execute further commands, capture screenshots of the active Windows desktop, and steal files. On its first launch, the backdoor collects basic system information, including the hostname, username and external IP address, Base64-encodes it (this is encoding, not encryption, so it hides nothing from anyone who can read the Slack messages) and sends it to its operators.
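The two mechanisms described above, persistence through a registry Run key that launches aclip.bat and command-and-control over the Slack API, are also the two things a defender can hunt for. The Python below is an added example written for this page; it is not code from IBM X-Force or from the Aclip sample. It runs a simple hunt over a handful of constructed Sysmon-style events (registry value set, Event ID 13, and DNS query, Event ID 22). The event contents, file paths, process names and the allowlist of programs expected to contact slack.com are assumptions for illustration and would need tuning against real telemetry. The point it adds to the text is that, because Slack API traffic is TLS to slack.com and looks like legitimate use on the wire, the useful signal is which process is talking to Slack (a scripting host rather than the Slack client or a browser), not what it sends.

```python
import json
import re

# Constructed Sysmon-style events for illustration only (not taken from the IBM report).
# EventID 13 = registry value set; EventID 22 = DNS query. Paths, SIDs and names are assumed.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "\"C:\\Users\\Public\\aclip.bat\""},
    {"EventID": 13, "Image": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "QueryName": "slack.com"},
    {"EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Local\\slack\\slack.exe",
     "QueryName": "slack.com"},
    {"EventID": 22, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "app.slack.com"},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryName": "time.windows.com"},
]
# The same events as JSON lines, the shape a log shipper would typically hand over.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

# Run / RunOnce keys under HKLM or HKU, the autostart location the article describes.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
# Interpreters and script types that should rarely be registered for autostart.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".vbs", ".js")
# Assumed allowlist: processes that legitimately resolve slack.com in this environment.
EXPECTED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launches_script(command_line):
    """True if any token of the command line (quotes stripped) is a script file."""
    return any(tok.strip('"').lower().endswith(SCRIPT_EXTENSIONS)
               for tok in command_line.split())


def is_slack_domain(name):
    return name.lower().rstrip(".") == "slack.com" or name.lower().rstrip(".").endswith(".slack.com")


def suspicious_run_key(event):
    """Registry value set under a Run/RunOnce key whose value launches a script."""
    return (event.get("EventID") == 13
            and RUN_KEY_RE.search(event.get("TargetObject", "")) is not None
            and launches_script(event.get("Details", "")))


def unexpected_slack_contact(event):
    """DNS query for a Slack domain from a process that is not an expected Slack client."""
    return (event.get("EventID") == 22
            and is_slack_domain(event.get("QueryName", ""))
            and basename(event.get("Image", "")) not in EXPECTED_SLACK_CLIENTS)


def hunt(events):
    """Return (finding_kind, subject, detail) tuples for every matching event."""
    findings = []
    for ev in events:
        if suspicious_run_key(ev):
            findings.append(("run_key_launches_script", ev["TargetObject"], ev["Details"]))
        elif unexpected_slack_contact(ev):
            findings.append(("unexpected_slack_client", ev["Image"], ev["QueryName"]))
    return findings


def hunt_jsonl(lines):
    """Same hunt over newline-delimited JSON events."""
    return hunt(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    for kind, subject, detail in hunt(SAMPLE_EVENTS):
        print(f"{kind}: {subject} -> {detail}")
```

Run against the constructed events, the hunt reports exactly two findings: the Run key value pointing at aclip.bat and the DNS query for slack.com from powershell.exe; the Slack client, the browser and the OneDrive autostart entry pass. In a real environment the allowlist will need entries for any Electron or browser-based tools that embed Slack, and the Run key check should be paired with the Sysmon process-creation event for the interpreter so the analyst can see what the script actually does.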