A suspected Iranian state-supported threat actor is deploying a newly discovered backdoor named ‘Aclip’ that abuses the Slack API for covert communications.
The threat actor’s activity started in 2019 and targeted an unnamed Asian airline to steal flight reservation data.
According to a report by IBM Security X-Force, the threat actor is likely ITG17, aka ‘MuddyWater,’ a very active hacking group that targets organizations worldwide.
Abusing Slack
Slack is an ideal platform for concealing malicious communications as the data can blend well with regular business traffic due to its widespread deployment in the enterprise.
This type of abuse is a tactic that other actors have followed in the past, so it’s not a new trick. Also, Slack isn’t the only legitimate messaging platform to be abused for relaying data and commands covertly.
In this case, the Slack API is utilized by the Aclip backdoor to send system information, files, and screenshots to the C2, while receiving commands in return.
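The report does not publish Aclip's exact API calls, so the following is an added detection sketch, not code from the article or from IBM's analysis. It assumes proxy logs enriched with the originating process name, and uses two real Slack Web API methods (conversations.history for reading commands, files.upload for sending files and screenshots) as the assumed shape of any Slack-based C2 channel; the log lines are constructed, and the process allowlist is a placeholder to tune per environment. The heuristic flags a host where a process that is not a known Slack client both polls a channel at a regular beacon-like interval and uploads files, which is the pattern the paragraph above describes.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log lines (not real Aclip traffic). Fields, in order:
# timestamp, source host, originating process (assumed EDR enrichment),
# HTTP method, URL, bytes sent by the client.
SAMPLE_LOGS = """\
2021-03-02T09:00:01Z ws-014 slack.exe POST https://slack.com/api/chat.postMessage 412
2021-03-02T09:00:05Z ws-014 chrome.exe GET https://app.slack.com/client/T0/C0 0
2021-03-02T09:01:00Z ws-027 svchost.exe GET https://slack.com/api/conversations.history?channel=C0123 0
2021-03-02T09:01:02Z ws-027 svchost.exe POST https://slack.com/api/files.upload 184320
2021-03-02T09:02:00Z ws-027 svchost.exe GET https://slack.com/api/conversations.history?channel=C0123 0
2021-03-02T09:02:01Z ws-027 svchost.exe POST https://slack.com/api/files.upload 96811
2021-03-02T09:03:00Z ws-027 svchost.exe GET https://slack.com/api/conversations.history?channel=C0123 0
2021-03-02T09:03:00Z ws-031 slack.exe POST https://slack.com/api/files.upload 2048
"""

# Processes expected to talk to the Slack Web API on a workstation.
# Assumed allowlist for this example; tune it to your own estate.
EXPECTED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_logs(text):
    """Parse the constructed log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, host, proc, method, url, sent = m.groups()
        u = urlsplit(url)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "proc": proc, "method": method,
            "api_host": u.netloc, "path": u.path, "bytes_out": int(sent),
        })
    return events


def slack_api_method(ev):
    """Return the Slack Web API method name for https://slack.com/api/<method>, else None."""
    if ev["api_host"] == "slack.com" and ev["path"].startswith("/api/"):
        return ev["path"][len("/api/"):]
    return None


def find_suspicious_slack_c2(events, min_polls=3, jitter_tolerance_s=5):
    """Group Slack API calls by (host, process); report processes outside the allowlist.

    For each such process, count channel reads (candidate command polling) and
    file uploads (candidate exfiltration), and mark polling as beacon-like when
    at least min_polls reads arrive at a near-constant interval.
    """
    by_key = defaultdict(list)
    for ev in events:
        meth = slack_api_method(ev)
        if meth:
            by_key[(ev["host"], ev["proc"])].append((ev, meth))

    findings = []
    for (host, proc), calls in by_key.items():
        if proc in EXPECTED_SLACK_CLIENTS:
            continue  # ordinary Slack usage; nothing to flag
        reads = sorted(ev["ts"] for ev, m in calls if m.startswith("conversations.history"))
        uploads = [ev for ev, m in calls if m == "files.upload"]
        gaps = [(b - a).total_seconds() for a, b in zip(reads, reads[1:])]
        regular = len(reads) >= min_polls and (max(gaps) - min(gaps)) <= jitter_tolerance_s
        findings.append({
            "host": host, "proc": proc,
            "polls": len(reads), "regular_polling": regular,
            "uploads": len(uploads),
            "bytes_uploaded": sum(e["bytes_out"] for e in uploads),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_slack_c2(parse_logs(SAMPLE_LOGS)):
        print(f)
```

Run against the constructed lines, only ws-027 / svchost.exe is reported: three history polls exactly 60 s apart and two uploads totalling 281,131 bytes. The two legitimate hosts fall out via the allowlist, which is also the main caveat: an implant that injects into, or names itself after, the real Slack client defeats a process-name allowlist, so in practice pair this with user-agent and token-owner checks on the Slack side.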
IBM researchers spotted the threat actors abusing this communication channel in March 2021 and responsibly disclosed it to Slack.