IBM Security X-Force reports that the Iranian government actor MuddyWater used a PowerShell backdoor known as Aclip, which uses Slack, to attack airlines. The attackers were using free Slack workspaces to hide malicious traffic and then commit C2C crimes against airline employees.
This activity was first discovered by the MuddyWater hacking group in October 2019, when a malicious backdoor called Aclip was first developed. Aclip carries out command and control over the Slack API to receive data and commands.
After IBM X-Force found the breach, Slack removed the free workspaces used by the backdoor, but it is clear that MuddyWater will continue its efforts to use C2C for malicious gains. They must be stopped!! 😡😡