Slack as a C2 (Command and Control) Channel
By Arie Fred, VP of Product, SecBI
As Slack, the popular messaging platform, went public, its stock price soared, signaling investors’ confidence in a workplace tool that hopes to replace email for internal collaboration. Slack’s phenomenal adoption is a testament to its excellent product-market fit.
However, this tremendous popularity has not gone unnoticed by cybercriminals, who have taken an approach that is not entirely new. It is even documented as the MITRE ATT&CK™ Web Service (T1102) technique, which states: “Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system. These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers”.
Several security researchers have experimented with Slack as a C2 channel, creating “Slackor”, Slack C2bot and Slackshell, a PowerShell module with various functions that use the Slack API to build a command and control channel. Additionally, there are a few reports of a sophisticated piece of malware named “SLUB” that uses the Slack messaging system as a communication channel with its masters.
Once this capability was made public, its popularity with malware creators took off, since it offers the benefit of riding on an existing platform. Attackers don’t need to break into Slack; they simply use its features to control malware they’ve implanted on corporate networks. More importantly, this legitimate-looking use of Slack as a communication channel lets hackers avoid detection by traditional security mechanisms such as EDR and packet-capture NTA. The Slack API URL structure also poses a detection challenge for security mechanisms. All Slack API URLs take the form https://slack.com/api/[METHOD], so unencrypted DNS queries show only resolutions of slack.com, making it difficult to differentiate Slack API usage from normal web browsing.
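As an added illustration (not code from the article or from SecBI), the following detector does what DNS alone cannot: it reads full URLs from a constructed TLS-terminating proxy log, keeps only slack.com/api/[METHOD] requests, and flags hosts whose call timing is near-periodic, the kind of behavioral signal that separates a polling implant from a person chatting. The log lines, client addresses and thresholds are constructed assumptions, not observed data.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log lines: "<timestamp> <client> <verb> <url>".
# 10.0.0.5 polls one channel every 30 s (C2-style); 10.0.0.7 is a person chatting.
PROXY_LOG = """\
2019-06-25T09:00:00 10.0.0.5 GET https://slack.com/api/conversations.history?channel=C01
2019-06-25T09:00:30 10.0.0.5 GET https://slack.com/api/conversations.history?channel=C01
2019-06-25T09:01:00 10.0.0.5 POST https://slack.com/api/chat.postMessage
2019-06-25T09:01:30 10.0.0.5 GET https://slack.com/api/conversations.history?channel=C01
2019-06-25T09:02:00 10.0.0.5 GET https://slack.com/api/conversations.history?channel=C01
2019-06-25T09:00:12 10.0.0.7 GET https://app.slack.com/client/T01/C02
2019-06-25T09:03:41 10.0.0.7 POST https://slack.com/api/chat.postMessage
2019-06-25T09:17:05 10.0.0.7 GET https://slack.com/api/conversations.history?channel=C02
2019-06-25T09:19:20 10.0.0.7 POST https://slack.com/api/chat.postMessage
2019-06-25T09:44:59 10.0.0.7 GET https://slack.com/api/conversations.history?channel=C02
2019-06-25T09:45:10 10.0.0.7 POST https://slack.com/api/chat.postMessage
"""

def parse_api_calls(log_text):
    """Return {client: [(timestamp, method)]} for requests to slack.com/api/<METHOD>."""
    calls = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, _verb, url = line.split(" ", 3)
        u = urlparse(url)
        # Only the API host and path matter; app.slack.com / files.slack.com are skipped.
        if u.hostname == "slack.com" and u.path.startswith("/api/"):
            calls[client].append((datetime.fromisoformat(ts), u.path[len("/api/"):]))
    return calls

def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps; near 0 means clockwork polling."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None  # too few calls to judge periodicity
    return statistics.pstdev(gaps) / statistics.mean(gaps)

def suspicious_hosts(log_text, min_calls=5, max_cv=0.2):
    """Hosts with at least min_calls Slack API calls whose timing is near-periodic."""
    flagged = {}
    for client, events in parse_api_calls(log_text).items():
        if len(events) < min_calls:
            continue
        cv = beacon_score(sorted(t for t, _ in events))
        if cv is not None and cv <= max_cv:
            flagged[client] = sorted({method for _, method in events})
    return flagged
```

Running suspicious_hosts(PROXY_LOG) on the constructed log flags only 10.0.0.5, whose 30-second cadence yields a coefficient of variation of zero, while the human user's irregular gaps score far above the threshold.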
Malware creators will likely use Slack as the primary or secondary C2 channel and use another platform such as GitHub for backup. Since these applications are legitimate and are frequently used to move files around, there’s little risk that anti-virus or endpoint solutions will detect the infiltration of malicious code or the exfiltration of sensitive data. While the notion of using common apps isn’t new (earlier attempts used Twitter as a C2 channel, specifically the Twitter bot builder), Slack’s universal adoption takes this method of operation to a whole new level.
This newly found communication channel is another step in the battle between hackers and defenders. It highlights the need for security tools that leverage machine-based cluster analysis to provide a broader range of behavioral information and reveal the entire scope of an attack.