Attackers Are Impersonating a Linux Foundation Leader in Slack to Target Open Source Developers
A high-severity social engineering campaign is actively targeting open source developers on Slack by impersonating Linux Foundation leaders. The multi-stage attack uses a fake AI tool lure to harvest credentials and trick victims into installing a malicious root certificate, leading to traffic interception and malware execution on macOS and Windows systems.
Authors: Socket
Source: Socket
- email: cra@nmail.biz - Fake email address provided in the phishing lure.
- url: hxxps://sites[.]google[.]com/view/workspace-business/join - Phishing URL used in the Slack lure to initiate the fake authentication flow.
Key Takeaways
- Attackers are impersonating Linux Foundation leaders on Slack to target open source developers.
- The attack uses a fake AI tool pitch to lure victims to a malicious Google Sites page.
- Victims are tricked into installing a malicious root certificate to intercept encrypted traffic.
- On macOS, the attack downloads and executes a malicious binary named 'gapi' from a remote IP.
- The campaign exploits developer trust and utilizes legitimate infrastructure to bypass casual inspection.
Affected Systems
- macOS
- Windows
- Slack
Attack Chain
The attacker impersonates a trusted community leader on Slack and sends a direct message pitching a fake AI tool. The message contains a link to a malicious Google Sites page where the victim undergoes a fake authentication flow to harvest their email and verification code. The victim is then prompted to install a malicious root certificate, which enables interception of encrypted traffic. On macOS, a script subsequently downloads and executes a malicious binary named 'gapi' from a remote IP, potentially leading to full system compromise.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but shares actionable IOCs such as IPs, URLs, and file names for custom rule creation.
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions should easily detect the installation of unauthorized root certificates and the execution of the unknown 'gapi' binary on macOS.
- Network Visibility: Medium — The initial phishing link uses legitimate Google Sites infrastructure, making network detection difficult, but the subsequent download from the bare IP 2.26.97.61 is highly visible.
- Detection Difficulty: Moderate — The social engineering aspect and use of legitimate infrastructure (Google Sites) make initial detection hard, but the installation of a root certificate and execution of a binary from a bare IP provide solid detection opportunities.
Required Log Sources
- Endpoint process creation logs
- Certificate store modification logs
- Network connection logs
- Web proxy logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unexpected modifications to the system root certificate store, particularly certificates claiming to be from Google. | Endpoint certificate store logs | Defense Evasion | Low |
| Search for network connections to the IP address 2.26.97.61, especially those initiated by scripts or unknown binaries. | Network connection logs | Execution | Low |
| Identify the execution of a binary named 'gapi' on macOS systems, particularly if downloaded from an external source. | Endpoint process creation logs | Execution | Low |
Control Gaps
- Lack of out-of-band verification for Slack communications
- Inability to block malicious content hosted on legitimate services like Google Sites
Key Behavioral Indicators
- Installation of unauthorized root certificates
- Execution of the 'gapi' binary
- Network traffic to 2.26.97.61
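The hunting hypotheses and behavioral indicators above translate directly into a small set of rules. The following Python script is an added example, not code from the report or from Socket: it re-fangs the report's defanged IOCs, runs four rules (phishing URL visit, root-store modification, 'gapi' execution, connection to 2.26.97.61) over a constructed batch of endpoint, network and proxy events, and ranks hosts by how many distinct stages fired, so a host showing the full chain rises above one with a single, possibly benign, hit. The event schema, host names and sample log lines are invented for the example; the macOS `security add-trusted-cert` and Windows `certutil -addstore Root` command-line shapes are the generic T1553.004 patterns and are assumed here, not taken from the report.

```python
import re
from collections import defaultdict


def refang(ioc: str) -> str:
    """Turn a defanged IOC (2[.]26[.]97[.]61, hxxps://...) back into a matchable string."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


# Indicators copied from the report in their defanged form, re-fanged for matching.
C2_IP = refang("2[.]26[.]97[.]61")
PHISHING_URL = refang("hxxps://sites[.]google[.]com/view/workspace-business/join")

# Exact binary name from the report; the anchors avoid matching 'gapi-client' or 'mygapi'.
GAPI_IMAGE = re.compile(r"(^|[/\\])gapi$")

# Root-store modification command lines (assumed generic shapes, not from the report):
# macOS `security add-trusted-cert ...` and Windows `certutil -addstore Root ...`.
ROOT_STORE_CMDLINES = [
    re.compile(r"\bsecurity\b.*\badd-trusted-cert\b", re.IGNORECASE),
    re.compile(r"\bcertutil(\.exe)?\b.*-addstore\b.*\broot\b", re.IGNORECASE),
]


def is_c2_connection(event: dict) -> bool:
    return event.get("type") == "network" and event.get("dst_ip") == C2_IP


def is_gapi_execution(event: dict) -> bool:
    return event.get("type") == "process" and bool(GAPI_IMAGE.search(event.get("image", "")))


def is_root_cert_install(event: dict) -> bool:
    if event.get("type") != "process":
        return False
    cmdline = event.get("cmdline", "")
    return any(pattern.search(cmdline) for pattern in ROOT_STORE_CMDLINES)


def is_phishing_url_visit(event: dict) -> bool:
    url = event.get("url", "").rstrip("/").lower()
    return event.get("type") == "proxy" and url == PHISHING_URL


# (rule name, ATT&CK stage as used in the report's hunting table, predicate)
RULES = [
    ("phishing_url_visit", "Initial Access", is_phishing_url_visit),
    ("root_cert_install", "Defense Evasion", is_root_cert_install),
    ("gapi_execution", "Execution", is_gapi_execution),
    ("c2_connection", "Execution", is_c2_connection),
]


def hunt(events: list) -> list:
    """Run every rule over every event; one finding per (event, rule) hit."""
    findings = []
    for event in events:
        for name, stage, predicate in RULES:
            if predicate(event):
                findings.append({"rule": name, "stage": stage, "host": event["host"]})
    return findings


def prioritize(findings: list) -> list:
    """Rank hosts by the number of distinct rules that fired; multi-stage hosts first."""
    per_host = defaultdict(set)
    for finding in findings:
        per_host[finding["host"]].add(finding["rule"])
    return sorted(per_host.items(), key=lambda kv: (-len(kv[1]), kv[0]))


# Constructed sample telemetry (not real logs): the shape an EDR or proxy might emit.
SAMPLE_EVENTS = [
    {"type": "process", "host": "mac-dev-01", "image": "/Users/dev/Downloads/gapi",
     "cmdline": "/Users/dev/Downloads/gapi"},
    {"type": "process", "host": "mac-dev-01", "image": "/usr/bin/security",
     "cmdline": "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/g.cer"},
    {"type": "network", "host": "mac-dev-01", "dst_ip": "2.26.97.61", "dst_port": 80, "image": "/usr/bin/curl"},
    {"type": "network", "host": "mac-dev-02", "dst_ip": "142.250.72.14", "dst_port": 443,
     "image": "/Applications/Slack.app/Contents/MacOS/Slack"},
    {"type": "process", "host": "mac-dev-02", "image": "/usr/local/bin/gapi-client",
     "cmdline": "/usr/local/bin/gapi-client --sync"},  # near-miss: must not fire
    {"type": "proxy", "host": "win-dev-07", "user": "alice",
     "url": "https://sites.google.com/view/workspace-business/join"},
    {"type": "proxy", "host": "win-dev-07", "user": "alice",
     "url": "https://sites.google.com/view/some-team-docs"},  # legitimate Google Sites use
    {"type": "process", "host": "win-dev-07", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -addstore Root C:\\Users\\alice\\Downloads\\ca.cer"},
]

if __name__ == "__main__":
    for host, rules in prioritize(hunt(SAMPLE_EVENTS)):
        print(f"{host}: {sorted(rules)}")
```

In the sample batch, mac-dev-01 fires three rules and should be triaged first, win-dev-07 shows the phishing visit plus a root-store change, and mac-dev-02 produces nothing: ordinary Google Sites traffic and a binary that merely contains the string 'gapi' are left alone, which is what keeps the false-positive rate at the "Low" the report assesses.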
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block access to the IP address 2.26.97.61.
- Search endpoint logs for the execution of the 'gapi' binary or installation of suspicious root certificates.
- If affected, disconnect from the network, remove newly installed certificates, rotate all credentials, and revoke active sessions.
Infrastructure Hardening
- Enforce Multi-Factor Authentication (MFA) on all developer and collaboration accounts.
- Implement strict controls and monitoring around modifications to the system root certificate store.
User Protection
- Deploy endpoint security solutions capable of detecting unauthorized certificate installations and suspicious binary executions.
Security Awareness
- Train developers to verify identities out-of-band when receiving unusual requests on Slack or other collaboration platforms.
- Educate users to never install root certificates from links or unexpected prompts.
- Warn users against executing downloaded binaries or scripts from unverified sources.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1584.001 - Compromise Infrastructure: Domains
- T1553.004 - Subvert Trust Controls: Install Root Certificate
- T1557 - Adversary-in-the-Middle
- T1059.004 - Command and Scripting Interpreter: Unix Shell
Additional IOCs
- IPs:
  - 2[.]26[.]97[.]61 - Remote IP address hosting the malicious macOS binary.
- Domains:
  - sites[.]google[.]com - Legitimate domain abused to host the phishing page.
- URLs:
  - hxxps://sites[.]google[.]com/view/workspace-business/join - Phishing URL used in the Slack lure.
- Other:
  - cra@nmail.biz - Fake email address provided in the phishing lure.
  - CDRX-NM71E8T - Access key used in the fake authentication flow.