MALWARE HAS BEEN LURKING in routers undiscovered for six years yet stealthily managed to infect at least 100 computers across the globe.
That is until now, as researchers from Kaspersky Lab dug up the malware, which they dubbed Slingshot, while analysing a suspected keylogger.
The researchers identified a malicious library that was able to interact with a virtual file system which they noted was a good sign of the presence of an advanced persistent threat, whereby an unauthorised person or programme gains access to a network and lurks there undetected for some time with the intention of swiping data rather than causing damage.
Kaspersky’s researchers claim Slingshot malware was part of a highly sophisticated attack platform that rivals the Reign and Project Sauron malware, suspected of being developed by nation-state sponsored actors. As such, Slingshot looks like it may have been produced with the backing of a nation.
Unsurprisingly, Slingshot looks like it was used for espionage purposes, though no specifics have surfaced yet.
“The discovery of Slingshot reveals another complex ecosystem where multiple components work together in order to provide a very flexible and well-oiled cyber-espionage platform,” the researchers reported.
“The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor.”
Slingshot worms its way onto a machine by replacing the legitimate Windows dynamic link library with a malicious version. Once done, it connects to a hardcoded IP and port, found to be a router’s IP address, and then uses the connection to download other malicious components to carry out its espionage, hence why it forms a malware platform.
It can bypass security measures, such as Driver Signature Enforcement, by loading signed vulnerable drivers and running its own code through those security holes. So yeah, it’s pretty damn smart.
It could also load powerful malware modules such has the Cahnadr and GollumApp, which are two modules able to support each other in an operating system’s kernel and user modes and allow for information gathering and data exfiltration.
The data thought to be gobbled up includes everything from desktop activity logging to network data and passwords. Slingshot is also capable of accessing the data on an infected PC’s hard drive or internal memory due to its ability to access an operating system’s kernel level.
Infected machines cropped up in the likes of Libya, Afghanistan, Jordan, the Congo, Sudan and Somalia, and appeared to target individuals on the whole.
Kaspersky didn’t speculate as to why machines in these nations were targeted. However, we would tenuously speculate that the malware may have come from Western state-actors and was used to snoop on nations known to be hotspots of conflict, insurgency, or illicit activity.
This guesswork is given a little more credence given that Kaspersky’s researchers noted that debug messages were written in perfect English. Coincidence? We’re not so sure.
“Accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error,” Kaspersky’s researchers said, so that’s worth bearing in mind.
Slingshot appeared to spread via routers produced by Latvian company MikroTik, although Kaspersky has noted that other techniques – such as the exploitation of zero-day vulnerabilities – could have helped spread the threat.
Kaspersky doesn’t have any specifics of how Slingshot appeared on MikroTik routers, but it looks like the router’s Winbox configuration utility was exploited to load dynamic link library files. The malware then makes the jump from routers to connected PCs by transferring a malicious downloader file, which is then loaded into a computer’s memory and executed, setting the infection into motion.
Slingshot appears to have been active as far back as 2012 thanks to its suite of encryption and security-bypassing techniques. For example, it was able to hide from detection by using an encrypted virtual file system that as cloaked in an unused part of a hard drive. Slingshot also kept malware files separate from an infected machine’s file system, which helped keep it away from the noses of anti-virus software.
“Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable – and, to the best of our knowledge, unique,” the researchers noted and explained that as of February 2018 Slingshot still appears to be active.
Users of MicroTik routers are advised to update to the latest software in order to write-off the possibility of older exploited being used to infect them.
Further details of Slingshot and its origins have yet to surface. We doubt the average Joe has to worry about the malware given it looks like it was acutely targeted.
But it does show that cyber attacks are being increasingly used for what appears to be nation-state supported espionage. Perhaps the next James Bond will be a cybersecurity guy rather than a Navy commander. µ
Source : Inquirer