Slingshot - A State-Sponsored Malware
State-sponsored cyber-espionage is nothing new, but it is rare to see a detailed description of how such programs work and are structured, as is the case with Slingshot, the latest malware, which uses MikroTik routers to spread.
For years we have witnessed more or less successful attempts to create malware. We became aware that this industry has grown into a serious business that involves not only assorted wannabe creators, but also a whole group of experienced software vendors, as well as state and private spy agencies and other organisations. Thus, with time, often after years of hiding, we heard of Project Sauron, Regin, Equation, Duqu and Careto.
If we look at the common features of this malicious software, we find the use of zero-day vulnerabilities, unknown and often undetected attack vectors, the ability to stay hidden for several years, concealment techniques not seen before, and the abuse of undocumented functionality of the operating systems.
This malicious software is generally aimed at state bodies in various countries, scientific institutions, telecommunications companies and the financial sector. The geographic grouping is interesting: the attacks were concentrated in the East but also reached the West, and the latest group of attacks appears to be limited to Africa and part of the Middle East.
So, the latest threat is called Slingshot. This spyware was discovered by researchers from the well-known security company Kaspersky. Security experts agree that Slingshot is a very complex spyware platform, found on about a hundred computers, mostly in the Middle East and Africa.
Slingshot has been compared to Project Sauron and Regin. It has been active since 2012 and can use MikroTik routers as an attack vector. However, according to the research, MikroTik routers are just one of the entry vectors, while in most cases the infection remains undetected.
Slingshot takes its name from text found in the code of its malicious loader, which initially replaces the legitimate Windows library "scesrv.dll" with malicious code of exactly the same size. To keep the size identical, part of the original library is compressed and inserted alongside the injected code. Slingshot uses a variety of advanced techniques to avoid detection and to survive removal, whether deliberate or unintentional (for example, through a system upgrade).
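As a defender's illustration of the point above (an added example, not code from the article or from Kaspersky's report): a file-integrity check that records both size and SHA-256 hash for system libraries, so that a same-size substitution of a file such as scesrv.dll is still caught. All file contents are constructed in memory, the file names and helper functions are assumptions for this example only, and the "replacement" fixture merely compresses the original and pads to the same length; it carries no code of any kind.

```python
"""Baseline-and-verify integrity check for system libraries.

Added example, not from the article or the Kaspersky report. Shows why a
size-only check misses a same-size replacement of a library while a SHA-256
baseline catches it. Everything below is constructed in memory; no real
Windows binary is read.
"""
import hashlib
import zlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as a hex digest."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record size and SHA-256 for each (name -> bytes) taken on a known-clean host."""
    return {name: {"size": len(data), "sha256": sha256_hex(data)}
            for name, data in files.items()}


def verify(baseline: dict, current: dict) -> dict:
    """Compare current file contents against the baseline.

    Returns name -> {"size_ok": bool, "hash_ok": bool, "verdict": str}.
    A file whose size matches but whose hash does not is exactly the case a
    size-only check would wave through.
    """
    report = {}
    for name, ref in baseline.items():
        data = current.get(name)
        if data is None:
            report[name] = {"size_ok": False, "hash_ok": False, "verdict": "missing"}
            continue
        size_ok = len(data) == ref["size"]
        hash_ok = sha256_hex(data) == ref["sha256"]
        if hash_ok:
            verdict = "clean"
        elif size_ok:
            verdict = "tampered (same size, content differs)"
        else:
            verdict = "tampered (size differs)"
        report[name] = {"size_ok": size_ok, "hash_ok": hash_ok, "verdict": verdict}
    return report


def same_size_replacement(original: bytes, marker: bytes) -> bytes:
    """Test fixture only: compress the original to free up room, append a
    harmless marker string, and pad to exactly the original length. This
    stands in for a same-size substitution; it contains no executable content."""
    body = zlib.compress(original, 9) + marker
    if len(body) > len(original):
        raise ValueError("original does not compress enough to leave room")
    return body.ljust(len(original), b"\x00")


# Constructed stand-ins for clean system files (repetitive bytes compress well).
CLEAN_FILES = {
    "scesrv.dll": b"MZ" + b"\x90" * 4094,   # constructed, 4096 bytes
    "other.dll": bytes(range(256)) * 8,     # constructed, 2048 bytes
}
BASELINE = build_baseline(CLEAN_FILES)


def demo() -> dict:
    """Replace one library with a same-size fixture and run the check."""
    current = dict(CLEAN_FILES)
    current["scesrv.dll"] = same_size_replacement(
        CLEAN_FILES["scesrv.dll"], b"CONSTRUCTED-TEST-MARKER")
    return verify(BASELINE, current)


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: size_ok={r['size_ok']} hash_ok={r['hash_ok']} -> {r['verdict']}")
```

On a real host the baseline would come from a known-clean installation or a vendor catalog, and on Windows the file's Authenticode signature (PowerShell's Get-AuthenticodeSignature) is the stronger check; the point here is that a size comparison, which a same-size substitution is designed to pass, offers no protection, while a hash baseline flags the file immediately.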
The malicious platform consists of several modules. Cahnadr (also called Ndriver) is a kernel module with built-in anti-analysis and anti-debugging functionality as well as anti-rootkit-detection features. This module loads and then supports GollumApp, the user-mode module. Cahnadr monitors network components, disguises the platform's own traffic and watches the system under attack. GollumApp, on the other hand, collects passwords, clipboard content, camera input, disk usage, USB device activity, keystrokes and desktop activity. It can also start a new process or inject a malicious module into a running process. One of its advanced features is reading encrypted Mozilla traffic.
To get around Driver Signature Enforcement, Slingshot loads signed but vulnerable drivers and executes its own code in kernel mode through their vulnerabilities. Hiding its activity is a story of its own: Slingshot uses an encrypted virtual file system placed in unused disk space, encrypts its data, calls system services directly to bypass the standard hooks that antivirus and other protection programs rely on, and can shut down some of its own components if it detects a debugging or forensics tool in use.
Kaspersky has released a 25-page analysis for anyone interested in the details of this complex malicious spy platform. It is crystal clear that Slingshot is a coordinated effort by an extremely well-informed and technologically competent team of experts, with detailed knowledge of operating systems and of the procedures of security and hardware companies.
Whether the maker of this tool is the NSA, the CIA or some other highly secretive agency is less important; what matters is that these threats have existed for years and will remain, predictably in a more complex and more dangerous form.
To the question that immediately arises, how to protect ourselves from such advanced threats, we can hardly offer a satisfactory answer. The security industry is years behind such complex malicious platforms. For zero-day vulnerabilities, "interested" parties offer financial compensation; the more complex the vulnerability, the higher the price. And yes, all of this is completely legal, at least in most legal systems, while intelligence agencies and various "dedicated" security firms stand far above the law. On top of that, such vulnerabilities are all around us, not only in commercial and open-source operating systems and applications but also in proprietary and even bespoke software.
sources:
Sophisticated state-sponsored malware
The Slingshot APT FAQ
Newly discovered Slingshot malware was hidden in routers for 6 years
Slingshot Router Malware Won't Hurt You — But Protect Yourself Anyway

@seckorama

Great post. Thx for sharing. @banjo
Thank you for your comment :)
I don't care what anyone says about Kaspersky, I've always held them in high regard.
Thanks for the excellent article.
Namaste,
JaiChai
Thank you for the comment. Agree, they have their own way of research.