Kaspersky uncovers malware attacking through routers


MikroTik's router management software, Winbox, downloads DLLs from the router's file system and loads them directly into the computer's memory - an intended feature that Slingshot's developers exploited by adding a malicious library called ipv4.dll, which in turn downloads the espionage tools.

Researchers at Kaspersky Lab have discovered a sophisticated advanced persistent threat (APT) that has been used for cyber espionage in the Middle East and Africa from at least 2012 until February this year.

Kaspersky Lab found sophisticated cyber-espionage malware, more advanced than most, which had been hiding in routers for almost six years.

Slingshot was revealed by researchers at Kaspersky Lab as a Trojan horse, in that the malicious code piggybacked off compromised MikroTik routers. So yeah, it's pretty damn smart.

Cyber espionage appears to be the main aim of Slingshot, with analysis suggesting it harvests screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard data and more. Despite only 100 systems having been found infected, Slingshot is sophisticated and nothing short of a "masterpiece" according to its discoverers.

It could also load powerful malware modules such as Cahnadr and GollumApp, two modules that support each other, one in the operating system's kernel and one in user mode, to enable information gathering and data exfiltration. However, we would tenuously speculate that the malware may have come from Western state-actors and was used to snoop on nations known to be hotspots of conflict, insurgency, or illicit activity.

The researchers haven't named Slingshot's country of origin but note the presence of debug messages written in flawless English, while various component names such as Gollum and Smeagol suggest the authors are fans of The Hobbit.

"Accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error", Kaspersky's researchers said, so that's worth bearing in mind.

Slingshot appeared to spread through routers designed by Latvian company MikroTik, although Kaspersky has noted that other techniques, such as the exploitation of zero-day vulnerabilities, could have helped spread the threat. Slingshot then launches an attack on two fronts: Cahnadr runs low-level kernel code that lets it operate across the system, while GollumApp works at user level, managing the file system to ensure the malware survives. Kaspersky says it has given MikroTik all its information and that MikroTik's software no longer downloads anything from users' routers to their computers.
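The infection vector described above comes down to a client loading code fetched from a device it cannot trust. The following added example (not Winbox's or MikroTik's code) contrasts that pattern with the mitigation: a simulated router file system, where the file names and contents are constructed, and a hypothetical pinned allowlist of library hashes that the client checks before loading anything.

```python
import hashlib

# Constructed stand-in for the router's file system as the client reads it:
# file name -> file bytes. Contents are placeholders, not real MikroTik files.
ROUTER_FS = {
    "helper.dll": b"legitimate client helper (constructed)",
    "ipv4.dll":   b"malicious library planted on the router (constructed)",
}

# Hypothetical pinned allowlist: library name -> SHA-256 of the known-good
# bytes. MikroTik publishes no such list here; it only illustrates the fix.
PINNED = {
    "helper.dll": hashlib.sha256(ROUTER_FS["helper.dll"]).hexdigest(),
}


def load_all_unverified(fs):
    """The design Slingshot abused: every DLL the router offers gets loaded."""
    return [name for name in fs if name.lower().endswith(".dll")]


def load_verified(fs, pinned):
    """Hardened variant: a DLL loads only if its name is pinned AND its bytes
    hash to the pinned value, so a planted ipv4.dll and a tampered helper.dll
    are both rejected. Returns (loaded, rejected)."""
    loaded, rejected = [], []
    for name, data in fs.items():
        if not name.lower().endswith(".dll"):
            continue
        expected = pinned.get(name.lower())
        if expected is None or hashlib.sha256(data).hexdigest() != expected:
            rejected.append(name)
        else:
            loaded.append(name)
    return loaded, rejected


if __name__ == "__main__":
    print("unverified:", load_all_unverified(ROUTER_FS))
    print("verified:  ", load_verified(ROUTER_FS, PINNED))
```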

One incredibly sophisticated thing the malware did to hide its existence was to use an encrypted virtual file system located in an unused part of the hard drive. Its other evasion measures include encrypting all strings in its modules, calling system services directly in order to bypass security product hooks, using a number of anti-debugging techniques and selecting which process to inject into depending on which security solution processes are installed and running.

"Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation", said Kaspersky. "Its infection vector is remarkable - and, to the best of our knowledge, unique", the researchers write in the report, released Friday. We doubt the average Joe has to worry about the malware given it looks like it was acutely targeted.
