Kaspersky uncovers malware attacking through routers

MikroTik's router management software, Winbox, downloads DLLs from the router's file system and loads them directly into a computer's memory - an intended feature that Slingshot's developers exploited by adding a malicious library called ipv4.dll, which downloads the espionage tools.

Researchers at Kaspersky Lab have discovered a sophisticated advanced persistent threat (APT) that has been used for cyber espionage in the Middle East and Africa from at least 2012 until February this year.

Kaspersky Lab found sophisticated cyber-espionage malware, more advanced than most, that had been hiding in routers for almost six years.

Slingshot was revealed by researchers at Kaspersky Lab as a Trojan horse, in that the malicious code piggybacked off compromised MikroTik routers. So yeah, it's pretty damn smart.

Cyber espionage appears to be the main aim of Slingshot, with analysis suggesting it harvests screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard data and more. Despite only 100 systems being found infected, Slingshot is sophisticated and nothing short of a "masterpiece" according to its discoverers.

It could also load powerful malware modules such as Cahnadr and GollumApp, two modules that support each other, one in the operating system's kernel and one in user mode, to enable information gathering and data exfiltration. However, we would tenuously speculate that the malware may have come from Western state-actors and was used to snoop on nations known to be hotspots of conflict, insurgency, or illicit activity.

The researchers haven't named Slingshot's country of origin but note the presence of debug messages written in flawless English, while various component names such as Gollum and Smeagol suggest the authors are fans of The Hobbit.

"Accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error", Kaspersky's researchers said, so that's worth bearing in mind.

Slingshot appeared to spread through routers designed by Latvian company MikroTik, although Kaspersky has noted that other techniques, such as the exploitation of zero-day vulnerabilities, could have helped spread the threat. Slingshot then launches an attack on two fronts, with Cahnadr running low-level kernel code that lets it operate across a system and GollumApp focusing on the user level, managing the file system to ensure the malware survives. Kaspersky says it has given MikroTik all its information and that MikroTik's software no longer downloads anything from users' routers to their computers.
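The infection vector described above (Winbox pulling a DLL such as ipv4.dll from the router and loading it into memory) leaves a visible trace on the endpoint: the Winbox process loading an unsigned module from outside the system directories. The following detection check is an added example, not code from Kaspersky or MikroTik; the event format, the sample records and the trusted-directory list are constructed for illustration, and real image-load telemetry (such as Sysmon event ID 7) carries different field names.

```python
"""Flag suspicious DLL loads by MikroTik Winbox (added example; log format is constructed)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed image-load records: process image | loaded module path | signature verdict
SAMPLE_EVENTS = [
    "winbox.exe|C:\\Windows\\System32\\ws2_32.dll|signed",
    "winbox.exe|C:\\Users\\alice\\AppData\\Roaming\\Mikrotik\\Winbox\\ipv4.dll|unsigned",
    "winbox.exe|C:\\Users\\alice\\Downloads\\winbox\\ipv4.dll|unsigned",
    "notepad.exe|C:\\Windows\\System32\\kernel32.dll|signed",
]

# Directories from which a signed Windows DLL load is expected (assumption for this example)
TRUSTED_DIRS = (PureWindowsPath("C:/Windows/System32"), PureWindowsPath("C:/Windows/SysWOW64"))
# Library name reported in Slingshot's abuse of Winbox
KNOWN_BAD_NAMES = {"ipv4.dll"}


@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    reasons: tuple


def parse_event(line: str) -> tuple:
    """Split one constructed 'process|path|signature' record into its fields."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 3:
        raise ValueError(f"malformed event: {line!r}")
    return fields[0], fields[1], fields[2]


def assess(process: str, dll_path: str, signature: str) -> list:
    """Return the reasons this module load is suspicious (empty list if none)."""
    path = PureWindowsPath(dll_path)
    reasons = []
    if path.name.lower() in KNOWN_BAD_NAMES:
        reasons.append("module name matches the loader reported in Slingshot")
    if process.lower() == "winbox.exe":
        # PureWindowsPath compares case-insensitively, so casing differences do not evade the check
        if path.parent not in TRUSTED_DIRS:
            reasons.append("Winbox loaded a module from outside the trusted system directories")
        if signature.lower() != "signed":
            reasons.append("module is not signed")
    return reasons


def scan(lines) -> list:
    """Run every record through assess() and collect one Finding per suspicious load."""
    findings = []
    for line in lines:
        process, dll_path, signature = parse_event(line)
        reasons = assess(process, dll_path, signature)
        if reasons:
            findings.append(Finding(process, dll_path, tuple(reasons)))
    return findings
```

On the constructed sample, only the two ipv4.dll loads by winbox.exe are flagged, each for all three reasons, while the signed System32 loads pass.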

One incredibly sophisticated thing the malware did to hide its existence was to use an encrypted virtual file system located in an unused part of the hard drive. Its other evasion techniques include encrypting all strings in its modules, calling system services directly in order to bypass security product hooks, using a number of anti-debugging techniques and selecting which process to inject depending on the installed and running security solution processes.

"Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation", said Kaspersky. "Its infection vector is remarkable - and, to the best of our knowledge, unique", the researchers write in the report, released Friday. We doubt the average Joe has to worry about the malware given it looks like it was acutely targeted.



© 2015 ExpressNewsline. All Rights reserved.