SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
15 Mar 2018

Slingshot APT: Riding on a hardware Trojan horse

One of the most interesting revelations from researchers at Kaspersky Security Analyst Summit (SAS) this year was a report on a highly sophisticated cyberespionage campaign called Slingshot. 

The first part to understand is the means of infection. What makes this initial attack vector unique is that, according to the research, many victims were attacked through compromised routers made by MikroTik.

Routers download and run various DLL files in the normal course of business. Attackers found a way to compromise the devices by adding a malicious DLL to an otherwise legitimate package of other DLLs. The bad DLL was a downloader for various malicious files, which were also stored in the router. Experts reported this issue to router manufacturer, and MikroTik has already dealt with this problem. However, experts believe that MikroTik not the only brand used by Slingshot actors — there may be other compromised devices.

Another interesting aspect of Slingshot is a trick it uses to run malware in kernel mode. In updated operating systems that is almost impossible, but this malware searches computers for signed vulnerable drivers, and uses them to ran its own code.

Malicious instruments

Among the malware Slingshot used were two masterpieces: a kernel mode module called Cahnadr and GollumApp, a user mode module. Running in kernel mode, Cahnadr gives attackers complete control, without any limitations, over the infected computer. Furthermore, unlike the majority of malware that tries to work in kernel mode, it can execute code without causing a blue screen. The second module, GollumApp, is even more sophisticated. It contains nearly 1,500 user-code functions. Thanks to those modules, Slingshot can collect screenshots, keyboard data, network data, passwords, other desktop activity, the clipboard, and a lot more. And all without exploiting any zero-day vulnerabilities. At least, experts have not found Slingshot using them yet.

Antidetection mechanism

What makes Slingshot really dangerous is the numerous tricks its actors use to avoid detection. It can even shut down its components when it detects signs that might indicate forensic research. Furthermore, Slingshot uses its own encrypted file system in an unused part of a hard drive. You can find more details about Slingshot on Securelist.

How to cope with APTs like Slingshot

If you use a MikroTik router and WinBox managing software, download the latest version of the program and make sure the router has been updated to the latest version of its OS. However, updates save you from just one attack vector, not from the APT itself. To protect your business against sophisticated targeted attacks, you need to implement a strategic approach.

Tags:
hackers fraud information leaks
Source:
Kaspersky Daily
1692
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015