One of the most interesting revelations from researchers at Kaspersky Security Analyst Summit (SAS) this year was a report on a highly sophisticated cyberespionage campaign called Slingshot.
The first part to understand is the means of infection. What makes this initial attack vector unique is that, according to the research, many victims were attacked through compromised routers made by MikroTik.
Routers download and run various DLL files in the normal course of business. Attackers found a way to compromise the devices by adding a malicious DLL to an otherwise legitimate package of other DLLs. The bad DLL was a downloader for various malicious files, which were also stored in the router. Experts reported this issue to the router manufacturer, and MikroTik has already dealt with this problem. However, experts believe that MikroTik is not the only brand used by Slingshot actors — there may be other compromised devices.
Another interesting aspect of Slingshot is a trick it uses to run malware in kernel mode. On up-to-date operating systems that is almost impossible, but this malware searches computers for signed vulnerable drivers and uses them to run its own code.
Among the malware Slingshot used were two masterpieces: a kernel mode module called Cahnadr and GollumApp, a user mode module. Running in kernel mode, Cahnadr gives attackers complete control, without any limitations, over the infected computer. Furthermore, unlike the majority of malware that tries to work in kernel mode, it can execute code without causing a blue screen. The second module, GollumApp, is even more sophisticated. It contains nearly 1,500 user-code functions. Thanks to those modules, Slingshot can collect screenshots, keyboard data, network data, passwords, other desktop activity, the clipboard, and a lot more. And all without exploiting any zero-day vulnerabilities. At least, experts have not found Slingshot using them yet.
What makes Slingshot really dangerous is the numerous tricks its actors use to avoid detection. It can even shut down its components when it detects signs that might indicate forensic research. Furthermore, Slingshot uses its own encrypted file system in an unused part of a hard drive. You can find more details about Slingshot on Securelist.
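The hidden encrypted file system described above is something an investigator can hunt for: strong encryption leaves data that is statistically indistinguishable from random, and such data has no business sitting in disk regions the file system reports as unallocated. The script below is an added example (not from the original article or from Kaspersky's research) of that detection approach. It builds a small constructed disk image in memory, walks only the unallocated ranges (assumed to have been supplied by a file-system parser), computes Shannon entropy per 4 KiB block, and reports blocks that exceed a threshold. Block size, threshold, the image layout and the `pseudo_random_bytes` stand-in for encrypted data are all assumptions chosen for the demonstration.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096          # analysis granularity in bytes (assumed)
ENTROPY_THRESHOLD = 7.5    # bits per byte; encrypted/random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte block, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def scan_unallocated(image: bytes, unallocated, block_size=BLOCK_SIZE,
                     threshold=ENTROPY_THRESHOLD):
    """Return [(offset, entropy)] for blocks inside unallocated ranges whose
    entropy is at or above the threshold. `unallocated` is a list of
    (start, end) byte ranges that a file-system parser would normally supply."""
    findings = []
    for start, end in unallocated:
        for off in range(start, end, block_size):
            block = image[off:min(off + block_size, end)]
            if len(block) < block_size // 2:
                continue  # a tiny tail fragment gives an unreliable estimate
            e = shannon_entropy(block)
            if e >= threshold:
                findings.append((off, round(e, 2)))
    return findings


def pseudo_random_bytes(n: int, seed: bytes = b"demo-seed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for
    ciphertext; constructed for the example so the run is reproducible."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_image():
    """Constructed 10-block image:
       blocks 0-1  allocated (file-system metadata, not scanned)
       blocks 2-3  unallocated, zero-filled (normal wiped space)
       block  4    unallocated, remnants of a deleted text file (low entropy)
       blocks 5-8  unallocated, hidden encrypted region (high entropy)
       block  9    unallocated, zero-filled"""
    zero = b"\x00" * BLOCK_SIZE
    meta = b"FSMETA\x00\x01" * (BLOCK_SIZE // 8)
    text = (b"deleted log line: user login ok\n" * (BLOCK_SIZE // 32))[:BLOCK_SIZE]
    hidden = pseudo_random_bytes(4 * BLOCK_SIZE)
    image = meta + meta + zero + zero + text + hidden + zero
    unallocated = [(2 * BLOCK_SIZE, 10 * BLOCK_SIZE)]
    return image, unallocated


if __name__ == "__main__":
    img, ranges = build_sample_image()
    for off, ent in scan_unallocated(img, ranges):
        print(f"suspicious block at offset {off:#x}: entropy {ent} bits/byte")
```

Two caveats a practitioner would apply: compressed or legitimately encrypted files also have high entropy, so the scan is restricted to regions the file system claims are free, and a hit is a lead to correlate with other evidence (for example a loaded driver that should not be there) rather than proof of a covert store on its own.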
How to cope with APTs like Slingshot
If you use a MikroTik router and the WinBox management software, download the latest version of the program and make sure the router has been updated to the latest version of its OS. However, updates save you from just one attack vector, not from the APT itself. To protect your business against sophisticated targeted attacks, you need to implement a strategic approach.