
Slingshot APT: Advanced virus found - it went unnoticed for 6 years

Last week, researchers at Kaspersky Lab disclosed a virus that had gone unnoticed for six years. It was named Slingshot. Many of its victims were infected with the malware via compromised MikroTik routers.

According to the experts, the complexity of Slingshot's implementation surpasses both the Regin trojan, which hit the networks of the Belgian operator Belgacom and other large organizations, and Project Sauron.

We describe the components and purpose of the virus below.

Photo: Jan Hammershaug, CC

The virus was detected by luck. A group of researchers analyzed keylogger code and decided to check whether it turned up anywhere else. The virus's signature showed up in a seemingly innocent scesrv.dll file on another computer. Further tests showed that when the computer connected to the router's configuration tool, the virus activated, loaded a copy of itself onto the “fresh” machine and obtained root access.

The malware "collects" screenshots and information about the network and USB connections, intercepts passwords and clipboard data, and monitors activity on the computer. Based on this, the researchers concluded that the purpose of Slingshot is probably espionage.

It has not been precisely established how Slingshot infected its first targets, but it is known that the creators of the virus injected malicious code into routers made by the Latvian company MikroTik. The routers' Winbox configuration tool loads DLL files into the computer's memory. The attackers placed the ipv4.dll library on the router, and it was transferred to memory along with the rest. Once loaded, the file downloaded the other components of the virus.

Virus components


The Slingshot program itself is a loader that replaces an existing system dynamic library on the victim's computer. Slingshot embeds the necessary modules into the DLL, compressing part of the original file so that its size stays unchanged. It then changes the entry point, “switching” the pointer to the required loader, and calculates a new checksum for the DLL. After the malicious modules have been loaded, the loader restores the original code of the system DLL file in memory.
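As an added example (not code from the article or from the Kaspersky report), the following Python script parses a PE32 header, recomputes the image checksum and compares the file against a known-good SHA-256; the two PE images it works on are constructed inside the script. It shows why a valid checksum proves nothing once a loader has recalculated it, while a recorded baseline hash still catches the patched entry point even though the file size is unchanged.

```python
import hashlib
import struct

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE/COFF image checksum, the value OptionalHeader.CheckSum is supposed to hold."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:          # the CheckSum field itself is excluded
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def build_pe(entry_point: int) -> bytes:
    """Constructed minimal PE32 DLL image (headers plus padding) with a valid checksum."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                   # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)   # i386, DLL flag set
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)                      # AddressOfEntryPoint
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + b"\0" * 32)
    # optional header starts at 64 + 4 + 20 = 88; CheckSum sits 64 bytes into it
    struct.pack_into("<I", image, 88 + 64, pe_checksum(bytes(image), 88 + 64))
    return bytes(image)

def audit_dll(data: bytes, baseline_sha256: str) -> dict:
    """Read the entry point, verify the stored checksum and compare against a known-good hash."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                  # skip signature and COFF header
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    return {
        "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
        "checksum_valid": stored == pe_checksum(data, opt + 64),
        "matches_baseline": hashlib.sha256(data).hexdigest() == baseline_sha256,
    }

def demo() -> tuple:
    # Clean image versus one patched as the article describes: new entry point, checksum recomputed, same size
    clean = build_pe(0x1000)
    baseline = hashlib.sha256(clean).hexdigest()        # known-good hash recorded in advance
    return audit_dll(clean, baseline), audit_dll(build_pe(0x2000), baseline)

if __name__ == "__main__":
    for name, result in zip(("clean", "patched"), demo()):
        print(name, result)
```

The patched image reports `checksum_valid` as True just like the clean one; only the baseline comparison (or, on a real system, a signature check) distinguishes them.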

Slingshot loads many supporting components, but the two main and largest modules are Cahnadr (running in kernel mode) and GollumApp (running in user mode). They are linked and assist each other in searching for and collecting information.

Cahnadr interacts with the network at a low level and can run malicious code without corrupting the file system or causing a blue screen of death. It is written in pure C and is able to access the hard disk and RAM despite the restrictions set by the system. It is also responsible for integrity monitoring and for concealing the virus's activity from analysis systems.

For example, it uses special algorithms to mask network traffic. All of the virus's components are placed in a separate pool, which lets their requests be told apart from other, "harmless" ones. All information about the packets transmitted on the network goes into NET_BUFFER_LIST. If a command from the “malicious pool” appears in the list, Cahnadr deletes it, preventing a success message from being sent.

As for the GollumApp module, it contains roughly 1,500 functions and is injected into services.exe. It creates a new thread and works directly with system services: it collects network data (routing tables, proxy information, AutoConfigUrl settings), steals passwords stored in Mozilla and IE, “records” every keystroke, starts new processes with system rights and manages EFS I/O requests.


Photo: Christiaan Colen, CC

Spread


Presumably, the virus has been operating since 2012, but for a long time nothing was known about it, because Slingshot uses a set of techniques to hide its activity: detection of anti-virus software, specialized measures that complicate analysis, and encryption.

At the same time, the virus turned out to be quite rare, which also made detection difficult: researchers recorded about 100 infected computers, most of them in Africa and the Middle East, namely Kenya, Yemen, Afghanistan, Turkey, Iraq, Sudan, Jordan and others. Most of the victims are individual users, but there are also government organizations on the list.

Kaspersky Lab notes that it could not find any connection with previously known APTs. However, some techniques and exploits (for example, driver vulnerabilities) used by Slingshot have been seen in malware such as Turla, Grayfish and White Lambert. The experts say that virus signatures have now been identified, and MikroTik has already released a software update to block Slingshot.




Source: https://habr.com/ru/post/350974/
