Kaspersky Lab specialists uncovered a malware that had gone unnoticed for the last 6 years

Source: kaspersky.com

Malicious software is improving very quickly. It is created for a variety of purposes - from stealing money to sabotage. The other day, Kaspersky Lab published a detailed report in which the results of studying an unusual malware, called Slingshot, are listed. It was named this way because the detected sections of the code contained the text with this “name”.

Slingshot is a close relative of Regin, an advanced backdoor that has harmed the customers of the Belgian company Belgacom, and Project Sauron , a powerful malware that has remained unnoticed by information security specialists for many years. Slingshot is no different in this from its predecessors, he knows how to hide just fine. The disguise skills are so good that the virus went unnoticed for six years.

The detection of Slingshot made it possible to study a complex ecosystem of malicious software consisting of several elements that work interacting with each other. As a result, a flexible and powerful system is formed, which is able to bypass barriers and barriers in the form of anti-virus software.
')
“Malware is created by first-class experts, it performs its task in different ways, sometimes quite original. This software combines new and old elements of virus software. When assembled together, these elements are highly effective malware, ”the Lab report says.

Researchers still do not know exactly what exactly Slingshot began its distribution with, but it is known that some of these “victims” are production routers produced by the Latvian company MikroTik. Somehow, Slingshot operators accessed the routers and placed the malicious code in them. The attackers may have used the Winbox configuration utility, which was used to load the DLL. One of them, ipv4.dll, is a malware downloader created by malware developers. Winbox was used to transfer ipv4.dll to the target computer, as a result of which an infection occurred.

The loader downloads other components of the system, and launches them. In order to launch the individual components successfully, the attackers used various tricks, including signed vulnerable drivers, with the subsequent exploitation of the vulnerabilities. The process can be compared with the introduction of the Trojan horse. Other loadable modules include Cahnadr and GollumApp. They are interrelated, and able to work, taking into account the actions of each other.

The most complex module in this bundle can be called GollumApp. It includes about 1500 functions and allows you to perform many tasks with the file system, remote access to the system, etc.

Canhadr, which is also known as the Ndriver, can execute low-level commands, including network commands, I / O operations, and the like. The module can execute malicious code without disabling the entire system with the advent of BSoD. The modules are written in pure “C”, which allows the malware to get full access to the hard disk and the memory of the compromised system.

According to representatives of Kaspersky Lab, this software can still have unexplored features and work with zero-day vulnerabilities, which are unknown to the general public - of course, here we mean cybersecurity experts. The effectiveness of technologies to hide signs of virus activity is at least indicated by the fact that it has been active since 2012 and still works on many systems (although all these systems are difficult to identify).



One of the ways of "playing hide and seek" is to use disk encryption, unused part of it, by the malware. It separates its own files from the PC system files, and thus also reduces the likelihood of finding its work. In addition, the virus encrypts almost all text strings in any of its modules. Thus, it is difficult for antivirus to identify malware.

What is the purpose of the creators of this virus? Experts believe that the main thing is espionage. Slingshot keeps logs of various desktop PC processes, and also copies its contents from the buffer at different times. In addition, the malware takes screenshots from time to time, works as a logger, monitors network activity, collects passwords and data about connected USB equipment. As far as can be judged, Slingshot has access to almost any data on the infected computer’s hard drives. Infected systems are found mainly in Kenya and Yemen, but they are found in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. In some cases, user PCs have been compromised, and in others, computers of government organizations and institutions.