Kaspersky Lab experts discover malware that went unnoticed for the past six years


Source: kaspersky.com
Malicious software evolves very quickly and is created for a variety of purposes, from theft of funds to sabotage. Kaspersky Lab recently published a detailed report presenting the results of its study of an unusual piece of malware called Slingshot. It was so named because the recovered parts of its code contained that text as a "name".

Slingshot is a close relative of Regin, an advanced backdoor that harmed Belgian companies, and of Project Sauron, a powerful piece of malware that stayed invisible to information security specialists for many years. In this respect Slingshot is no different from its predecessors: it hides very well. Its masking skills are so good that it went undetected for six years.

Slingshot's discovery allowed researchers to explore a complex malware ecosystem consisting of several components that work in interaction with each other. Together they form a flexible and powerful system that can bypass the barriers put up by antivirus software.

“The malware was created by first-class specialists; it performs its task in many ways, some of them very original. This software combines new and old elements of virus software. When assembled together, these elements make highly effective malware,” the report says.

Researchers still do not know exactly how Slingshot's distribution began, but it is known that some of its "victims" are routers manufactured by the Latvian company MikroTik. Somehow the Slingshot operators gained access to the routers and placed malicious code on them. The attackers may have used the Winbox configuration utility, which was used to load the DLLs. One of those DLLs, ipv4.dll, is a loader created by the malware's developers. Winbox transferred ipv4.dll to the target computer, resulting in infection.

The loader downloads the other components and launches them. To make the launch of the individual components succeed, the attackers used various tricks, including signed but vulnerable drivers that were subsequently exploited. The process can be compared with bringing in a Trojan horse. Other downloaded modules include Cahnadr and GollumApp. They are interconnected and operate while taking each other's actions into account.

The most complex module in this bundle is GollumApp. It includes about 1,500 functions and can perform many tasks: working with the file system, remote access to the system, and so on.

Cahnadr, also known as Ndriver, can execute low-level commands, including network commands, I/O operations and so on. The module can execute malicious code without crashing the entire system with a BSoD. The modules are written in pure C, which allows the malware to gain full access to the hard drive and memory of the compromised system.

According to Kaspersky Lab representatives, this software may still have unexplored capabilities and may exploit zero-day vulnerabilities not known to the general public, meaning, of course, the cybersecurity experts. At the very least, the fact that it has been active since 2012 and still runs on many systems speaks to the effectiveness of its techniques for hiding signs of activity (though it is quite difficult to identify all of those systems).
One of its "hide and seek" methods is encrypting an unused part of the disk: the malware keeps its own files there, separate from the PC's system files, which further reduces the likelihood that its activity is detected. In addition, almost all text strings in each of its modules are encrypted, which makes it difficult for antivirus software to identify the malware.

What is the purpose of this malware's creators? Experts believe the main goal is espionage. Slingshot logs various processes on the desktop PC and also copies the clipboard contents at various points in time. In addition, the malware takes screenshots from time to time, works as a keylogger, monitors network activity, and collects passwords and data about connected USB devices. As far as one can tell, Slingshot has access to almost any data on the infected computer's hard drives. Infected systems are found mainly in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. In some cases the compromised machines are users' PCs; in others they are the computers of government organizations and institutions.