Slingshot APT: advanced malware that went unnoticed for six years

Last week, researchers at Kaspersky Lab disclosed malware that had gone undetected for six years. It is called Slingshot. It reached many of its victims through compromised MikroTik routers.

In implementation complexity, experts note, Slingshot rivals the Regin trojan, which hit the Belgian network operator Belgacom and other large organizations, and Project Sauron.

We discuss the components and purpose of the malware below.

/ photo Jan Hammershaug CC

The malware was discovered by a fluke. A group of researchers analyzed the code of a keylogger and decided to check whether it turned up anywhere else. The signature matched the seemingly innocent scesrv.dll file on another computer. Further tests showed that when that computer connected to the router's configuration system, the malware activated, loaded a copy of itself onto the freshly connected machine and obtained kernel-level access.

The malware collects screenshots and information about the network and USB connections, intercepts passwords and clipboard data, and tracks activity on the computer. From this the researchers concluded that Slingshot's purpose is most likely espionage.

It has not been established exactly how Slingshot infected its first targets; it is known, however, that the attackers placed malicious code on routers made by the Latvian company MikroTik. The routers' Winbox configuration tool downloads DLL files from the router and loads them into the administrator's computer's memory. The attackers placed an ipv4.dll library on the router, and it was transferred into memory along with the legitimate ones. Once loaded, this file downloaded the other components of the malware.

Malware components

The Slingshot program itself is a loader that replaces an existing system dynamic library on the victim's computer. Slingshot embeds the modules it needs in the DLL, compressing part of the original file so that the file size stays unchanged. It then changes the entry point, redirecting it to its own loader code, and recalculates the DLL's checksum so the header remains consistent. Once the malicious modules have been loaded, the loader restores the original code of the system DLL in memory.
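The three header edits described above (redirect the entry point, keep the size, recompute the checksum) have a defensive consequence worth spelling out: the PE CheckSum field is a self-consistency value that anyone can recompute, so "the checksum validates" says nothing about integrity. The Python below is an added example, not Slingshot's code and not taken from the Kaspersky report. It builds a constructed minimal PE32 image that stands in for a system DLL, repeats the loader's edit on it, and shows that the recomputed checksum validates while a comparison of the entry point and section layout against a recorded known-good baseline still flags the change. The sample DLL, the 0x1080 and 0x3000 entry addresses and the helper names are all assumptions made for illustration.

```python
import struct

E_LFANEW_OFFSET = 0x3C            # DOS header field pointing at the "PE\0\0" signature
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def pe_checksum(data, checksum_offset):
    """imagehlp-style PE CheckSum: 16-bit end-around-carry sum of every dword
    except the CheckSum field itself, plus the file length (field dword-aligned)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def parse_pe(data):
    """Header facts needed for the baseline comparison (PE32 and PE32+ alike)."""
    pe = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    sections = []
    for i in range(nsect):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode(), f[2], max(f[1], f[3]), f[9]))  # name, RVA, size, flags
    return {"opt_offset": opt, "size": len(data), "sections": sections,
            "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum_offset": opt + 64,
            "checksum": struct.unpack_from("<I", data, opt + 64)[0]}

def verify_checksum(data):
    info = parse_pe(data)
    return info["checksum"] == pe_checksum(data, info["checksum_offset"])

def set_checksum(data):
    """Recompute and store CheckSum: exactly what the loader does after patching."""
    out = bytearray(data)
    off = parse_pe(data)["checksum_offset"]
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)

def build_sample_dll():
    """Constructed stand-in for the known-good system DLL (not a real Windows binary):
    a minimal PE32 DLL with 0x200 bytes of headers and one 0x200-byte .text section of 'ret' opcodes."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, 0x40)
    # COFF header: i386, one section, 0xE0-byte optional header, EXECUTABLE|32BIT|DLL
    struct.pack_into("<4sHHIIIHH", hdr, 0x40, b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = 0x40 + 24
    for off, fmt, val in ((0, "<H", 0x10B),        # Magic: PE32
                          (16, "<I", 0x1000),       # AddressOfEntryPoint
                          (28, "<I", 0x10000000),   # ImageBase
                          (32, "<I", 0x1000),       # SectionAlignment
                          (36, "<I", 0x200),        # FileAlignment
                          (56, "<I", 0x2000),       # SizeOfImage
                          (60, "<I", 0x200),        # SizeOfHeaders
                          (68, "<H", 2),            # Subsystem: Windows GUI
                          (92, "<I", 16)):          # NumberOfRvaAndSizes
        struct.pack_into(fmt, hdr, opt + off, val)
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0, b".text", 0x200, 0x1000, 0x200,
                     0x200, 0, 0, 0, 0, 0x60000020)        # CODE|EXECUTE|READ
    return set_checksum(bytes(hdr) + b"\xC3" * 0x200)

def patch_entry_point(data, new_entry, fix_checksum):
    """Mimic the loader's header edit: redirect AddressOfEntryPoint and, if asked,
    make CheckSum consistent again. The file size does not change."""
    out = bytearray(data)
    struct.pack_into("<I", out, parse_pe(data)["opt_offset"] + 16, new_entry)
    return set_checksum(bytes(out)) if fix_checksum else bytes(out)

def check_against_baseline(data, baseline):
    """Findings from comparing header facts with a recorded known-good baseline;
    a self-consistent CheckSum on its own proves nothing."""
    cur, findings = parse_pe(data), []
    if cur["size"] != baseline["size"]:
        findings.append("file size changed")
    if cur["entry_point"] != baseline["entry_point"]:
        findings.append("AddressOfEntryPoint changed: 0x%x -> 0x%x"
                        % (baseline["entry_point"], cur["entry_point"]))
    ep = cur["entry_point"]
    home = [s for s in cur["sections"] if s[1] <= ep < s[1] + s[2]]
    if not home:
        findings.append("entry point 0x%x lies outside every section" % ep)
    elif not home[0][3] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point in non-executable section " + home[0][0])
    return findings

if __name__ == "__main__":
    good = build_sample_dll()
    stealthy = patch_entry_point(good, 0x1080, fix_checksum=True)
    print("CheckSum valid after tampering:", verify_checksum(stealthy))   # True
    print(check_against_baseline(stealthy, parse_pe(good)))
```

Run directly, the script reports that the tampered image still has a valid checksum and the same size, and that only the baseline comparison notices the moved entry point. In practice the baseline comes from a clean copy of the library, a catalog hash or an Authenticode signature check; the checksum verification is included only to show that it passes.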

Slingshot loads many auxiliary components, but the two main and largest modules are Cahnadr (which runs in kernel mode) and GollumApp (which runs in user mode). They are linked and cooperate in searching for and collecting information.

Cahnadr interacts with the network at a low level and can run malicious code in kernel mode without corrupting the file system or triggering a "blue screen of death". It is written in pure C and can access the hard disk and RAM regardless of the restrictions imposed by the operating system. It is also responsible for integrity monitoring and for hiding the malware's activity from analysis tools.

For example, it uses dedicated techniques to mask network traffic. All malware components are placed in a separate pool, which makes it possible to tell their requests apart from other, harmless ones. Information about packets transmitted over the network passes through NET_BUFFER_LIST structures; if an entry originating from the malicious pool appears in the list, Cahnadr removes it, so that no completion notification for that packet is delivered.

As for the GollumApp module, it contains roughly 1,500 functions and is injected into the services.exe process. It creates a new thread and works directly with system services: it collects network data (routing tables, proxy information, AutoConfigUrl settings), steals passwords saved in Mozilla and IE browsers, logs every keystroke, starts new processes with SYSTEM rights and manages EFS I/O requests.

/ photo Christiaan Colen CC


The malware has presumably been active since 2012, but it remained unknown for a long time because Slingshot uses a set of techniques to hide its activity: evasion of antivirus detection, dedicated anti-analysis measures and encryption.

Moreover, the malware turned out to be rather rare, which also made detection difficult: the researchers counted about 100 infected computers, most of them in Africa and the Middle East: Kenya, Yemen, Afghanistan, Turkey, Iraq, Sudan, Jordan and others. Most of the victims are individuals, but government organizations are also on the list.

Kaspersky Lab notes that it was unable to find any connection to previously known APTs. However, some of the techniques and exploits used by Slingshot (such as the exploitation of vulnerable drivers) have been seen before in malware such as Turla, Grayfish and White Lambert. The researchers say that detection signatures have now been created, and MikroTik has already released a software update to block Slingshot.
