Malware that stayed hidden for 6 years spread via routers

The cunning design allows it to gain access to the sysadmin's machine without actually installing itself there in the first place.

MALWARE HAS BEEN LURKING in routers undiscovered for six years yet stealthily managed to infect at least 100 computers across the globe.

Perhaps one of the most interesting aspects of this malware is its ability to go undetected.

Kaspersky's researchers claim Slingshot was part of a highly sophisticated attack platform that rivals the Regin and ProjectSauron malware, both suspected of having been developed by nation-state-sponsored actors.

"The discovery of Slingshot reveals another complex ecosystem where multiple components work together in order to provide a very flexible and well-oiled cyber-espionage platform," Kaspersky Lab researchers said.

Kaspersky believes most victims of Slingshot were "initially infected through a Windows exploit or compromised Mikrotik routers".

The Slingshot router malware was discovered by accident. Kaspersky also noted that in its most recent version, MikroTik's Winbox Loader no longer downloads anything from the router to the user's system, which reduces the threat.

The loader then communicates back to the router to download the more dangerous components of the payload; in effect, the router acts as the attacker's command-and-control (C2) server.

These components include a kernel-mode module called Cahnadr and a user-mode module called GollumApp. The two modules are connected and support each other in information gathering, persistence and data exfiltration.

One of the most remarkable things about Slingshot is its unusual attack vector. Despite being in the wild since 2012, and still operating as recently as last month, Slingshot had avoided detection until now.

One particularly sophisticated technique the malware used to hide its presence was an encrypted virtual file system stored in an unused part of the hard drive.

The main goal of this malware does seem to be counter-espionage (Kaspersky notes patterns consistent with other such campaigns), but because it operates in kernel mode there are no limits on the information it can collect. Credit card numbers, password hashes and identification codes (such as social security numbers) are just a few examples; essentially any dataset is within reach. The malware also actively evades security software by calling services directly, and it shuts down components when it detects active forensic tools.

However, we would tenuously speculate that the malware may have come from Western state actors and was used to snoop on nations known to be hotspots of conflict, insurgency or illicit activity. The malware has been linked to victims in at least 11 countries.

The infected computers were located primarily in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Interestingly, the vast majority of these victims were individuals, not organisations or governments (though there are a few examples of the latter two). For the time being, Kaspersky has been unwilling to point fingers.

Kaspersky didn't speculate as to why machines in these nations were targeted, but the organisation noted that debug messages were written in flawless English. Such polished English may implicate the NSA, CIA or GCHQ.

Apparently, Slingshot may have used other methods, including zero-day vulnerabilities, to spread. Text clues in the code suggest its authors are English-speaking; however, accurate attribution is always hard, if not impossible, and increasingly prone to manipulation and error.

What can users of Mikrotik routers do?

MikroTik has been informed and has fixed the issue, but Kaspersky believes this is not the only router brand used during the campaign.
