Security researchers at Kaspersky have identified a sophisticated APT hacking group that has been operating since at least 2012 without being noticed, thanks to its complex and clever hacking techniques.
The group used a piece of advanced malware, dubbed Slingshot, to infect hundreds of thousands of victims in the Middle East and Africa by hacking into their routers.
According to a 25-page report [PDF] published by Kaspersky Labs, the group exploited unknown vulnerabilities in routers from the Latvian network hardware vendor Mikrotik as its first-stage infection vector, in order to covertly plant its spyware on victims’ computers.
Although it is unclear how the group managed to compromise the routers in the first place, Kaspersky pointed to the WikiLeaks Vault 7 CIA leaks, which revealed the ChimayRed exploit, now available on GitHub, for compromising Mikrotik routers.
Once a router is compromised, the attackers replace one of its DLL (dynamic link library) files in the router’s file system with a malicious one, which is loaded directly into the victim’s computer memory when the user runs the Winbox Loader software.
Winbox Loader is a legitimate management tool built by Mikrotik for Windows users to configure their routers easily; it downloads some DLL files from the router and executes them on the user’s system.
This is how the malicious DLL file comes to run on the targeted computer, where it connects to a remote server to download the final payload, the Slingshot malware.
Slingshot includes two modules: Cahnadr (a kernel-mode module) and GollumApp (a user-mode module), designed for information gathering, persistence and data exfiltration.
The Cahnadr module, aka NDriver, handles anti-debugging, rootkit and sniffing functionality, injection of additional modules and network communications; in short, all the low-level capabilities the user-mode modules need.
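The infection chain above works because a trusted management client executes DLLs it fetched from a device that may itself be compromised. The usual mitigation is to refuse any downloaded module whose hash is not on a vendor-supplied allowlist (or whose signature does not verify). The following is an added illustration of that check, not code from Kaspersky, Mikrotik or Winbox; the module names, manifest and downloaded bytes are constructed for the example.

```python
import hashlib
import hmac


def sha256_hex(blob: bytes) -> str:
    """SHA-256 of a downloaded module, as a hex string."""
    return hashlib.sha256(blob).hexdigest()


def verify_module(name: str, blob: bytes, manifest: dict) -> bool:
    """Return True only if `name` is a known module and its bytes match the
    allowlisted digest. Unknown names are rejected outright; constant-time
    comparison avoids leaking how much of the digest matched."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(blob), expected)


def triage_downloads(downloaded: dict, manifest: dict):
    """Split modules received from the device into those safe to load and
    those that must be discarded (and, in practice, alerted on)."""
    accepted, rejected = [], []
    for name, blob in downloaded.items():
        (accepted if verify_module(name, blob, manifest) else rejected).append(name)
    return accepted, rejected


# Constructed vendor builds (hypothetical names; stand-ins for real DLL contents).
VENDOR_A = b"vendor build of module_a.dll (constructed)"
VENDOR_B = b"vendor build of module_b.dll (constructed)"

# The allowlist a client would ship with (or fetch over an authenticated channel).
MANIFEST = {
    "module_a.dll": sha256_hex(VENDOR_A),
    "module_b.dll": sha256_hex(VENDOR_B),
}

# Constructed sample of what a compromised device might serve: one intact module,
# one module with extra bytes appended, and one module the manifest never listed.
SAMPLE_DOWNLOAD = {
    "module_a.dll": VENDOR_A,
    "module_b.dll": VENDOR_B + b" + appended stage (constructed)",
    "extra.dll": b"module not present in the manifest (constructed)",
}

if __name__ == "__main__":
    ok, bad = triage_downloads(SAMPLE_DOWNLOAD, MANIFEST)
    print("load:", ok)      # ['module_a.dll']
    print("reject:", bad)   # ['module_b.dll', 'extra.dll']
```

A hash allowlist is the simplest form of this control; a production client would more likely verify an Authenticode-style signature over each module, but the decision point is the same: the device the tool manages is not a trusted source of executable code.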
“[Cahnadr is a] kernel-mode program is able to execute malicious code without crashing the whole file system or causing Blue Screen—a remarkable achievement,” Kaspersky says in its blog post published today.
“Written in pure C language, Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions, and carries out integrity control of various system components to avoid debugging and security detection.”
GollumApp, meanwhile, is the most sophisticated module: it carries a wide range of spying functions that let attackers capture screenshots, collect network-related information and passwords saved in web browsers, log every pressed key, and maintain communication with remote command-and-control servers.
Since GollumApp runs in kernel mode and can also start new processes with SYSTEM privileges, the malware gives attackers full control of the infected systems.
Although Kaspersky has not yet attributed the group to any country, based on the clever techniques used and the limited set of targets the security firm concluded that it is definitely a highly skilled, English-speaking, state-sponsored hacking group.
“Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable—and, to the best of our knowledge, unique,” the researchers say.
The victims are mostly individuals, along with some government organizations, across various countries including Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey, Sudan and the United Arab Emirates.