What Is It?
While working on a malware incident in February 2018, controversial Russian anti-virus firm Kaspersky Lab discovered a sophisticated piece of malware, which led them to identify additional samples that are the very definition of an Advanced Persistent Threat (APT).
The APT malware, named Slingshot after strings found in its code, uses a unique and highly targeted attack vector to compromise systems belonging to highly privileged users. One indication of its sophistication and success is that it is believed to have remained undetected in the wild for at least six years.
Kaspersky observed nearly one hundred infections in Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Congo, Turkey, Sudan and the United Arab Emirates, with the majority in Kenya and Yemen. Based on text found within the code, Kaspersky believes the creators are native English speakers, though this is difficult to ascertain from language alone, since colloquial English is in common use well beyond native speakers. Kaspersky also believes the APT's overall sophistication points toward a nation-state actor.
The malware is installed on routers made by the Latvian company MikroTik. It is not currently known how the malware is initially placed on a router; it could be through an unknown (zero-day) vulnerability in the router's firmware or through the use of default credentials.
When a system or network administrator responsible for the router logs into it, their workstation becomes infected. According to Kaspersky's report, the MikroTik management tool WinBox downloads DLL files from the router's filesystem and loads them into memory on the administrator's machine, and a compromised router serves a malicious DLL in place of a legitimate one. In this way, the malware infects an attacker's ideal user: one with access to numerous key systems and infrastructure within a corporate environment. Once installed on an administrator's system, the APT downloads additional malware capable of taking screenshots, logging keystrokes, and acquiring network data, passwords, the contents of USB devices and clipboard contents. However, because the malware runs with full access to the kernel (ring 0), which is extremely difficult to achieve reliably without causing the dreaded "blue screen of death," Slingshot could potentially access other sensitive data such as stored password hashes and credit card details.
The length of time this APT went unnoticed reflects the sophisticated techniques it uses to remain undetected, including shutting down its components when it detects tools or techniques that suggest forensic or malware analysis. Like previous APTs, Slingshot uses its own custom, encrypted virtual filesystem stored in unused space on the hard drive, so its components and collected data do not appear as ordinary files on the host filesystem.
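One practical check suggested by the last paragraph is to look for the encrypted container itself: a hidden, encrypted filesystem written into unallocated disk space shows up as a long contiguous region of near-maximal byte entropy surrounded by low-entropy free space. The following Python is an added example written for this report; it is not Slingshot's code, not a signature for it, and not BluVector's detection logic. The block size, entropy threshold, minimum run length and the 32-block sample "disk image" are all constructed assumptions.

```python
"""Entropy scan of a raw disk image to flag contiguous high-entropy regions that
could be a hidden encrypted container in unallocated space.

Added example for this report: not Slingshot's code and not a signature for it.
Thresholds and the sample image below are assumptions, not values from Kaspersky.
"""
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096         # scan window in bytes (assumed; align to sector or cluster size in practice)
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits near 8.0, text and zeroed space far below
MIN_RUN_BLOCKS = 4        # shortest run worth reporting; drops isolated compressed fragments


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_runs(image: bytes, block_size: int = BLOCK_SIZE,
                           threshold: float = ENTROPY_THRESHOLD,
                           min_run: int = MIN_RUN_BLOCKS):
    """Return [(start_offset, end_offset, mean_entropy), ...], one tuple per
    contiguous run of at least `min_run` blocks with entropy >= `threshold`.
    end_offset is exclusive and clipped to the image length."""
    runs = []
    run_start = None       # block index where the current run began
    run_entropies = []     # entropies of the blocks in the current run
    n_blocks = (len(image) + block_size - 1) // block_size
    for i in range(n_blocks + 1):          # one extra iteration flushes a trailing run
        if i < n_blocks:
            e = shannon_entropy(image[i * block_size:(i + 1) * block_size])
            if e >= threshold:
                if run_start is None:
                    run_start = i
                run_entropies.append(e)
                continue
        # low-entropy block or end of image: close any open run that is long enough
        if run_start is not None and len(run_entropies) >= min_run:
            runs.append((run_start * block_size,
                         min(i * block_size, len(image)),
                         sum(run_entropies) / len(run_entropies)))
        run_start, run_entropies = None, []
    return runs


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 counter-mode keystream."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_image() -> bytes:
    """Constructed 32-block image (not a real disk): zeroed free space, one block of
    config-like text, a 12-block 'hidden container', a 2-block high-entropy fragment
    that is too short to report, and more zeroed free space."""
    zero = b"\x00" * BLOCK_SIZE
    text = (b"user=admin\r\nrouter=gw01\r\nlast-login=2018-02-14\r\n" * 200)[:BLOCK_SIZE]
    return (zero * 8                                      # blocks 0-7
            + text                                        # block 8
            + pseudo_random_bytes(12 * BLOCK_SIZE)        # blocks 9-20: hidden container
            + zero * 3                                    # blocks 21-23
            + pseudo_random_bytes(2 * BLOCK_SIZE, b"x")   # blocks 24-25: below MIN_RUN_BLOCKS
            + zero * 6)                                   # blocks 26-31


if __name__ == "__main__":
    for start, end, mean_e in find_high_entropy_runs(build_sample_image()):
        print(f"high-entropy region: offset 0x{start:x}-0x{end:x} "
              f"({(end - start) // BLOCK_SIZE} blocks, mean entropy {mean_e:.2f} bits/byte)")
```

Run this against ranges the filesystem's allocation map reports as unallocated, not the whole device: on a full-disk-encrypted volume everything scores near 8.0, and deleted compressed or already-encrypted files in free space will also be flagged. A high-entropy run is therefore a lead to carve and examine, not an indicator of Slingshot on its own.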
How Does It Propagate?
The initial infection vector is not currently known, though the malware is not believed to self-propagate.
The malware infects the systems of administrators who log into compromised MikroTik routers.
When/How Did BluVector Detect It?
Not all samples referenced in the report are currently publicly available; however, four samples were retrieved and BluVector's patented Machine Learning Engine (MLE) detected all of them. Although the samples have only just become available, having been discovered in February 2018, they are believed to have been hidden in the wild for at least six years, which predates the public release of BluVector. Regression testing on the four samples shows they would have been detected as long as 34 months ago.
About Threat Report
BluVector's Threat Report is written by BluVector's expert security team, which is tasked with identifying the latest cybersecurity threats in the wild and determining when our solution would protect customers from those threats.