What Is It?
While working on a malware incident in February 2018, controversial Russian anti-virus firm Kaspersky Labs discovered a sophisticated piece of malware, which led them to identify additional samples that are the very definition of an Advanced Persistent Threat (APT).
The APT malware, named Slingshot based on strings found in the code, uses a unique and highly targeted attack vector in order to compromise systems belonging to highly privileged users. An indication of the sophistication and success of this APT is that it has remained undetected in the wild for a period believed to be at least 6 years.
Kaspersky observed nearly one hundred infections in Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Congo, Turkey, Sudan and the United Arab Emirates, with the majority in Kenya and Yemen. Based on text found within the code, Kaspersky believes that the creators are native English speakers, though this is often difficult to ascertain. It also believes that the APT’s overall sophistication points in the direction of nation state actors.
The malware is installed into routers made by a Latvian company named Mikrotik. It is not currently known how the malware is initially placed on the router; possibilities include an unknown (zero-day) vulnerability in the router’s firmware or the use of default credentials.
When a system or network administrator responsible for administering the router logs into it, their system becomes infected. In this way, the malware infects an attacker’s ideal user: one with access to numerous key systems and infrastructure within a corporate environment. Once installed on an administrator’s system, the APT downloads additional malware capable of taking screenshots, logging keystrokes, acquiring network data, and capturing passwords, the contents of USB devices and clipboard contents. However, as the malware has full access to the kernel (also known as ring-0), which is extremely difficult to achieve without causing the dreaded “blue screen of death,” Slingshot could potentially access other sensitive data such as stored password hashes and credit card details.
As demonstrated by the amount of time this APT has gone unnoticed, the malware uses sophisticated techniques to remain undetected, including shutting down its components when it detects tools or techniques suggesting forensic or malware analysis. Similar to previous APTs, Slingshot utilizes its own custom, encrypted filesystem located in unused space on the hard drive.
How Does It Propagate?
The initial infection vector is not currently known, though it is not believed the malware self-propagates.
The malware infects the systems of administrators logging into infected Mikrotik routers.
When/How Did BluVector Detect It?
Not all samples referenced in the report are currently publicly available; however, four samples were retrieved and BluVector’s patented Machine Learning Engine (MLE) detected all of them. Though the samples have only just become available after being discovered in February 2018, they are believed to have been hidden in the wild for at least six years, predating BluVector’s public release. Regression testing on the four samples has shown they would have been detected up to 34 months ago.