Sophisticated malware used for cyber espionage in the Middle East and Africa from at least 2012 until February 2018 demonstrates yet another way that cyber criminals can target businesses.
The malware, dubbed Slingshot by the Kaspersky Lab security researchers who discovered it, attacks and infects victims through compromised MikroTik routers and can run in kernel mode, giving it complete control over victims’ devices.
According to researchers, many of the techniques used by this threat actor are unique, making Slingshot extremely effective at stealthy information gathering as it hides its traffic in marked data packets that it can intercept from everyday communications without trace.
The Slingshot operation was discovered after researchers found a suspicious keylogger program and created a behavioral detection signature to see if that code appeared anywhere else.
This led to the discovery of a suspicious file inside a system folder named scesrv.dll, and analysis of the file showed that despite appearing legitimate, the scesrv.dll module had malicious code embedded into it.
Because this library is loaded by “services.exe”, a process that has system privileges, the poisoned library gained the same rights, enabling a highly advanced intruder into the very core of the computer.
Further investigation revealed that victims had been infected through routers that had been compromised by a malicious dynamic link library planted inside them, which acted as a downloader for further malicious components.
The router’s management software downloads and runs the malicious module when an administrator logs in to configure the compromised router, the researchers said, but the method used to compromise the MikroTik routers in the first place remains unknown.
After infection of the administrator’s computer, Slingshot loads a number of modules, including Cahnadr and GollumApp, which are connected and able to support each other in information gathering, persistence and data exfiltration, the researchers found.
Slingshot’s main purpose, they said, seems to be cyber espionage because it collects screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard data and more. The malware’s kernel access means it can steal whatever it wants, the researchers said.
The advanced persistent threat (APT) also incorporates a number of techniques to help it evade detection, including encrypting all strings in its modules, using a number of anti-debugging techniques, and selecting which process to inject depending on what security controls are in place.
Slingshot is designed to work as a “passive backdoor”, the researchers said, because it does not have a hardcoded command and control (C&C) address, but obtains it from the operator by intercepting all network packets in kernel mode and checking whether two hardcoded “magic constants” are present in the header. If they are, that packet contains the C&C address.
After that, Slingshot establishes an encrypted communication channel to the C&C and starts to transmit data for exfiltration over it, the researchers said.
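The passive-backdoor trigger described above, as an added defender-side example that is not from the article or from Kaspersky Lab's report: a small Python detector that parses raw IPv4/TCP packets and flags only those whose headers (not payload) carry a pair of magic constants back to back. The constants `MAGIC_A`/`MAGIC_B`, their position in the header and the sample packets are constructed placeholders, since the article does not publish the real values.

```python
import struct

# Constructed placeholder values: the article does not publish Slingshot's real
# magic constants or their exact header position, so these stand in for them.
MAGIC_A = 0x5EEDC0DE
MAGIC_B = 0xFACEB00C

def marker_bytes() -> bytes:
    """The two constants back to back, big-endian, as the detector looks for them."""
    return struct.pack("!II", MAGIC_A, MAGIC_B)

def split_headers(pkt: bytes):
    """Return (src, dst, sport, dport, header_bytes) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    tcp_len = (pkt[ihl + 12] >> 4) * 4
    return src, dst, sport, dport, pkt[:ihl + tcp_len]  # IP + TCP headers, no payload

def is_marked(pkt: bytes) -> bool:
    """True only if both constants sit inside the headers; payload bytes are ignored."""
    parsed = split_headers(pkt)
    return parsed is not None and marker_bytes() in parsed[4]

def find_marked(packets):
    """Scan captured packets and report the endpoints of every marked one."""
    return [split_headers(p)[:4] for p in packets if is_marked(p)]

def build_packet(src, dst, sport, dport, options=b"", payload=b""):
    """Construct a minimal IPv4/TCP packet (checksums zeroed) for offline testing."""
    options += b"\x00" * (-len(options) % 4)  # pad options to a 32-bit boundary
    data_off = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_off << 4, 0x18, 8192, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp
```

Feed `find_marked` the raw frames from a capture (IP layer onward) and it returns the endpoints of each packet that carries the marker in its header; a packet with the same bytes only in its payload is deliberately not reported.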
The development time, skill and cost involved in creating Slingshot’s complex toolset is likely to have been extremely high, the researchers said, indicating that the group behind Slingshot is likely to be highly organised, professional and probably state-sponsored.
Text clues in the code suggest the group behind Slingshot is English-speaking, but the researchers note that accurate attribution is always difficult, if not impossible to determine, and increasingly prone to manipulation and error.
“Slingshot is a sophisticated threat, employing a wide range of tools and techniques, including kernel mode modules that have, to date, only been seen in the most advanced predators,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab. “The functionality is very precious and profitable for the attackers, which could explain why it has been around for at least six years.”
Although the researchers have seen only about 100 victims of Slingshot and its related modules, and most of them appear to be targeted individuals, businesses need to take note and take precautions, say security commentators.
“Domestic connections and users typically offer a low defence and, as a result, criminals will target them at home,” said Matt Walmsley, director for Europe, Middle East and Africa at security firm Vectra.
“Dropping an APT onto users at home will give them a beeline into an organisation – having them innocently walk the compromised PC into the work environment, bypassing any perimeter defences.
“Mobility and BYOD [bring your own device] all bring risks which require the rapid detection and response to the subtle indicators of compromise inside the corporate network. Most organisations have perimeter defences, and some kind of antivirus end-point on their corporately controlled PCs. However, many organisations remain blind to nefarious activity that is happening across their internal network as attackers orchestrate, recon, move, escalate privileges and steal or manipulate data.”
The fact that Slingshot is a six-year-old campaign shows that the threat detection gap is alive and well, particularly for advanced attacks, said Walmsley.
Although traditional signature-based approaches are useless at spotting previously unseen and unknown threats, there are multiple ways to spot previously unseen APTs, he said.
“A behaviour-based approach is required to spot the very weak signals of compromise that identify post-intrusion attacker activity within the network, but this can be laborious and slow, and delivers poor results if performed manually,” he said.
“Enterprises that recognise this ‘detection gap’ are increasingly moving to automated threat hunting tools that can operate autonomously. Using artificial intelligence [AI], businesses can detect hidden attacker behaviour, correlate and provide evidence, as well as pull context of the attack, and integrate it into the security incident response workflow to automate some or all of the response actions.
“In this regard, AI can then free up security analysts’ time to make quick, informed decisions while enabling an agile response to active threats, reducing attacker dwell time and, ultimately, business risk.”
Walmsley added: “Any defence is imperfect – that is why enterprises need to build up their detection and response capabilities to ensure they have an adaptive security architecture that defends against what it can, and quickly detects and responds to what it cannot.”
He said Slingshot underlines the need for product developers to manage their digital supply chain risk and to ensure that software libraries and modules used in their products are not compromised or that any compromise can be detected. To defend against this type of attack, end-user organisations should ensure they are always using the latest versions of code to reduce the risk of known vulnerabilities, he said.
Kaspersky Lab recommends that:
- MikroTik router users should upgrade to the latest software version as soon as possible.
- Businesses use a proven corporate-grade security system in combination with anti-targeted attack technologies and threat intelligence.
- Organisations provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack research and prevention.
- If businesses spot early indicators of a targeted attack, they consider managed protection services to detect advanced threats, reduce dwell time and enable timely incident response.