Kaspersky uncovers malware attacking through routers

"Slingshot is a sophisticated threat, employing a wide range of tools and techniques, including kernel mode modules that have to date only been seen in the most advanced predators", said Alexey Shulmin, lead malware analyst, Kaspersky Lab.

Perhaps one of the most interesting aspects of this malware is its ability to go undetected. The researchers also raise the possibility that victims were infected through a Windows exploit. Slingshot's code suggests that its developers speak English, and the malware is believed to be the work of an organized, state-sponsored hacker group.

Kaspersky doesn't have any specifics of how Slingshot appeared on MikroTik routers, but it looks like the router's Winbox configuration utility was exploited to load dynamic link library files.

Slingshot appeared to spread via routers produced by Latvian company MikroTik, although Kaspersky has noted that other techniques - such as the exploitation of zero-day vulnerabilities - could have helped spread the threat.

The loader ingeniously communicates back to the router to download the riskier components of the payload; the router basically acts as the hacker's Command and Control (CnC) server.

"Following infection, Slingshot would load a number of modules onto the victim device, including two huge and powerful ones: Cahnadr, the kernel mode module, and GollumApp, a user mode module". The two are then able to support each other to gather data, and then send it out to the attacker. According to Kaspersky, a cluster of activity from the Slingshot campaign "started in at least 2012", so it's been around for at least six years.

One of the most remarkable things about Slingshot is its unusual attack vector.

One incredibly sophisticated thing the malware did to hide its existence was to use an encrypted virtual file system located in an unused part of the hard drive.

As such, Slingshot looks like it may have been produced for the purpose of espionage rather than money-making.

That is why a nation-state is thought likely to be behind the attack.

The malware also uses many tricks to avoid detection, including shutting down its components when it detects forensic research.

Over half the compromised computers were in Kenya and Yemen, with the remainder in Libya, Afghanistan, Iraq, Tanzania, Greece, Jordan, Mauritius, Somalia, Tunisia, Turkey, and the United Arab Emirates.

Most of the victims appear to be targeted individuals rather than organizations, although there are some government organizations and institutions among them. For now, nobody is sure who controls the sophisticated payload.

This guesswork is given a little more credence by the fact that Kaspersky's researchers noted that debug messages were written in perfect English.

At this point, most of the Slingshot victims found by Kaspersky are based in African and Middle Eastern countries. The fact that the code contains flawless English may implicate the NSA, CIA, or GCHQ. This is nearly impossible to do in updated operating systems, though Slingshot manages the feat by searching computers for signed vulnerable drivers, and then uses them to run its own malicious code. Text clues in the code suggest its authors are English-speaking; however, accurate attribution is always hard, if not impossible, and increasingly prone to manipulation and error.

Users of MikroTik routers must update to the newest software version as soon as possible to ensure protection against Slingshot. MikroTik has been informed and has fixed the issue, but Kaspersky believes this is not the only brand that was used during the campaign.
