Kaspersky Lab researchers have warned of a cyber espionage group that has been compromising users in the Middle East and Africa through their routers. According to the researchers, the group has been active since at least 2012, and its most recent attacks were spotted last month.
Approximately 100 Slingshot victims have been identified so far, most of them located in Kenya and Yemen; targets were also registered in Afghanistan, Congo, Libya, Turkey, Jordan, Sudan, Iraq, Tanzania, and Somalia.
The malware campaign is generally focused on individual users, although the researchers have also spotted attacks targeting government organizations as well as some internet cafés.
The main piece of malware the attackers use is called Slingshot, a name taken from internal strings the analysts found in its code. The malware is known for infecting computers via compromised routers, specifically devices made by the Latvian vendor Mikrotik.
At present there is no information on how the targeted routers are compromised; Kaspersky notes, however, that the WikiLeaks Vault7 files include a Mikrotik exploit.
The vendor says it has patched the vulnerability leveraged by the Vault7 exploit, and it is not clear whether the attackers still use that initial vector.
Once the attackers control a router, they can abuse a legitimate piece of software named WinBox, a management tool provided by Mikrotik that downloads DLL files from the router and loads them directly into memory on the administrator's PC.
By abusing this functionality, the Slingshot operators deliver the malware to the computer of the targeted router's administrator.
The delivered component is a first-stage loader that replaces legitimate Windows DLL files with malicious versions of exactly the same size, so a check that compares only file sizes will not notice the swap. The malicious DLLs are then loaded by the services.exe process, which runs with SYSTEM privileges.
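A practitioner checking a machine for this kind of swap cannot rely on file sizes. The following script, added here as an illustration and not taken from Kaspersky's report or from Slingshot itself, records a size-and-hash baseline for the DLLs in a directory and then flags any file whose hash changed while its size stayed the same. The directory, file names and contents are constructed for the demo; on a real Windows host the same comparison would be run against the system directory, with a baseline taken from a known-good machine, and combined with an Authenticode signature check.

```python
"""Integrity check for system DLLs: catch a size-preserving replacement.

Added example, not code from the article or from Slingshot. It assumes a
baseline manifest recorded on a known-good host; the directory, file names
and file contents below are constructed stand-ins, not real PE files.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(system_dir: Path) -> dict:
    """Record size and SHA-256 of every .dll in system_dir (known-good host)."""
    return {
        p.name: {"size": p.stat().st_size, "sha256": sha256_of(p)}
        for p in sorted(system_dir.glob("*.dll"))
    }


def check_against_baseline(system_dir: Path, baseline: dict) -> list:
    """Compare the live directory with the baseline.

    Returns sorted (name, verdict) tuples. The verdict that matters for the
    trick described in the article is 'size_preserving_replacement': the
    size still matches, so a size-only check passes, but the hash does not.
    """
    findings = []
    for name, ref in baseline.items():
        p = system_dir / name
        if not p.exists():
            findings.append((name, "missing"))
            continue
        size, digest = p.stat().st_size, sha256_of(p)
        if digest == ref["sha256"]:
            continue
        verdict = "size_preserving_replacement" if size == ref["size"] else "modified"
        findings.append((name, verdict))
    for p in system_dir.glob("*.dll"):
        if p.name not in baseline:
            findings.append((p.name, "unexpected_new_file"))
    return sorted(findings)


def demo() -> list:
    """Build a fake system dir, baseline it, then tamper with the files."""
    with tempfile.TemporaryDirectory() as d:
        sysdir = Path(d)
        # Constructed stand-ins for legitimate libraries (hypothetical names).
        (sysdir / "library.dll").write_bytes(b"MZ" + b"\x00" * 1022)
        (sysdir / "helper.dll").write_bytes(b"MZ" + b"\x11" * 510)
        baseline = build_baseline(sysdir)

        # Attacker-style swap: same name, same byte length, different content.
        tampered = b"MZ" + b"\x90" * 1022
        assert len(tampered) == baseline["library.dll"]["size"]
        (sysdir / "library.dll").write_bytes(tampered)
        # A truncated file changes size and is caught by either kind of check.
        (sysdir / "helper.dll").write_bytes(b"MZ")
        return check_against_baseline(sysdir, baseline)


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:30} {name}")
```

The size check alone would report only helper.dll; the hash comparison is what exposes library.dll, which is the case the article describes.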
The main modules downloaded by Slingshot are called Cahnadr and GollumApp. Cahnadr, also known as Ndriver, is a kernel-mode payload providing all the capabilities required by user-mode modules, including anti-debugging, rootkit functionality, injecting modules into the services.exe process, network communications, and sniffing capabilities for various protocols.
GollumApp is the main user-mode module created to manage other user-mode modules while constantly interacting with Cahnadr. It includes a wide range of spying-focused functionality allowing hackers to capture screenshots, log keystrokes, collect system and network data, harvest passwords, manipulate clipboard data, run new processes with SYSTEM privileges, and inject other malicious modules into a specified process. In addition, the malware lets hackers gain full control of the infected computer.
Slingshot tries to escape detection by several methods, including calling system services directly in an effort to bypass the user-mode hooks placed by security products, encrypting the strings in its modules, and choosing which processes to inject into depending on which security product is present.
The malware also employs sophisticated techniques for command and control (C&C) communications: it hides its traffic inside legitimate communication protocols, watching for packets that carry a special mark.
Based on the analysis so far, Kaspersky Lab assesses this to be a state-sponsored cyber espionage campaign whose level of sophistication rivals that of the Regin and ProjectSauron threat actors.
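To make the filtering step concrete, here is an added example (not Slingshot's code and not taken from Kaspersky's report) of how a sniffer can pick marked packets out of ordinary traffic: it parses raw IPv4/UDP datagrams, lets DNS- and NTP-looking traffic pass, and keeps only packets whose payload begins with an attacker-chosen tag. The tag value, its position at the start of the UDP payload, the addresses and the sample capture are all assumptions constructed for this file; the article above does not describe the real marker format.

```python
"""Marked-packet filter: keep C2 packets hidden inside ordinary UDP traffic.

Added example. MARKER, its position and every packet below are assumptions
constructed for illustration; they are not Slingshot's real values.
"""
import struct

MARKER = b"\x7a\x5c\x91\x33"  # hypothetical 4-byte tag at the start of the payload


def ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Build a minimal IPv4 header (no options, checksum zeroed) plus payload."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))),
    ) + l4


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP header (checksum zeroed) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_ipv4_udp(pkt: bytes):
    """Return (src, dst, sport, dport, payload), or None if not IPv4/UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:      # 17 = UDP
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return src, dst, sport, dport, pkt[ihl + 8:ihl + ulen]


def extract_marked(packets):
    """The implant's view: ignore everything except packets carrying MARKER.

    Returns (source address, source port the traffic masquerades as, hidden
    payload) for each hit.
    """
    hits = []
    for pkt in packets:
        parsed = parse_ipv4_udp(pkt)
        if parsed is None:
            continue
        src, _dst, sport, _dport, payload = parsed
        if payload.startswith(MARKER):
            hits.append((src, sport, payload[len(MARKER):]))
    return hits


def sample_capture():
    """Constructed capture: two ordinary packets, two marked ones, one TCP."""
    return [
        ipv4("10.0.0.5", "10.0.0.1", 17, udp(40001, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 10)),
        ipv4("10.0.0.5", "10.0.0.1", 17, udp(40002, 123, b"\x1b" + b"\x00" * 47)),
        ipv4("198.51.100.7", "10.0.0.5", 17, udp(53, 40001, MARKER + b"cmd:screenshot")),
        ipv4("198.51.100.7", "10.0.0.5", 17, udp(443, 40003, MARKER + b"cmd:keylog:start")),
        ipv4("10.0.0.5", "10.0.0.1", 6, b"\x00" * 20),   # TCP segment, not inspected
    ]


if __name__ == "__main__":
    for src, port, hidden in extract_marked(sample_capture()):
        print(f"{src}:{port} -> {hidden!r}")
```

Once the marker is recovered from a captured sample, the same predicate turned around becomes a network detection: a datagram arriving from port 53 or 443 whose payload starts with those bytes is not DNS or TLS, whatever port it claims.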