If you’re trying to hack an organization then pwning the sysadmin's machine gives you the keys to the kingdom, and an advanced malware writer has found a clever way to do just that.
The malware, dubbed Slingshot by researchers at Kaspersky Lab and showcased at the firm’s Security Analyst Summit, resides in Mikrotik routers – presumably on the principle that the only people who access the devices are an organization’s IT team. It’s not known how the malware gets onto the router, but it contains a malicious dynamic link library that’s capable of pulling in all kinds of nasty attack tools.
“Never seen this attack vector before, first hack the router and then go for sysadmin,” said Costin Raiu, Kaspersky’s director of global research and analysis. “We’ve seen a lot of attacks against sysadmins but sometimes it’s tricky to find them. This is a very good way to hack the sysadmin and get the keys to the kingdom – it’s a completely new strategy.”
The malware was discovered by accident. The team was analyzing a piece of keylogging code and decided to scan to see if it could be found elsewhere. The malware’s signature turned up in a seemingly innocent file on another computer labelled
In testing, once a computer links into the router’s configuration system, the malware activates and dumps a copy of itself onto the connecting PC and gains root access. It then downloads new modules, including two powerful pieces of code dubbed Cahnadr and GollumApp which can harvest screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, and clipboard data.
The malware tries very hard to stay under the radar using a selection of advanced techniques, including identifying the security software used and attempting different tactics to evade detection depending on the code protecting the PC, encrypting all strings in the malware and employing specific anti-debugging countermeasures.
The malware also appears to have had a long lifespan – the code was tagged as Version 6.x and text notes in the software suggest it was developed by an English speaker. Kaspersky thinks that the amount of time and money it would have taken to write Slingshot strongly suggests it was developed by a nation state.
Slingshot is also relatively rare, which also helps keep it under the radar. The researchers found only around 100 infections and the vast majority were in Africa and the Middle East, with Kenya and Yemen showing the most compromised systems. Slingshot has been in circulation since 2012.
Signature files for the malware have now been issued and Mikrotik has updated its code to block Slingshot. System administrators are advised to update the firmware as soon as possible – use a burner PC to do it, just to be safe. ®