Slingshot malware uses cunning plan to find a route to sysadmins

LASER_oneXM

Feb 4, 2016
Advanced router code has been in circulation for six years

If you’re trying to hack an organization, then pwning the sysadmin's machine gives you the keys to the kingdom, and an advanced malware writer has found a clever way to do just that.

The malware, dubbed Slingshot by researchers at Kaspersky Lab and showcased at the firm’s Security Analyst Summit, resides in Mikrotik routers – presumably on the principle that the only people who access the devices are an organization’s IT team. It’s not known how the malware gets onto the router, but it contains a malicious dynamic link library that’s capable of pulling in all kinds of nasty attack tools.


“Never seen this attack vector before, first hack the router and then go for sysadmin,” said Costin Raiu, Kaspersky’s director of global research and analysis. “We’ve seen a lot of attacks against sysadmins but sometimes it’s tricky to find them. This is a very good way to hack the sysadmin and get the keys to the kingdom – it’s a completely new strategy.”

The malware was discovered by accident. The team was analyzing a piece of keylogging code and decided to scan to see if it could be found elsewhere. The malware’s signature turned up in a seemingly innocent file on another computer labelled scesrv.dll.


In testing, once a computer links into the router’s configuration system, the malware activates and dumps a copy of itself onto the connecting PC and gains root access. It then downloads new modules, including two powerful pieces of code dubbed Cahnadr and GollumApp which can harvest screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, and clipboard data.

The malware tries very hard to stay under the radar using a selection of advanced techniques, including identifying the security software used and attempting different tactics to evade detection depending on the code protecting the PC, encrypting all strings in the malware and employing specific anti-debugging countermeasures.
 
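The article says the keylogger signature turned up in a file named scesrv.dll, a name that normally belongs to a legitimate Windows system DLL, and that the payload lands on a PC that connects to the router's configuration interface. The article publishes no hashes, so the check a defender can actually build from it is a generic one: a trusted hash baseline of the system DLL directory, diffed later to surface DLLs that changed or appeared. The script below is an added example written for this post, not code from the article or from Kaspersky; it runs against a constructed temporary directory with made-up file contents standing in for system DLLs, and on a real host you would point it at the Windows system directory, take the baseline from a known-clean image, keep it off the box, and reconcile expected changes from Windows Update before treating a diff as an indicator.

```python
"""Added example: baseline-and-diff integrity check for a directory of DLLs.

Not code from the article or from Kaspersky. Hashes every .dll under a
directory, saves the digests as a JSON baseline, and later reports files
whose digest changed, files that appeared, and files that vanished. The
demo() scenario uses a constructed temporary directory; the file contents
are arbitrary bytes, not real PE images.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB chunks so large DLLs are not loaded whole


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=(".dll",)) -> dict:
    """Map relative path -> SHA-256 for every matching file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            baseline[str(path.relative_to(root))] = sha256_file(path)
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Diff the directory's current state against a saved baseline.

    Returns {'modified': [...], 'added': [...], 'missing': [...]} with
    sorted relative paths. A modified entry is the interesting one for the
    scenario in the article: a system DLL name whose content no longer
    matches the trusted copy.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(
            p for p in baseline if p in current and current[p] != baseline[p]
        ),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: clean baseline, then a swapped scesrv.dll and a new DLL."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for system DLLs (contents are arbitrary bytes).
        (root / "scesrv.dll").write_bytes(b"MZ clean scesrv")
        (root / "kernel32.dll").write_bytes(b"MZ clean kernel32")

        # Take the baseline from the clean state and persist it as JSON.
        baseline_path = root / "baseline.json"  # .json, so it is never hashed
        baseline_path.write_text(json.dumps(build_baseline(root)))

        # Simulate what a planted DLL under a legitimate name looks like to
        # the check, plus a DLL that was not there when the baseline was taken.
        (root / "scesrv.dll").write_bytes(b"MZ something else")
        (root / "dropped.dll").write_bytes(b"MZ new")

        loaded = json.loads(baseline_path.read_text())
        return compare_to_baseline(root, loaded)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is keyed on relative path, so the check catches a file that was replaced in place under its original name, which is the case the article describes; a copy dropped under a new name shows up as added. The digest alone does not tell you whether a change is malicious, so the diff is a triage queue, not a verdict.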
