Slingshot APT: Riding on a hardware Trojan horse

March 9, 2018

One of the most interesting revelations from our researchers at Kaspersky Security Analyst Summit (SAS) this year was a report on a highly sophisticated cyberespionage campaign called Slingshot.

Attack vector

The first part to understand is the means of infection. What makes this initial attack vector unique is that, according to our research, many victims were attacked through compromised routers made by MikroTik. Routers download and run various DLL files in the normal course of business. Attackers found a way to compromise the devices by adding a malicious DLL to an otherwise legitimate package of other DLLs. The bad DLL was a downloader for various malicious files, which were also stored in the router.

Here we need to add that we reported this issue to the router manufacturer, and MikroTik has already dealt with this problem. However, our experts believe that MikroTik is not the only brand used by Slingshot actors; there may be other compromised devices.

Another interesting aspect of Slingshot is a trick it uses to run malware in kernel mode. In updated operating systems that is almost impossible, but this malware searches computers for signed vulnerable drivers, and uses them to run its own code.
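A defensive triage for the signed-vulnerable-driver trick described above, as an added example that is not from the original article or Kaspersky's research: it flags driver-load events whose file is on a deny list even when the signature is valid. The record fields mimic Sysmon's driver-load event (Event ID 6); the deny-list digest, file names and expected directory are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Hypothetical deny list of SHA-256 digests for drivers treated as known-vulnerable.
# The digest below is a constructed placeholder, not a real indicator.
VULNERABLE_SHA256 = {"a" * 64}
# Assumption: kernel drivers on this fleet normally load from this directory only.
EXPECTED_DIRS = {PureWindowsPath(r"C:\Windows\System32\drivers")}

def parse_hashes(field):
    """Turn 'MD5=..,SHA256=..' into {'MD5': '..', 'SHA256': '..'} (lower-cased values)."""
    pairs = (item.split("=", 1) for item in field.split(",") if "=" in item)
    return {name.strip().upper(): value.strip().lower() for name, value in pairs}

def triage(event):
    """Return the reasons a driver-load event deserves an analyst's attention."""
    reasons = []
    if parse_hashes(event["Hashes"]).get("SHA256") in VULNERABLE_SHA256:
        # A valid signature does not clear the driver: the technique relies on
        # legitimately signed drivers that contain exploitable flaws.
        reasons.append("hash on vulnerable-driver deny list")
    if PureWindowsPath(event["ImageLoaded"]).parent not in EXPECTED_DIRS:
        reasons.append("loaded from unexpected directory")
    if event["Signed"].lower() != "true" or event["SignatureStatus"] != "Valid":
        reasons.append("signature missing or invalid")
    return reasons

def report(events):
    """Map each flagged driver path to its reasons; clean loads are omitted."""
    flagged = ((e["ImageLoaded"], triage(e)) for e in events)
    return {path: reasons for path, reasons in flagged if reasons}

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\example_ok.sys",
     "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "b" * 64,
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\example_vuln.sys",
     "Hashes": "SHA256=" + "A" * 64,
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\example_drop.sys",
     "Hashes": "SHA256=" + "A" * 64,
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for path, reasons in report(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

The second sample event is the case to note: a validly signed driver in the normal directory is still flagged, because the deny-list match is independent of signature status.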

Malicious instruments

Among the malware Slingshot used were two masterpieces: a kernel mode module called Cahnadr and GollumApp, a user mode module.

Running in kernel mode, Cahnadr gives attackers complete control, without any limitations, over the infected computer. Furthermore, unlike the majority of malware that tries to work in kernel mode, it can execute code without causing a blue screen. The second module, GollumApp, is even more sophisticated. It contains nearly 1,500 user-code functions.

Thanks to those modules, Slingshot can collect screenshots, keyboard data, network data, passwords, other desktop activity, the clipboard, and a lot more. And all without exploiting any zero-day vulnerabilities. At least, our experts have not found Slingshot using them yet.

Antidetection mechanism

What makes Slingshot really dangerous is the numerous tricks its actors use to avoid detection. It can even shut down its components when it detects signs that might indicate forensic research. Furthermore, Slingshot uses its own encrypted file system in an unused part of a hard drive. You can find more details about Slingshot on Securelist.

How to cope with APTs like Slingshot

If you use a MikroTik router and the WinBox management software, download the latest version of the program and make sure the router has been updated to the latest version of its OS. However, updates save you from just one attack vector, not from the APT itself.

To protect your business against sophisticated targeted attacks, you need to implement a strategic approach. We offer the Threat Management and Defense platform. It consists of the Kaspersky Anti Targeted Attack platform, our new Kaspersky Endpoint Detection and Response solution, and expert services.

Kaspersky Anti Targeted Attack allows you to find anomalies in network traffic, isolate suspicious processes, and look for correlations between events. Kaspersky Endpoint Detection and Response serves to aggregate and visualize the collected data. And, thanks to our expert services, you can receive aid at any time in case of particularly difficult incidents, train your monitoring center staff, and raise awareness of the company’s employees overall. More details about this solution are here.