Undetected for 6 years, sophisticated malware can spy on PCs through your router - Slingshot

Undetected for 6 years, sophisticated malware can spy on PCs through your router

A nation-state developed a piece of malware so powerful that it can steal everything that’s happening on a computer without even being install on the target device itself. Instead, it resides on a router. It’s called Slingshot and it was recently discovered by Kaspersky Labs. Incredibly, the malware is so powerful and sophisticated that it hid in routers for six years before finally being spotted.

An interesting new vector for malware. Placing the malware on the router allows for a greater level of traffic inspection with less likelihood of detection.

“The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor,” the researchers noted in their report.
After a router is infected, the malware would load a couple of “huge and powerful” modules on the target’s computer. That includes a kernel-mode module called Cahnadr, and a user-mode module called GollumApp. The two are then able to support each other to gather data, and then send it out to the attacker. The malware was probably used for spying purposes, as it was able to log desktop activity and clipboard data, as well as collect screenshots, keyboard data, network data, passwords, and data from USB devices.

So the router would then infect machines that were networked to it. It is interesting the countries where these infections were found...

The infected computers were located primarily in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia, and Tanzania

My guess is that this could have been built by the same actors that came up with Stuxnet, but not for the same purposes, of course. Top of my list would be the US and Israel who have long been accused of inventing the Stuxnet malware.

a reply to: BomSquad In the past I would think that this could only be created by some 3 letter agency. With the current technology being available a damn 13 year old could do it with know how.

I was recently warned of this and even told that many ole virus can be used effectively in this manner. All gadgets will then be infected and it just replaces the virus after the system cleans the device. rinse and repeat

Its more aimed actually at harvesting the sysadmins details so they can nice and easily get into other systems of more interest like payroll/accounting/email etc with ease.

The exploit sounds like its probably also targeting systems that are probably unpatched for some exploit with crappy firewalls allowing the initial compromise.

The locations may or not be of too much relevance as it could be just that someone from the network team went over there for a job and used a PC there and thus got infected and then they got on a plane back to their office.

Its state level as its very target but could also be industrial espionage.

a reply to: BomSquad

I don't see in the op which "nation state" developed it.

Sounds like CIA BS.

originally posted by: IgnoranceIsntBlisss
a reply to: BomSquad

I don't see in the op which "nation state" developed it.

Sounds like CIA BS.

Could be, there's a lot of terrorist training stuff in the targeted areas.

Very believable. I've got a firewall/router supplied by my telephone company. Now some ISP's/broadband providers let you use your own wi-fi router to connect to their network by giving you a username/password that you use to set up A(DSL). However, my own doesn't and requires me to use their router. There are some naughty ways you can get the username/password combo off the device, such as connecting another PC to the WLAN port that they taped off. I did this and discovered they were sending my admin password back upstream to their HQ.

Running wireshark on the general traffic, and the router is always polling to see what device are at which addresses.

a reply to: BomSquad

It appears to only affect Mikrotik routers that use a system called Winbox Loader, which purposely downloads software from the router to allow access to the router.

Very different to almost every sort of router people have.

Stop wringing your hands in the air people. You're not at risk.

Winbox Loader is a legitimate management tool designed by Mikrotik for Windows users to easily configure their routers that downloads some DLL files from the router and execute them on a system.

This way the malicious DLL file runs on the targeted computer and connects to a remote server to download the final payload, i.e., Slingshot malware.

I've never heard of a Mikrotik router, and apparently it is used in the middle east and Africa. If you're in the mid east or Arfica, buy a proper router, I'd suggest.

originally posted by: stormcell
Very believable.

Especially if you don't read up on the problem, everything is very believable.

originally posted by: Maxatoria
Its more aimed actually at harvesting the sysadmins details so they can nice and easily get into other systems of more interest like payroll/accounting/email etc with ease.

The exploit sounds like its probably also targeting systems that are probably unpatched for some exploit with crappy firewalls allowing the initial compromise.

The locations may or not be of too much relevance as it could be just that someone from the network team went over there for a job and used a PC there and thus got infected and then they got on a plane back to their office.

Its state level as its very target but could also be industrial espionage.

Why won't anyone read up on it? It does more than just harvest sysadmin details...

Cahnadr module, aka NDriver, takes care of anti-debugging, rootkit and sniffing functionality, injecting other modules, network communications—basically all the capabilities required by user-mode modules.

Whereas GollumApp is the most sophisticated module which has a wide range of spying functionalities that allow attackers to capture screenshots, collect network-related information, passwords saved in web browsers, all pressed keys, and maintains communication with remote command-and-control servers.

It targets a specific type of router that works in a specific way and isn't some random virus that you can catch and infect others with.

a reply to: howtonhawky

bloody hell.......

Run to the hills everyone, the boogey man virus is coming !!!111

Spy malware secrets: How complex 'Slingshot' hit targets via hacked routers

The researchers haven't discovered how Slingshot infects MikroTik routers to use the WinBox bridge to the PC, however they note in a technical paper that WikiLeaks' Vault 7 leak of CIA hacking tools did reference an exploit for MikroTik's router OS called ChimayRed.

According to MikroTik, latest versions of WinBox no longer download the ipv4.dll file from the router, closing the attack vector.

The malware appears to have been narrowly used with Kaspersky counting just 100 detections among its users between 2012 and February 2018.

So while it sounds interesting, the number of infections over 6 years almost sound like they were specifically targeted as opposed to random infection.

What did we learn here?

Keep your firmware up to date, and if you're smart you'd stay away from consumer grade equipment from companies like Netgear altogether.

piece of malware so powerful that it can steal everything that’s happening on a computer

Oh! For a minute there I thought you were talking about the Internet.

But seriously, I've been assuming my router was up to no good for much longer than six years. Router firmware is notoriously buggy and notoriously unpatched, especially from any of the big router-producing companies that sell their warez at Best Buy, Staples and Walmart.

But baloney that Kapersky just discovered it now..

I rather suspect they were just pre-empting the likelihood of disclosure in the near future from some other quarter, and wanted to be the first [and "legit"] one to take credit.

originally posted by: badw0lf

originally posted by: stormcell
Very believable.

Especially if you don't read up on the problem, everything is very believable.

I read the article. Microtik are a Latvian company who make their own board and OS (ReactOS).

In-depth analysis of the code:
s3-eu-west-1.amazonaws.com...

a reply to: BomSquad

Would love to claim I'm surprised but these things have had backdoors and security exploits around since they rolled off the factory floor.

And by design no less!