Researchers at Kaspersky Lab announced that they have detected a sophisticated APT hacking group. The group's hacking techniques are so advanced and stealthy that it has been operating since at least 2012 without being noticed.
The attackers have used a malware called Slingshot that infects routers in order to compromise a huge volume of users in the Middle East and Africa.
Kaspersky Lab has recently published a report on the malware. According to the security vendor, the attackers exploited unidentified flaws in routers from the Latvia-based network hardware developer Mikrotik. The group used these vulnerabilities as its first-stage infection vector to covertly inject the espionage software into users' devices.
Even though it is still unknown exactly how this hacking group infected the routers, Kaspersky linked the activity to the WikiLeaks Vault 7 CIA leaks, which disclosed the ChimayRed exploit for Mikrotik routers. The ChimayRed exploit is now available on GitHub.
After the router is infected with the cyber-espionage threat, the attackers replace one of its dynamic link library (DLL) files with a malicious one. The malicious file loads directly into the infected user's system memory when the victim runs the Winbox Loader software.
Winbox Loader is a legitimate piece of software created by Mikrotik for Windows PC users. The management tool allows users to configure their routers easily: it downloads DLL files from the router and executes them on the PC. As a result, the malicious DLL runs on the system and connects to a remote server, from which the final payload, the Slingshot spyware, is downloaded.
The malware combines two modules, Cahnadr and GollumApp, which handle information gathering, persistence, and data exfiltration.
Cahnadr, also known as NDriver, provides anti-debugging, rootkit, and sniffing functionality. According to Kaspersky:
“Cahnadr is a kernel-mode program able to execute malicious code without crashing the whole file system or causing Blue Screen—a remarkable achievement. Written in pure C language, Cahnadr/NDriver provides full access to the hard drive and operating memory despite device security restrictions, and carries out integrity control of various system components to avoid debugging and security detection.”
Meanwhile, GollumApp is a highly complex module that includes a vast number of espionage features. It enables the attackers to capture screenshots, gather network data, passwords, and keystrokes, and communicate with remote command-and-control (C2) servers.
GollumApp runs in kernel mode and can launch new processes with system privileges. The spyware gives the attackers control of the infected systems.
“Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable—and, to the best of our knowledge, unique,” according to Kaspersky.
The hacking group targeted individual users and some government institutions worldwide, in countries including Yemen, Libya, Iraq, Jordan, Somalia, Turkey, Sudan, and the United Arab Emirates.