A nation-state developed a piece of malware so powerful that it can steal everything that’s happening on a computer without even being installed on the target device itself. Instead, it resides on a router. It’s called Slingshot and it was recently discovered by Kaspersky Labs. Incredibly, the malware is so powerful and sophisticated that it hid in routers for six years before finally being spotted.
“The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor,” the researchers noted in their report.
After a router is infected, the malware would load a couple of “huge and powerful” modules on the target’s computer. That includes a kernel-mode module called Cahnadr, and a user-mode module called GollumApp. The two are then able to support each other to gather data, and then send it out to the attacker. The malware was probably used for spying purposes, as it was able to log desktop activity and clipboard data, as well as collect screenshots, keyboard data, network data, passwords, and data from USB devices.
The infected computers were located primarily in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia, and Tanzania.
Winbox Loader is a legitimate management tool designed by Mikrotik for Windows users to easily configure their routers; it downloads some DLL files from the router and executes them on the system.
This way the malicious DLL file runs on the targeted computer and connects to a remote server to download the final payload, i.e., Slingshot malware.
originally posted by: Maxatoria
It's more aimed actually at harvesting the sysadmin's details so they can nice and easily get into other systems of more interest like payroll/accounting/email etc with ease.
The exploit sounds like it's probably also targeting systems that are probably unpatched for some exploit with crappy firewalls allowing the initial compromise.
The locations may or may not be of too much relevance as it could be just that someone from the network team went over there for a job and used a PC there and thus got infected and then they got on a plane back to their office.
It's state level as it's very targeted but could also be industrial espionage.
The Cahnadr module, aka NDriver, takes care of anti-debugging, rootkit and sniffing functionality, injecting other modules, and network communications—basically all the capabilities required by the user-mode modules.
GollumApp, by contrast, is the most sophisticated module: it has a wide range of spying functionalities that allow attackers to capture screenshots, collect network-related information, passwords saved in web browsers, and all pressed keys, and it maintains communication with the remote command-and-control servers.
The researchers haven't discovered how Slingshot infects MikroTik routers to use the WinBox bridge to the PC; however, they note in a technical paper that WikiLeaks' Vault 7 leak of CIA hacking tools did reference an exploit for MikroTik's router OS called ChimayRed.
According to MikroTik, the latest versions of WinBox no longer download the ipv4.dll file from the router, closing the attack vector.
The malware appears to have been narrowly used, with Kaspersky counting just 100 detections among its users between 2012 and February 2018.
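To make the trust problem in the Winbox bridge concrete, here is an added illustrative model in Python, not Winbox, MikroTik or Kaspersky code: the weak loader executes whatever the router serves (so a compromised router lands code on the admin's workstation), while the hardened loader only loads a DLL whose digest is pinned from the vendor's release rather than taken from the device. The DLL bytes, the `execute` stand-in and the allowlist are constructed assumptions.

```python
import hashlib
import logging

# Constructed sample bytes standing in for what a router would serve as "ipv4.dll".
# Placeholders only; not real Winbox or RouterOS files.
GENUINE_IPV4_DLL = b"MZ\x90\x00 genuine ipv4.dll (constructed sample)"
TAMPERED_IPV4_DLL = b"MZ\x90\x00 ipv4.dll with injected loader (constructed sample)"

# Allowlist of SHA-256 digests the tool is willing to load. The point of the
# mitigation is that this list is shipped with the management tool (signed
# vendor release), never fetched from the router being managed.
TRUSTED_DLL_HASHES = {
    "ipv4.dll": {hashlib.sha256(GENUINE_IPV4_DLL).hexdigest()},
}


def execute(blob: bytes) -> str:
    """Stand-in for LoadLibrary: returns a marker instead of running anything."""
    return "executed:" + hashlib.sha256(blob).hexdigest()[:12]


def weak_loader(name: str, fetch) -> str:
    """The flawed pattern: the device being managed supplies the code that runs."""
    blob = fetch(name)          # router-controlled bytes
    return execute(blob)        # executed on the administrator's host, unchecked


def hardened_loader(name: str, fetch, trusted=TRUSTED_DLL_HASHES):
    """Refuse anything whose digest is not pinned outside the router.

    Returns the execute() marker on success, None when the DLL is rejected.
    """
    blob = fetch(name)
    digest = hashlib.sha256(blob).hexdigest()
    if digest not in trusted.get(name, set()):
        logging.warning("refusing %s served by router: unknown digest %s", name, digest)
        return None
    return execute(blob)


if __name__ == "__main__":
    compromised_router = lambda n: TAMPERED_IPV4_DLL
    print("weak:    ", weak_loader("ipv4.dll", compromised_router))
    print("hardened:", hardened_loader("ipv4.dll", compromised_router))
```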
piece of malware so powerful that it can steal everything that’s happening on a computer
originally posted by: badw0lf
originally posted by: stormcell
Especially if you don't read up on the problem, everything is very believable.