Hidden For 6 Years, 'Slingshot' Malware Hacks Your PC Through Your Router

The researchers don't know precisely how Slingshot infected all of its targets, but in some cases the malicious code was planted inside MikroTik routers that Slingshot operators had gained access to. Analysis of the file showed that, despite appearing legitimate, the scesrv.dll module had malicious code embedded in it. The researchers realised that a highly advanced intruder had found its way into the very core of the computer.

The report stated that the attack replaces a library file with a malicious version that downloads other malicious components.
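The report describes a system library being swapped for a malicious copy under the same name. The script below is an added example, not code from the article or from Kaspersky's report: a minimal file-integrity check of the kind a defender uses to catch such a replacement, comparing current library hashes against a known-good baseline. The directory, file names (including a stand-in scesrv.dll) and contents are constructed here so it runs offline.

```python
"""Added example: detect a replaced system library by comparing hashes
against a known-good baseline. All paths and contents are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    """Stream the file so large libraries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the hash of each trusted library at a known-good point in time."""
    return {str(p): sha256_of(p) for p in paths}

def check_against_baseline(baseline):
    """Return (path, status) for every baseline entry that no longer matches:
    'modified' if the content hash changed, 'missing' if the file is gone."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_of(path) != expected:
            findings.append((path, "modified"))
    return findings

def demo():
    """Constructed scenario: a fake system directory with two libraries; the
    scesrv.dll stand-in is swapped for different content after baselining."""
    root = Path(tempfile.mkdtemp())
    scesrv = root / "scesrv.dll"
    other = root / "other.dll"
    scesrv.write_bytes(b"constructed legitimate library contents")
    other.write_bytes(b"constructed untouched library contents")
    baseline = build_baseline([scesrv, other])
    # Same file name, new content: the replacement the report describes.
    scesrv.write_bytes(b"constructed replaced library contents")
    return check_against_baseline(baseline)

if __name__ == "__main__":
    for path, status in demo():
        print(f"{status}: {path}")
```

On a real Windows host the baseline must come from a trusted image, and a hash mismatch should be confirmed by checking the file's Authenticode signature rather than treated as proof on its own.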

After a router is infected, the malware would load a couple of "huge and powerful" modules on the target's computer. The method used to hack the routers in the first place remains unknown.

Kaspersky Lab said Slingshot uses two "masterpieces": a kernel-mode module named Cahnadr and a user-mode module named GollumApp. The two support each other to gather data and then send it out to the attacker.

Slingshot's main objective seems to be cyberespionage.

When running in kernel mode, Slingshot can give attackers complete control of the system without any limitations whatsoever. Slingshot can collect screenshots, keyboard data, network data, passwords, other desktop activity, the clipboard, and a lot more.

One incredibly sophisticated thing the malware did to hide its existence was to use an encrypted virtual file system located in an unused part of the hard drive. After that, Slingshot establishes an encrypted communication channel to the C&C and starts to transmit data for exfiltration over it.

"The development time, skill and cost involved in creating Slingshot's complex toolset is likely to have been extremely high".

The researchers haven't named Slingshot's country of origin but note the presence of debug messages written in flawless English, while component names such as Gollum and Smeagol suggest the authors are fans of The Hobbit. Text clues in the code suggest its authors are English-speaking.

Slingshot's origin hasn't been confirmed, but it has been speculated to be state-sponsored, in that it is built for a specific goal that is likely politically motivated rather than aimed at everyday users.

Infected machines cropped up in the likes of Libya, Afghanistan, Jordan, the Congo, Sudan and Somalia, and appeared to target individuals on the whole. However, accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error.

Adding that Slingshot may be the work of a state-sponsored actor, the company said that "Most of the victims appear to be targeted individuals rather than organizations, but there are some government organizations and institutions". Kenya and Yemen account for most of the victims observed so far.

Researchers have uncovered new malware that has apparently been used to spy on victims in the Middle East and Africa for six years undetected. "This contains almost 1,500 user-code functions and provides most of the above described routines for persistence, file system control and C&C communications".

The researchers note that owners of a MikroTik router and its WinBox management software should download the latest version of the program and update the router itself to the latest version of its operating system. Kaspersky says it has given MikroTik all its information and that MikroTik's software no longer downloads anything from the users' routers to their computers.

If you spot early indicators of a targeted attack, consider managed protection services that will allow you to proactively detect advanced threats, reduce dwell time and arrange timely incident response.
