
Hidden For 6 Years, 'Slingshot' Malware Hacks Your PC Through Your Router


The researchers don't know precisely how Slingshot infected all of its targets, but in some cases the malicious app was planted inside MikroTik routers that Slingshot operators got access to. Analysis of the file showed that despite appearing legitimate, the scesrv.dll module had malicious code embedded into it. The researchers realised that a highly advanced intruder had found its way into the very core of the computer.

The report stated that the attack replaces a library file with a malicious version that downloads other malicious components.

After a router is infected, the malware would load a couple of "huge and powerful" modules on the target's computer. The method used to hack the routers in the first place remains unknown.
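The library replacement described above suggests one defender-side check. The following is an added example, not code from the article or from Kaspersky's report; it assumes the module sits under System32, as on a standard Windows install, and that a genuine copy carries a valid Microsoft signature (directly or via a catalog).

```powershell
# Added example (not from the article or the Kaspersky report): report whether the
# scesrv.dll on this host is a validly signed Microsoft binary and record its hash.
# Assumption: the module lives under System32, as it does on a standard Windows install.
function Test-ScesrvIntegrity {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\scesrv.dll')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Suspicious = $true }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    # A genuine copy is signed by Microsoft; an invalid signature or a foreign signer
    # is the pattern a replaced library would show and deserves a closer look.
    $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
    [pscustomobject]@{
        Path       = $Path
        Present    = $true
        SigStatus  = $sig.Status
        Signer     = $signer
        SHA256     = $hash
        Suspicious = $suspicious
    }
}

Test-ScesrvIntegrity | Format-List
```

The SHA256 value is for comparison against a known-good copy from clean media; the check does not by itself prove a file is malicious, only that it should be examined.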

Kaspersky Lab said Slingshot uses two "masterpieces" - a kernel mode module named Cahnadr, and GollumApp, a user mode module. The two are then able to support each other to gather data, and then send it out to the attacker.

Slingshot's main objective seems to be cyberespionage.

When running in kernel mode, Slingshot can give attackers complete control of the system without any limitations whatsoever. Slingshot can collect screenshots, keyboard data, network data, passwords, other desktop activity, the clipboard, and a lot more.

One incredibly sophisticated thing the malware did to hide its existence was to use an encrypted virtual file system located in an unused part of the hard drive. After that, Slingshot establishes an encrypted communication channel to the C&C and starts to transmit data for exfiltration over it.

"The development time, skill and cost involved in creating Slingshot's complex toolset is likely to have been extremely high".


The researchers haven't named Slingshot's country of origin, but they note the presence of debug messages written in flawless English, while component names such as Gollum and Smeagol suggest the authors are fans of The Hobbit. Text clues in the code point to an English-speaking origin.

Slingshot's origin hasn't been confirmed, but it has been speculated to be state-sponsored, in that it is built for a specific, likely politically motivated goal rather than aimed at everyday users.

Infected machines cropped up in the likes of Libya, Afghanistan, Jordan, the Congo, Sudan and Somalia, and on the whole appeared to target individuals. However, accurate attribution is always hard, if not impossible, to determine, and increasingly prone to manipulation and error.

Adding that Slingshot may be the work of a state-sponsored actor, the company said that, "Most of the victims appear to be targeted individuals rather than organizations, but there are some government organizations and institutions". Kenya and Yemen account for most of the victims observed so far.

Researchers have uncovered new malware that has apparently been used to spy on victims in the Middle East and Africa for six years undetected. "This contains almost 1,500 user-code functions and provides most of the above described routines for persistence, file system control and C&C communications".

The researchers note that owners of a MikroTik router and the WinBox management software should download the latest version of the program and also update the router itself to the latest version of its operating system. Kaspersky says it has given MikroTik all its information and that MikroTik's software no longer downloads anything from users' routers to their computers.

If you spot early indicators of a targeted attack, consider managed protection services that will allow you to proactively detect advanced threats, reduce dwell time and arrange timely incident response.
