2018-03-19

Slingshot: Sophisticated Cyber Espionage Platform

Definition

Slingshot is an advanced cyber-espionage platform that has been infiltrating machines and collecting data since at least 2012 and avoided detection until it was uncovered in February 2018. Kaspersky Lab has reported roughly a hundred infected victims, mostly in Africa and the Middle East.

The initial compromise path is still largely unknown, but the evidence points at the attackers getting onto the target's network through its router, possibly via an unpatched or 0-day vulnerability. Once on a host, Slingshot collects information and sends it to its C2 server without the user noticing anything. The sophistication of the code points at a state-level developer, and the English in its debug strings at native English speakers.

Attack vector

The one known attack vector runs through MikroTik routers. The attackers first take over the router and place their own files on it. Winbox Loader, the Windows tool an administrator uses to manage the router, downloads DLL files from the router and loads them straight into the computer's memory; the attackers replaced one of these with a malicious ipv4.dll, which is therefore loaded and executed on the administrator's machine. This DLL is only a downloader: it connects back to the router, fetches the remaining malicious components, and runs them. Slingshot avoids detection with, among other techniques, two mechanisms: an encrypted virtual file system kept in an unused part of the hard disk, and the encryption of every text string in its modules, so that a scanner looking for known strings finds nothing.
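The string-encryption evasion above is easy to see in miniature. The following added example (not code from the Slingshot report or from Kaspersky; the module images, the XOR key and all indicator strings other than the filename ipv4.dll are constructed for the illustration) builds a fake module twice, once with its strings in the clear and once with every string XOR'd with a single byte, shows that a plain string signature matches only the first, and then recovers the strings from the second by trying every single-byte key. The second half stands in for the kind of heuristic an analyst adds once signatures stop working; a real platform uses stronger encryption than single-byte XOR, so a key brute force is the first of several layers rather than the answer.

```python
"""
Added example (not from the Slingshot report): why a scanner keyed on
plaintext strings misses a module whose strings are encrypted, and a cheap
heuristic that recovers single-byte-XOR'd strings anyway.
The module images and indicator strings below are constructed for this example.
"""
import re

# Indicator strings a signature might look for. "ipv4.dll" is the filename
# the Slingshot report mentions; the other two are generic, constructed examples.
INDICATORS = [b"ipv4.dll", b"LoadLibraryW", b"\\Device\\Harddisk0"]

# Printable filler standing in for code bytes between the strings.
FILLER = bytes(range(0x41, 0x5B)) * 4


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the toy 'encryption')."""
    return bytes(b ^ key for b in data)


def build_module(key=None):
    """Return a fake module image. With key=None the indicator strings are
    stored in the clear; otherwise each one is stored XOR'd with `key`."""
    parts = [FILLER]
    for s in INDICATORS:
        parts.append(s if key is None else xor_bytes(s, key))
        parts.append(b"\x00\x00\x90\x90")  # separator: NULs and NOPs
    return b"".join(parts)


def signature_scan(image):
    """Plain substring matching, the way a string-based signature works."""
    return [s for s in INDICATORS if s in image]


def printable_strings(image, min_len=6):
    """What the `strings` utility would show an analyst looking at the image."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)


def recover_xor_strings(image):
    """Try every single-byte XOR key and report which indicators appear.
    Returns {key: [indicators found]} for the keys that reveal at least one."""
    found = {}
    for key in range(1, 256):
        hits = signature_scan(xor_bytes(image, key))
        if hits:
            found[key] = hits
    return found


if __name__ == "__main__":
    clear = build_module()
    hidden = build_module(key=0x5A)     # 0x5A is an arbitrary, constructed key
    print("clear module, signature hits :", signature_scan(clear))
    print("hidden module, signature hits:", signature_scan(hidden))
    print("hidden module, strings output:", printable_strings(hidden))
    print("hidden module, XOR recovery  :", recover_xor_strings(hidden))
```

Running it shows three hits on the clear module, none on the hidden one (and `strings` output that is only the filler), and all three indicators reappearing under key 0x5A.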

Slingshot is a collection of separate modules, and each module is delivered in its own way. While it downloads the modules and gains kernel privileges it tampers with the system logs, leaving no traces.


Slingshot runs in the kernel, so it can reach all data on the drives and in memory. It has been reported to log screenshots, keyboard input, network traffic, passwords and USB connections. There is no hard-coded C2 address in it; instead the kernel component inspects each incoming IP packet for the address to use.


Protection

The following general advice applies to protecting against espionage platforms of this kind:

  • Build defence in depth into the military cyber environment so that the valuable targets are hard to reach.
  • Keep the ICT infrastructure, routers and other network equipment included, as up to date as possible.
  • Have several layers of detection: not only signatures and other fingerprints but also traffic patterns into and out of the system.
  • Have access to the newest threat intelligence through the cyber defence coalition network.
  • Exercise the cyber defence crews against red teams that attack them, including with persistent, long-term methods.
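One concrete "extra layer" that follows from the hiding technique described under Attack vector, where the encrypted virtual file system lives in an unused part of the disk, is a forensic check for data sitting outside any partition. The added example below (not code from the Slingshot report or from Kaspersky; the disk image, partition layout and planted blob are constructed for the illustration) parses a classic MBR partition table, finds the end of the last partition, and reports every sector past it that is not blank.

```python
"""
Added example (not from the Slingshot report): a forensic check for data
stored outside any partition, the kind of place the report says Slingshot
keeps its encrypted virtual file system. The disk image is constructed here.
"""
import struct

SECTOR = 512
MBR_TABLE = 446          # offset of the four 16-byte partition entries


def mbr_partitions(image):
    """Return [(lba_start, sector_count), ...] for the used MBR entries."""
    parts = []
    for i in range(4):
        entry = image[MBR_TABLE + 16 * i: MBR_TABLE + 16 * (i + 1)]
        ptype = entry[4]                                  # partition type byte
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            parts.append((lba_start, count))
    return parts


def scan_unallocated(image, min_nonzero=32):
    """Report sectors past the end of the last partition that are not blank.
    Returns [(lba, nonzero_byte_count), ...]."""
    parts = mbr_partitions(image)
    end_lba = max(start + count for start, count in parts) if parts else 1
    hits = []
    for lba in range(end_lba, len(image) // SECTOR):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        nonzero = sum(1 for b in sector if b)
        if nonzero >= min_nonzero:
            hits.append((lba, nonzero))
    return hits


def build_image(total_sectors=4096, part_start=64, part_sectors=3000, hide_at=3700):
    """Constructed disk image: one NTFS-typed partition, blank space after it,
    and a two-sector random-looking blob planted past the partition end."""
    img = bytearray(total_sectors * SECTOR)
    # Entry 0: bootable flag, dummy CHS, type 0x07, dummy CHS, LBA start, count.
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", part_start, part_sectors)
    img[MBR_TABLE:MBR_TABLE + 16] = entry
    img[510:512] = b"\x55\xaa"                            # MBR signature
    # Deterministic pseudo-random bytes so the example reproduces exactly.
    blob = bytes((i * 167 + 13) & 0xFF for i in range(2 * SECTOR))
    img[hide_at * SECTOR:hide_at * SECTOR + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    for lba, n in scan_unallocated(build_image()):
        print(f"sector {lba}: {n} non-zero bytes outside any partition")
```

The check is deliberately simple: it handles MBR only (a GPT disk needs its own table parser), it ignores slack inside partitions, and it uses "not blank" rather than an entropy measure. On a real image the follow-up is to look at what the flagged sectors contain; uniformly random-looking data where nothing should be is exactly what an encrypted container looks like.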



References


  • https://thehackernews.com/2018/03/slingshot-router-hacking.html
  • https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf
  • https://arstechnica.com/information-technology/2018/03/potent-malware-that-hid-for-six-years-spread-through-routers/
  • https://www.businesswire.com/news/home/20180309005046/en/Kaspersky-Lab-Uncovers-Slingshot-Spy-Router


