Security analysts at Kaspersky Lab have identified a sophisticated APT group that has been operating since at least 2012 without being noticed, thanks to its complex and clever techniques.
The group used a piece of advanced spyware, dubbed Slingshot, to infect victims in the Middle East and Africa (roughly 100 of them, by Kaspersky's count) by compromising their routers.
According to the 25-page report [PDF] published by Kaspersky Lab, the group has been exploiting previously unknown vulnerabilities in routers from the Latvian network hardware vendor Mikrotik as its first-stage infection vector, in order to covertly plant its spyware on victims' computers.
Although it is unclear how the group compromised the routers in the first place, Kaspersky pointed to the WikiLeaks Vault 7 CIA leaks, which revealed the ChimayRed exploit, now available on GitHub, for compromising Mikrotik routers.
Once a router has been compromised, the attackers replace one of the DLL (dynamic link library) files in its file system with a malicious one, which is loaded directly into the memory of the victim's computer when the user runs the Winbox Loader software.
Winbox Loader is a legitimate management tool designed by Mikrotik for Windows users to configure their routers easily; it downloads some DLL files from the router and executes them on the system.
In this way the malicious DLL runs on the target machine and connects to a remote server to download the final payload, i.e. Slingshot itself.
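The weak link in the chain above is that Winbox executes whatever DLLs the router hands it. A defender who cannot change Winbox can still watch for it: the following is an added example (not code from the article, from Kaspersky, or from Mikrotik) of detection logic that scans Sysmon-style image-load events and flags any DLL that winbox.exe loads from outside the Windows directory (i.e. from its per-router download cache) unless it is signed and its SHA-256 is on a pinned allowlist. The key=value log format, the DLL names, the hash values and the allowlist are all constructed for this example and are not real indicators.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

WINBOX_IMAGE = "winbox.exe"
# Loads from the OS directory are ordinary Windows DLLs, not router-supplied code.
TRUSTED_DIRS = ("c:\\windows\\",)

# Assumed allowlist: SHA-256 of each DLL a known-good router build serves to Winbox.
# Placeholder values for this example; a real list comes from hashing a clean install.
PINNED_DLL_HASHES = {
    "ui_lib.dll": {"11" * 32},
}

# Constructed Sysmon-like Event ID 7 (image load) records; not real telemetry.
SAMPLE_EVENTS = r"""
EventID=7 Image=C:\Tools\winbox.exe ImageLoaded=C:\Users\ops\AppData\Roaming\Mikrotik\Winbox\ui_lib.dll Hashes=MD5=aa,SHA256=1111111111111111111111111111111111111111111111111111111111111111 Signed=true
EventID=7 Image=C:\Tools\winbox.exe ImageLoaded=C:\Users\ops\AppData\Roaming\Mikrotik\Winbox\routerlib.dll Hashes=SHA256=2222222222222222222222222222222222222222222222222222222222222222 Signed=false
EventID=7 Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\kernel32.dll Hashes=SHA256=3333333333333333333333333333333333333333333333333333333333333333 Signed=true
EventID=7 Image=C:\Tools\winbox.exe ImageLoaded=C:\Windows\System32\ws2_32.dll Hashes=SHA256=4444444444444444444444444444444444444444444444444444444444444444 Signed=true
EventID=7 Image=C:\Tools\winbox.exe ImageLoaded=C:\Users\ops\AppData\Roaming\Mikrotik\Winbox\ui_lib.dll Hashes=SHA256=3333333333333333333333333333333333333333333333333333333333333333 Signed=true
"""


def parse_image_load(line: str) -> Optional[dict]:
    """Parse one key=value record; return None for anything that is not an image-load event."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if fields.get("EventID") != "7":
        return None
    sha256 = ""
    for item in fields.get("Hashes", "").split(","):
        if item.startswith("SHA256="):
            sha256 = item[len("SHA256="):].lower()
    return {
        "image": fields.get("Image", ""),
        "loaded": fields.get("ImageLoaded", ""),
        "sha256": sha256,
        "signed": fields.get("Signed", "").lower() == "true",
    }


def is_router_supplied(loaded_path: str) -> bool:
    """Anything Winbox loads from outside the OS directory came from its router download cache."""
    return not loaded_path.lower().startswith(TRUSTED_DIRS)


def flag_suspicious_loads(log_text: str, allowlist=PINNED_DLL_HASHES) -> list:
    """Return findings for router-supplied DLLs loaded by winbox.exe that are unsigned or not pinned."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_image_load(line)
        if ev is None:
            continue
        if PureWindowsPath(ev["image"]).name.lower() != WINBOX_IMAGE:
            continue
        if not is_router_supplied(ev["loaded"]):
            continue
        dll = PureWindowsPath(ev["loaded"]).name.lower()
        reasons = []
        if not ev["signed"]:
            reasons.append("unsigned")
        # A valid signature alone is not enough: the hash must match the build we expect.
        if ev["sha256"] not in allowlist.get(dll, set()):
            reasons.append("hash not pinned")
        if reasons:
            findings.append({"dll": dll, "path": ev["loaded"], "sha256": ev["sha256"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT winbox.exe loaded {f['path']} ({', '.join(f['reasons'])})")
```

On the constructed sample the second record (an unsigned DLL from the cache) and the fifth (a signed ui_lib.dll whose hash does not match the pinned build) are flagged; the clean ui_lib.dll load, the notepad.exe event and the ws2_32.dll load from System32 are not. Pinning by hash rather than trusting the signature is deliberate, since the attacker controls the file the router serves and the legitimate loader gives it no further scrutiny.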
The Slingshot malware includes two modules: Cahnadr (a kernel-mode module) and GollumApp (a user-mode module), designed to gather information, persist on the system and exfiltrate data.
The Cahnadr module, also known as NDriver, takes care of anti-debugging, rootkit and sniffing functionality, injecting other modules, and network communications: essentially all the capabilities required by the user-mode modules.
"[Cahnadr is] a kernel-mode program able to execute malicious code without crashing the whole file system or causing a Blue Screen, a remarkable achievement," Kaspersky said in a blog post published today.
"Written in pure C language, Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions, and carries out integrity control of various system components to avoid debugging and security detection."
GollumApp is the more sophisticated module, with a wide range of spying capabilities that let attackers capture screenshots, collect network-related information and passwords saved in web browsers, log all pressed keys, and maintain communication with remote command-and-control servers.
Because GollumApp is backed by the kernel-mode Cahnadr module and can also launch new processes with SYSTEM privileges, Slingshot gives attackers full control over infected systems.
Although Kaspersky did not attribute the group to any particular country, based on its clever techniques and limited targeting the company said it is undoubtedly a highly skilled, English-speaking, state-sponsored hacking group.
"Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable, and, to the best of our knowledge, unique," the researchers said.
The victims are mostly individuals and some government organizations in several countries, including Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey, Sudan and the United Arab Emirates.