Slingshot is a malicious software that has hit the Middle East and Africa since 2012

Mar 13, 2018
Kaspersky Lab researchers have revealed a sophisticated cyber-espionage threat that has been active in the Middle East and Africa from at least 2012 until February 2018.

The malware, called Slingshot, reaches its victims through compromised network routers and can run in kernel mode, which gives it full control over the victim's devices.

Many of the methods used by this malware are unique, according to the researchers, who confirmed that it is extremely effective at covertly collecting information and at hiding its traffic inside marked data packets that it can intercept from ordinary network communication without leaving a trace.

Slingshot was discovered after researchers found a suspicious keylogger program and created a behavioural detection signature to check whether the code had appeared elsewhere.

This step led to the discovery of a computer with a suspicious file, called scesrv.dll, inside the system folder. The researchers decided to investigate further. Analysis of scesrv.dll showed that it contains malicious code, although it appears to be a legitimate part of the operating system.

Since this library is loaded by the executable services.exe, a system process that runs with operating-system privileges, the malicious library acquired the same privileges as the process that loaded it, and the researchers realised that an intruder had found a way deep into the heart of the computer.
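A defender-side check for the situation described above, added here as an example (it is not code from the article or from Kaspersky Lab): it verifies that the scesrv.dll in System32 validates as a Microsoft-signed binary and lists every module loaded into services.exe whose signature does not validate, since any such module inherits the process's SYSTEM privileges. It assumes Windows PowerShell 5.1 or later running elevated (reading the modules of services.exe requires administrator rights); the function name Test-SystemLibrary is an invented helper.

```powershell
# Added example, not from the article: verify scesrv.dll and audit the modules
# loaded into services.exe. Assumes an elevated Windows PowerShell session.

function Test-SystemLibrary {
    param([string]$Path)
    # Get-AuthenticodeSignature also consults the Windows catalog, so
    # catalog-signed system DLLs report Status = Valid.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status              # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject
        Sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

# 1. The file named in the article must validate as a Microsoft-signed binary.
$scesrv = Join-Path $env:SystemRoot 'System32\scesrv.dll'
$result = Test-SystemLibrary -Path $scesrv
$result | Format-List
if ($result.Status -ne 'Valid' -or $result.Signer -notmatch 'Microsoft') {
    Write-Warning 'scesrv.dll does not validate as a Microsoft-signed binary; preserve the file and the SHA256 above for analysis.'
}

# 2. Every DLL loaded into services.exe runs with its SYSTEM privileges, so
#    report any loaded module whose signature does not validate.
$services = Get-Process -Name services -ErrorAction Stop
$suspect = foreach ($m in $services.Modules) {
    $r = Test-SystemLibrary -Path $m.FileName
    if ($r.Status -ne 'Valid') { $r }
}
if ($suspect) {
    Write-Warning 'Modules in services.exe whose signatures do not validate:'
    $suspect | Format-Table Path, Status, Signer -AutoSize
} else {
    Write-Output 'All modules loaded into services.exe carry valid signatures.'
}
```

A kernel-mode implant can subvert user-mode checks like this one, so treat a clean result as a weak signal and corroborate it with an offline disk image or a memory capture taken out of band.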

The unusual infection vector may be the most interesting thing about Slingshot: as more victims were found, the researchers saw that many of them had initially been infected through hacked routers.

It seems that during these attacks the group behind Slingshot compromised the routers and placed a malicious dynamic-link library on them, which is in fact only a downloader for other malicious components.

The router management software downloads and runs the malicious library on the network administrator's computer when they access the router's settings; the method originally used to hack the routers is still unknown.

After infection, Slingshot loads a number of modules onto the victim's device, including two powerful ones, Cahnadr and GollumApp, which are linked and cooperate in information gathering and data exfiltration.

The main goal of Slingshot appears to be cyber espionage. Analysis indicates that it collects screenshots, keystrokes, network data, passwords, USB connections, other desktop activity, clipboard data and more. The malware's access to the kernel of the system means that it can steal whatever it wants.

This advanced persistent threat also includes a number of methods to help the malware evade detection, including encrypting all of its strings, calling system services directly to bypass security products, using a number of anti-debugging methods, choosing which processes to inject into depending on the security solutions installed on the device, and more.

Slingshot works as a passive backdoor. It does not contain a hard-coded command-and-control (C&C) address but obtains it from the operator by intercepting all network packets in kernel mode and checking whether two magic constants are present in the packet header. If they are, the packet contains the C&C address. Slingshot then establishes an encrypted communication channel to the C&C server and starts transmitting data over it for exfiltration.

The malicious samples the researchers investigated were marked as version 6.x, indicating that the threat has been around for a long time; the skills and cost needed to create the complex Slingshot toolkit are likely to be high and would have required time to develop. The group behind this code is highly organised and professional, and may be government sponsored. Textual evidence in the code indicates that the group's language is English. Accurate attribution is however difficult, if not impossible, and is increasingly susceptible to manipulation and error.

So far, the researchers have seen about 100 victims of Slingshot and its associated modules in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Most of the targeted victims appear to be individuals rather than organisations, but some are government organisations and institutions. Most of the victims seen so far are in Kenya and Yemen.

“Slingshot is a sophisticated threat that uses a wide range of tools and methods, including the kernel-mode modules that have so far only emerged in the most advanced attacks,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab. “This is a valuable and profitable job for attackers, which explains why it has existed for at least six years.”

All Kaspersky Lab products successfully detect and block this threat. To avoid falling victim to such an attack, the company's researchers recommend the following measures:

Users of Mikrotik routers should upgrade to the latest software version as soon as possible to ensure protection against known vulnerabilities. Moreover, Mikrotik Winbox no longer downloads anything from the router to the user's computer.
Use a robust security solution with targeted-attack and threat-intelligence technologies.
Give security personnel access to the latest threat data, arming them with useful tools for researching and preventing targeted attacks, such as indicators of compromise, YARA rules and advanced threat reports.
If early indications of a targeted attack are identified, consider managed protection services that allow advanced threats to be detected proactively, reduce dwell time and arrange incident response in a timely fashion.
