Attackers Infect Computers with Cyberespionage Malware via Hacked Routers

Security researchers have discovered a new malware framework that’s used for cyberespionage and is delivered to computers through hacked MikroTik routers.

Dubbed Slingshot, the malware has a modular architecture and is on par with state-sponsored attack platforms including Project Sauron and Regin as far as sophistication goes, according to researchers from Kaspersky Lab.

Once deployed on a system, Slingshot replaces a legitimate Windows library with a malicious version while keeping the library’s original functionality and size. This allows the malicious code to be loaded with system privileges by the operating system while evading detection.

The loader then injects a kernel-mode driver called Cahnadr and a user-mode payload dubbed GollumApp. The driver is used to provide persistence for GollumApp and to thwart debugging and anti-rootkit procedures. It also hides network traffic and monitors the system’s network devices.
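The library-swap technique described above preserved the original file's size, which defeats any integrity check that compares only size or timestamps. The following is an added example (not code from the article or from Kaspersky's report) of a baseline-and-verify check that records a SHA-256 digest per file and reports whether a size-only comparison would have missed the change. The directory, the `System32/example.dll` name and the file contents are all constructed in a temporary directory; on a real Windows host this kind of check complements, rather than replaces, Authenticode signature verification.

```python
"""Baseline-and-verify check for on-disk library integrity.

Added example, not from the article or from Kaspersky's report. It shows why
a size-only comparison misses a swapped library whose size was preserved and
why a cryptographic hash (or signature) check is needed. All paths and file
contents are constructed inside a temporary directory.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record size and SHA-256 for every file under root, keyed by relative path."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            manifest[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return manifest


def verify(root, manifest):
    """Compare the tree against the manifest.

    Each finding notes whether the size was unchanged, i.e. whether a
    size-only check would have passed the tampered file.
    """
    findings = []
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings.append({"path": rel, "reason": "missing", "size_unchanged": False})
            continue
        size = os.path.getsize(full)
        digest = sha256_file(full)
        if digest != expected["sha256"]:
            findings.append({
                "path": rel,
                "reason": "hash_mismatch",
                "size_unchanged": size == expected["size"],
            })
    return findings


def demo():
    """Simulate a same-size library swap and return the verify() findings."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed file name; stands in for a system library.
        lib = os.path.join(root, "System32", "example.dll")
        os.makedirs(os.path.dirname(lib))
        original = b"MZ" + b"\x00" * 30 + b"legit export table placeholder"
        with open(lib, "wb") as fh:
            fh.write(original)
        manifest = build_manifest(root)

        # Overwrite with different bytes of exactly the same length.
        tampered = bytearray(original)
        tampered[-1:] = b"!"
        assert len(tampered) == len(original)
        with open(lib, "wb") as fh:
            fh.write(bytes(tampered))

        return verify(root, manifest)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the module prints a single finding with `reason` set to `hash_mismatch` and `size_unchanged` set to `True`: the digest catches the swap that a size comparison would have accepted.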

GollumApp steals passwords from browsers and information about USB devices and network connections, hard disk patterns, desktop activity and clipboard data. It can also log key strokes and launch additional modules with system privileges by calling the Cahnadr driver.

The Kaspersky researchers believe that Slingshot has been active since at least 2012 and is still in use. Infections have been found on around 100 computers belonging to individuals and government organizations from Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. This means that it’s being deployed against carefully selected targets.

Slingshot is probably installed on victim computers through multiple methods, but Kaspersky has discovered only one so far that abuses a legitimate management process for MikroTik routers.

Latvia-based router manufacturer MikroTik provides customers with a Windows-based management tool called WinBox that downloads and executes a DLL file stored on the router’s file system.

“During our research, we found several victims whose Mikrotik routers were hacked, resulting in it returning a suspicious ip4.dll file with the internal name chmhlpr.dll,” the Kaspersky researchers said in their paper. “Indeed, this DLL is a TrojanDownloader related to Slingshot.”

The Kaspersky researchers don’t know how those routers were hacked, but the CIA Vault7 files leaked by WikiLeaks describe an exploit for Mikrotik routers. According to MikroTik’s support forums, that exploit only works on RouterOS version 6.38.4, but one of the compromised routers found delivering Slingshot was running version 6.38.5, so it’s possible a different exploit was used.

MikroTik has updated its WinBox software to no longer download and execute the ipv4.dll file from routers, so users should install the latest version in order to close the attack vector.

“The development time, skill and cost involved in creating Slingshot’s complex toolset is likely to have been extremely high,” the Kaspersky Lab researchers said in a blog post. “Taken together, these clues suggest that the group behind Slingshot is likely to be highly organized and professional and probably state-sponsored.”

Over 10,000 Memcached-Based DDoS Attacks Recorded

Chinese security company Qihoo 360 has detected over 10,000 distributed denial-of-service (DDoS) attacks launched through misconfigured Memcached servers over the past week.

The company’s global DDoSmon service observed 50 Memcached amplification attacks per day on average before Feb. 24, but their frequency quickly rose to 372 per day by the end of last month and 1,938 per day this month.

Over the past week, attacks targeted 7,131 unique IP addresses belonging to a large variety of companies and services including Google, Amazon, GitHub, Comcast, Cloudflare, Microsoft, Orange, Avast, Kaspersky Lab, the National Rifle Association, Epoch Times, PornHub and others. Over 3,000 targets were based in the United States.

The number of publicly exposed Memcached servers abused for DDoS reflection and amplification every day varied between under 10,000 and 20,000.

The good news is that researchers from DDoS mitigation provider Corero Networks have discovered a “kill switch” that can be used to stop Memcached servers from sending malicious traffic.

The countermeasure relies on the “flush_all” command, which instructs an abused server to invalidate its cache, including the large payloads put there by attackers. The kill switch was shared with national security agencies for action, the company said this week.
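From the defender's side, the amplification traffic described above has a recognisable shape in flow data: many UDP flows from source port 11211 converging on one destination, each carrying large datagrams. The following is an added example (not from the article, Qihoo 360 or Corero) of detection logic over constructed flow records; the record format, the thresholds and all addresses are assumptions chosen for illustration.

```python
"""Flag likely Memcached reflection victims in flow records.

Added illustrative example, not part of the original article. The flow
records, their CSV layout and the thresholds are constructed for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211
# A UDP memcached reply to a tiny request is far larger than the request, so
# large average datagrams from port 11211 are treated as a reflection indicator.
MIN_AVG_BYTES = 1000
# Distinct reflecting servers replying to a single destination.
MIN_REFLECTORS = 3

# Constructed records: proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
# 203.0.113.10 is the (constructed) victim; 198.51.100.x are reflectors;
# the 10.0.0.x lines are ordinary internal cache traffic that must not fire.
SAMPLE_FLOWS = """\
UDP,198.51.100.1,11211,203.0.113.10,44212,900,1296000
UDP,198.51.100.2,11211,203.0.113.10,44212,850,1224000
UDP,198.51.100.3,11211,203.0.113.10,44212,910,1310400
UDP,198.51.100.4,11211,203.0.113.10,44212,400,576000
TCP,10.0.0.5,51000,10.0.0.20,11211,20,1500
TCP,10.0.0.20,11211,10.0.0.5,51000,20,3200
UDP,10.0.0.20,11211,10.0.0.5,51001,2,400
"""


@dataclass
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


def parse_flow(line):
    """Parse one constructed CSV flow record into a Flow."""
    proto, sip, sport, dip, dport, pkts, byts = line.strip().split(",")
    return Flow(proto, sip, int(sport), dip, int(dport), int(pkts), int(byts))


def find_reflection_victims(flows):
    """Group suspicious UDP/11211 flows by destination and apply the thresholds.

    Returns {dst_ip: {"reflector_count", "reflectors", "packets", "bytes"}}
    for destinations hit by at least MIN_REFLECTORS distinct servers.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port != MEMCACHED_PORT or f.packets == 0:
            continue
        if f.bytes / f.packets < MIN_AVG_BYTES:
            continue  # small replies: normal cache use, not amplification
        stats = per_dst[f.dst_ip]
        stats["reflectors"].add(f.src_ip)
        stats["packets"] += f.packets
        stats["bytes"] += f.bytes
    return {
        dst: {
            "reflector_count": len(s["reflectors"]),
            "reflectors": sorted(s["reflectors"]),
            "packets": s["packets"],
            "bytes": s["bytes"],
        }
        for dst, s in per_dst.items()
        if len(s["reflectors"]) >= MIN_REFLECTORS
    }


def analyse_sample():
    """Run the detector over the constructed sample records."""
    flows = [parse_flow(l) for l in SAMPLE_FLOWS.splitlines() if l.strip()]
    return find_reflection_victims(flows)


if __name__ == "__main__":
    for victim, stats in analyse_sample().items():
        print(victim, stats)
```

On the sample data only `203.0.113.10` is reported, with four reflectors; the internal client talking to its own cache over TCP, and the one small UDP reply, stay below the thresholds. Operators of Memcached servers close the reflection path at the source by binding the service to a private interface and disabling the UDP listener (`-U 0` in memcached's command-line options), which is the lasting fix that the `flush_all` kill switch only approximates.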

Lucian Constantin


Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
