How ‘Slingshot’ Router Malware Lurked for Six Years

Anti-Malware, Cybercrime, Cyberwarfare / Nation-state attacks

No Link to Known APT Group Cited, But Attackers Appear to Like Tolkien

Source: Kaspersky Lab

Kaspersky Lab says it has uncovered an elegant piece of malware that in part leveraged a Latvian-designed router as part of a stealthy attack campaign that has persisted for over six years.


The Moscow-based security firm hints that the engineering behind the malware, dubbed Slingshot, could only have been accomplished by a well-resourced attacker. But it stopped short of naming one.

Kaspersky gives Slingshot high praise, putting it on a level of Regin and Project Sauron.

The security firm says it’s identified at least 100 victims of Slingshot, mostly in the Middle East and Africa. Close to half of the victims were in Kenya, with the rest in places including Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Democratic Republic of the Congo, Turkey, Sudan and United Arab Emirates.

According to a 25-page technical paper published by Kaspersky Lab, Slingshot’s framework was designed for flexibility and reliability, which is why it has flown under the radar since 2012.

“The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor,” the company writes.

Latvian Routers

Kaspersky wasn’t able to determine the vector that resulted in the infection of most of Slingshot’s victims. But it did figure out one: routers from Latvian computer networking equipment manufacturer MikroTik.

For some time, MikroTik’s router firmware downloaded other components directly onto Windows computers. That was the expected behavior, although MikroTik has since modified its software.

The tip-off came as Kaspersky was investigating a suspected keylogger. The company came across a malicious library that could interact with the virtual file system.

MikroTik included router management software called Winbox, which downloaded dynamic link libraries and loaded them directly into a computer’s memory. The attackers managed to swap a legitimate DLL for a malicious downloader that ended up on victims’ computers.

Kaspersky writes that the malicious downloader was exactly the same size as the legitimate one. Once the DLL has loaded the other malicious modules – a kernel-mode module called Cahnadr and a user-mode module called GollumApp – the original DLL that had been removed is put back in place.
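The passage above turns on a simple point: a substituted module that matches the legitimate one byte-for-byte in size will pass any check that only compares sizes. The following added example (not Kaspersky's or MikroTik's code) shows the check a defender would want instead: a pinned SHA-256 allowlist for every module a management client fetches from a network device. The module name `ipv4.dll` comes from the article; the byte strings, the allowlist and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample module images. Both are exactly 48 bytes, so a
# size-only comparison cannot tell them apart.
KNOWN_GOOD_MODULE = b"MZ" + b"\x00" * 6 + b"legitimate-module-v1".ljust(40, b"\x00")
SAME_SIZE_SUBSTITUTE = b"MZ" + b"\x00" * 6 + b"substituted-module-X".ljust(40, b"\x00")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Allowlist of modules the client is willing to load: name -> (size, SHA-256).
# In practice the hash is pinned from a trusted build artefact at deploy time;
# here it is computed from the constructed known-good image.
MODULE_ALLOWLIST = {
    "ipv4.dll": (len(KNOWN_GOOD_MODULE), sha256_hex(KNOWN_GOOD_MODULE)),
}


def size_check_passes(name: str, data: bytes) -> bool:
    """The weak check: accept a fetched module if its size matches the expected one."""
    expected = MODULE_ALLOWLIST.get(name)
    return expected is not None and len(data) == expected[0]


def integrity_check_passes(name: str, data: bytes) -> bool:
    """The strong check: size must match AND the pinned SHA-256 must match.

    hmac.compare_digest is used so the comparison time does not depend on
    where the two hex strings first differ.
    """
    expected = MODULE_ALLOWLIST.get(name)
    if expected is None:
        return False  # unknown module names are never loaded
    expected_size, expected_hash = expected
    if len(data) != expected_size:
        return False
    return hmac.compare_digest(sha256_hex(data), expected_hash)


def evaluate_samples() -> dict:
    """Run both checks over the constructed samples; returns a summary dict."""
    return {
        "good_size": size_check_passes("ipv4.dll", KNOWN_GOOD_MODULE),
        "swap_size": size_check_passes("ipv4.dll", SAME_SIZE_SUBSTITUTE),
        "good_hash": integrity_check_passes("ipv4.dll", KNOWN_GOOD_MODULE),
        "swap_hash": integrity_check_passes("ipv4.dll", SAME_SIZE_SUBSTITUTE),
        "unknown_name": integrity_check_passes("other.dll", KNOWN_GOOD_MODULE),
    }


if __name__ == "__main__":
    for check, result in evaluate_samples().items():
        print(f"{check}: {'accepted' if result else 'rejected'}")
```

The size-only check accepts both images; the hash check accepts only the known-good one. The same allowlist approach also refuses any module name that was never expected, which is the other half of closing a download-and-load vector.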


GollumApp, named after a character in “The Hobbit,” collects network-based information, handles input/output requests for the encrypted file system, collects saved passwords in Firefox and Internet Explorer, and logs keystrokes and pulls information from the clipboard, among other functions.

MikroTik Exploit

Kaspersky says it hasn’t been able to identify how MikroTik’s routers were initially infected in order for the attackers to abuse Winbox’s behavior. But it does note that suspected CIA tools contained in WikiLeaks’ Vault7 dump do mention an attack related to MikroTik.

The exploit is called ChimayRed. After it became public, MikroTik issued a statement saying that it had released a new version of its router firmware, RouterOS 6.38.4, that should remove any malicious files in devices that had been compromised.

However, one of the victims studied by Kaspersky ran version “6.38.5 of the firmware, making it unclear whether this version is still vulnerable or if attackers used a different one,” the security firm writes.

“We contacted MikroTik and reported this attack procedure,” it adds. “According to MikroTik, latest versions of Winbox no longer download the ipv4.dll file from the router, closing the attack vector.”

In a March 2017 posting to its own forum, MikroTik says it was unable to obtain the exploit from WikiLeaks. But it did note that ChimayRed was only effective if the firewall on port 80 had been disabled. The firewall is active by default.

Nod to J.R.R. Tolkien

Kaspersky steered away from attempting to guess the identity of Slingshot’s authors – a wise move given enduring controversies over attributing attacks in the murky cyber-espionage world.

But Kaspersky does say that Slingshot doesn’t appear to have any links to other so-called advanced persistent threats.

The only definitive conclusion is that whoever designed the malicious code appears to have been a fan of J.R.R. Tolkien’s fantasy novels. They also had good grammar skills.

“Most of the debug messages found throughout the platform are written in perfect English,” Kaspersky Lab writes. “The references to Tolkien’s ‘Lord of the Rings’ – Gollum, Smeagol – could suggest the authors are fans of Tolkien’s work.”

Behind the Beard Lurked a Darknet Drug Lord, DEA Alleges

Cybersecurity, Fraud

Agency Says It Traced Bitcoins From Vendor ‘Tip Jar’ to Frenchman Gal Vallerius

Gal Vallerius. (Photo: Twitter)

A beard can disguise one’s identity, be it to bypass paparazzi or rob a bank. Of course, not all beards are bad. But behind the hirsute exterior of competitive beard-grower Gal Vallerius, there lurks a darknet drug lord, U.S. authorities allege.


The Drug Enforcement Agency has accused the 38-year-old Frenchman of sporting the decidedly non-Gallic moniker “OxyMonster” and serving as an administrator and vendor on the darknet marketplace called Dream Market.

Vallerius was arrested on August 31 at Atlanta International Airport, while en route from his home in France to compete in the annual World Beard and Moustache Championships in Austin, Texas. He appeared earlier this month in federal court in Atlanta, where he did not contest his identity or detention.

On Sept. 15, Linda T. Walker, a federal magistrate judge in Atlanta, ordered Vallerius to be transferred to federal court in Miami, where he’ll face a conspiracy to distribute controlled substances charge that carries a maximum penalty of life imprisonment.

Vallerius’s attorney, John Lovell, could not be immediately reached for comment.

Vallerius allegedly distributed controlled substances from May 2015 until this past August, according to the DEA. It says the FBI, Internal Revenue Service, Homeland Security Investigations and the U.S. Postal Inspection Service also participated in the investigation.

At the time of his arrest, Vallerius was carrying a laptop, on which agents conducted a “border search” and found evidence confirming that he was “OxyMonster,” according to an Aug. 31 affidavit signed by DEA Special Agent Austin D. Love.

In addition, it says the laptop contained a copy of the Tor browser, “apparent login credentials for Dream Market,” plus $500,000 worth of bitcoins and a PGP encryption key named “OxyMonster” that matched the key used by the Dream Market vendor called OxyMonster.

“The Dream Market website is specifically designed to facilitate illegal commerce by working to ensure the anonymity of its administrators, as well as the buyers and sellers who participate in commerce on the website,” according to the DEA’s affidavit.

Darknet marketplaces function like illicit versions of eBay. “Sellers create accounts on Dream Market to advertise their products, such as narcotics or hacked computer passwords, and buyers create accounts to browse sellers’ products and purchase them,” according to Love’s affidavit.

Darknet sites, which carry a “.onion” address, are only reachable by using the Tor anonymizing browser. Like other darknet marketplaces, Dream Market uses cryptocurrency to attempt to disguise the identity of buyers and sellers. But while cryptocurrency is pseudonymous, it does not automatically confer anonymity on buyers, especially when they attempt to convert cryptocurrency into cash.

Tumbling Services

Dream Market, however, allegedly also offers its own “tumbling” or “mixing” service, designed to blend and route multiple bitcoin transactions through a succession of accounts to try to make individual transactions more difficult to trace.

At the end of August, the DEA says there were more than 94,000 listings on Dream Market across the following categories:

  • Drugs (47,405 listings): Including subsections listing everything from opioids, ecstasy and cannabis to psychedelics, steroids and weight loss drugs;
  • Digital goods (41,394 listings): Including data, drugs, e-books, fraud, fraud-related goods, hacking, information, security and software;
  • Drug paraphernalia (456 listings);
  • Services (3,056 listings): Including subsections listing items under hacking, IDs and passports, money and cash out;
  • Other (2,383 listings): Including subsections for counterfeits, electronics, jewelry, lab supplies and defense.

Dream Market is the world’s second-largest darknet marketplace, after Russian-language darknet site RAMP, and followed in size by Silk Road 3.1, according to DeepDotWeb, a site that tracks the dark web.

While darknet marketplaces have long been popular, this summer’s international, coordinated law enforcement takedown of the world’s former two largest darknet marketplaces – AlphaBay and Hansa – has driven many users to rival sites, including Dream Market, according to authorities (see Police Seize World’s Two Largest Darknet Marketplaces).

Since early 2016, DEA agents have been making undercover narcotics buys off of Dream Market sellers – including sellers using the handles Digitalpossi2014, ReximumMaximus and MethForDummies – and receiving them via undercover mailboxes in Miami, according to the affidavit.

Like the Quebecois administrator of AlphaBay, Alexandre Cazes, who was found dead in his Thai jail cell after being arrested July 5, an administrator of Dream Market would have allegedly benefited from the commission charged by the site on the sale price of every item sold (see One Simple Error Led to AlphaBay Admin’s Downfall).

“Dream Market charges a commission from every transaction as a percentage of the sale price,” according to the DEA’s affidavit.

Follow the Bitcoins

“OxyMonster” was listed as being a “senior moderator” on Dream Market, and first registered a profile on the site in May 2015. In June, the DEA said his account was advertising “controlled substances OxyContin and Ritalin,” and “his profile stated that he ships from France to anywhere in Europe,” although a linked listing at TradeRoute – a way to purchase goods as well as leave cryptocurrency tips for vendors – said he also shipped to the United States.

“After observing the bitcoin ‘tip jar’ advertised by OxyMonster, agents conducted analysis of the incoming and outgoing transactions from that bitcoin address and learned that 15 out of 17 outgoing transactions from the OxyMonster tip jar went to multiple wallets controlled by French national Gal Vallerius on,” a site that allows people to buy and sell bitcoins.
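The tumbling description earlier in the article and the tip-jar analysis quoted above are two sides of the same investigative technique: following value from a known address through intermediate hops to wallets that can be tied to a person. The added example below (not the DEA's tooling, whose methods the affidavit does not describe) shows one standard way to do this on a public ledger, proportional or "haircut" taint propagation, over a constructed transaction list. Every address, amount and transaction id is made up; `tipjar`, the mixer hops and the exchange wallets are placeholders, and the ledger is assumed to be listed in chronological order.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample ledger: (tx id, from address, to address, amount).
# Amounts are whole units to keep the arithmetic exact; the mixer hops
# stand in for a tumbling service that blends funds from several users.
SAMPLE_TXS = [
    ("tx1", "tipjar", "mixA", 5),
    ("tx2", "tipjar", "mixB", 3),
    ("tx3", "tipjar", "exch_w1", 2),     # direct payout, no mixing
    ("tx4", "mixA", "hop1", 5),
    ("tx5", "other_user", "mixB", 7),    # unrelated funds blended in
    ("tx6", "mixB", "hop2", 10),
    ("tx7", "hop1", "exch_w2", 5),
    ("tx8", "hop2", "exch_w3", 6),
    ("tx9", "hop2", "unrelated", 4),
]


def outgoing_to_cluster(txs, source, cluster):
    """Count direct outgoing transactions from `source` that land in `cluster`.

    Returns (hits, total_outgoing); this is the kind of figure the affidavit
    quotes ("15 out of 17 outgoing transactions").
    """
    outgoing = [tx for tx in txs if tx[1] == source]
    hits = sum(1 for tx in outgoing if tx[2] in cluster)
    return hits, len(outgoing)


def propagate_taint(txs, source):
    """Proportional (haircut) taint propagation from `source`.

    Every unit leaving `source` is fully tainted. When an address later
    spends, the spent amount carries the same tainted fraction as that
    address's known balance, so mixing with clean funds dilutes but never
    destroys the taint. Funds arriving from addresses with no recorded
    balance are treated as clean. Returns {address: tainted balance}.
    """
    balance = defaultdict(Fraction)
    tainted = defaultdict(Fraction)
    seed = sum(Fraction(amt) for _, frm, _, amt in txs if frm == source)
    balance[source] = tainted[source] = seed

    for _, frm, to, amt in txs:
        amt = Fraction(amt)
        frac = tainted[frm] / balance[frm] if balance[frm] > 0 else Fraction(0)
        moved = min(amt * frac, tainted[frm])
        balance[frm] = max(Fraction(0), balance[frm] - amt)
        tainted[frm] = max(Fraction(0), tainted[frm] - moved)
        balance[to] += amt
        tainted[to] += moved

    return {addr: t for addr, t in tainted.items() if t > 0}


def tainted_value_in_cluster(taint, cluster):
    """Total tainted value that ended up in the given set of addresses."""
    return sum((taint.get(addr, Fraction(0)) for addr in cluster), Fraction(0))


if __name__ == "__main__":
    exchange = {"exch_w1", "exch_w2", "exch_w3"}
    hits, total = outgoing_to_cluster(SAMPLE_TXS, "tipjar", exchange)
    print(f"direct: {hits} of {total} outgoing transactions reach the exchange cluster")
    taint = propagate_taint(SAMPLE_TXS, "tipjar")
    for addr, value in sorted(taint.items()):
        print(f"{addr}: {value} tainted units")
    print(f"via all hops: {tainted_value_in_cluster(taint, exchange)} of 10 units")
```

Counting only direct hops, one of the tip jar's three outgoing transactions reaches the exchange cluster; following the value through the mixer hops, 8.8 of the 10 units do. Exact fractions are used so the conservation property (tainted value is never created or lost, only diluted) can be checked rather than approximated.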

The DEA says its agents also found Instagram and Twitter accounts for Vallerius, and compared the writing style used on those services to posts from “OxyMonster” on Dream Market. “Agents discovered many similarities in the use of words and punctuation … including: the word ‘cheers,’ double exclamation marks, frequent use of quotation marks and intermittent French posts,” according to the affidavit.

According to Vallerius’s Twitter account, he placed eighth in “world beard” at the World Beard and Moustache Championships in 2015, and was ranked fifth at the European Beard and Moustache Championships earlier this year.