No Link to Known APT Group Cited, But Attackers Appear to Like Tolkien
Kaspersky Lab says it has uncovered an elegant piece of malware that in part leveraged a Latvian-designed router as part of a stealthy attack campaign that has persisted for over six years.
The Moscow-based security firm hints that the engineering behind the malware, dubbed Slingshot, could only have been accomplished by a well-resourced attacker. But it stopped short of naming one.
The security firm says it’s identified at least 100 victims of Slingshot, mostly in the Middle East and Africa. Close to half of the victims were in Kenya, with the rest in places including Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Democratic Republic of the Congo, Turkey, Sudan and United Arab Emirates.
According to a 25-page technical paper published by Kaspersky Lab, Slingshot’s framework was designed for flexibility and reliability, which is why it has flown under the radar since 2012.
“The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor,” the company writes.
Kaspersky wasn’t able to determine the vector that resulted in the infection of most of Slingshot’s victims. But it did figure out one: routers from Latvian computer networking equipment manufacturer MikroTik.
For some time, MikroTik’s router firmware downloaded other components directly onto Windows computers. That was the expected behavior, although now MikroTik has since modified its software.
The tip-off came as Kaspersky was investigating a suspected keylogger. The company came across a malicious library that could interact with the virtual file system.
MikroTik included router management software called Winbox, which downloaded dynamic link libraries and loaded them directly into a computer’s memory. The attackers managed to swap a legitimate DLL for a malicious downloader that ended up on victims’ computers.
Kaspersky writes that the malicious downloader was exactly the same size as the legitimate one. Once the DLL has loaded other malicious modules – one a kernel-mode called Cahnadr and another called GollumApp in user mode – the original deleted DLL is replaced.
“The references to Tolkien’s ‘Lord of the Rings’ – Gollum, Smeagol – could suggest the authors are fans of Tolkien’s work.”
GollumApp, named after a character in “The Hobbit,” collects network-based information, handles input/output requests for the encrypted file system, collects saved passwords in Firefox and Internet Explorer and logs keystrokes or pull information from the clipboard, among other functions.
Kaspersky says it hasn’t been able to identify how MikroTik’s routers were initially infected in order for the attackers to abuse Winbox’s behavior. But it does note that suspected CIA tools contained in WikiLeaks’ Vault7 dump do mention an attack related to MikroTik.
The exploit is called ChimayRed. After it became public, MikroTik issued a statement saying that it had released a new version of its router firmware, RouterOS 6.38.4, that should remove any malicious files in devices that had been compromised.
However, one of the victims studied by Kaspersky ran version “6.38.5 of the firmware, making it unclear whether this version is still vulnerable or if attackers used a different one,” the security firm writes.
“We contacted MikroTik and reported this attack procedure,” it adds. “According to MikroTik, latest versions of Winbox no longer download the ipv4.dll file from the router, closing the attack vector.”
In a March 2017 posting to its own forum, MikroTik says it was unable to obtain the exploit from WikiLeaks. But it did note that ChimayRed was only effective if the firewall on port 80 had been disabled. The firewall is active by default.
Nod to J.R.R. Tolkien
Kaspersky steered away from attempting to guess the identity of Slingshot’s authors – a wise move given enduring controversies over attributing attacks in the murky cyber-espionage world.
But Kaspersky does say that Slingshot doesn’t appear to have any links to other so-called advanced persistent threats.
The only definitive conclusion is that whoever designed the malicious code appears to have been a fan of J.R.R. Tolkien’s fantasy novels. They also had good grammar skills.
“Most of the debug messages found throughout the platform are written in perfect English,” Kaspersky Lab writes. “The references to Tolkien’s ‘Lord of the Rings’ – Gollum, Smeagol – could suggest the authors are fans of Tolkien’s work.”