Slingshot is probably installed on victim computers through multiple methods, but Kaspersky has discovered only one so far, and it abuses a legitimate management process for MikroTik routers. Latvia-based router manufacturer MikroTik provides customers with a Windows-based management tool called WinBox that downloads and executes a DLL file stored on the router's file system.

“During our research, we found several victims whose Mikrotik routers were hacked, resulting in it returning a suspicious ip4.dll file with the internal name chmhlpr.dll,” the Kaspersky researchers said. “Indeed, this DLL is a TrojanDownloader related to Slingshot.”

The Kaspersky researchers don't know how those routers were hacked, but the CIA Vault7 files leaked by WikiLeaks describe an exploit for MikroTik routers. According to MikroTik's support forums, that exploit only works on RouterOS version 6.38.4, but one of the compromised routers found delivering Slingshot was running version 6.38.5, so it's possible a different exploit was used.

MikroTik has updated its WinBox software to no longer download and execute the ipv4.dll file from routers, so users should install the latest version in order to close the attack vector.

Once on the computer, the malicious code is loaded with system privileges by the operating system itself, which also helps it evade detection. The loader then injects a kernel-mode driver called Cahnadr and a user-mode payload dubbed GollumApp. The driver provides persistence for GollumApp and thwarts debugging and anti-rootkit procedures; it also hides network traffic and monitors the system's network devices.

GollumApp steals passwords from browsers and information about USB devices and network connections, hard disk patterns, desktop activity and clipboard data. It can also log keystrokes and launch additional modules with system privileges by calling the Cahnadr driver.

The Kaspersky researchers believe that Slingshot has been active since at least 2012 and is still in use. Infections have been found on around 100 computers belonging to individuals and government organizations from Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. This means that it is being deployed on carefully selected targets.

“The development time, skill and cost involved in creating Slingshot's complex toolset is likely to have been extremely high,” the Kaspersky Lab researchers said.
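The one concrete artifact the article gives a defender is a DLL delivered under one file name (ip4.dll) whose version resource carries another internal name (chmhlpr.dll). The Python below is an added example, not code from the article or from Kaspersky's report: it walks a file's VS_VERSIONINFO resource, reads the InternalName string, and flags DLLs whose internal name disagrees with the name they sit under on disk. The "DLL" it builds for itself is a constructed, hand-assembled version resource with junk around it (not a real PE), so the check can be exercised offline; the WinBox cache location in the usage note is an assumption.

```python
"""Flag DLLs whose VERSIONINFO InternalName disagrees with their on-disk name.
Added example; not code from the article or from Kaspersky's report."""
import os
import struct
from typing import Dict, List, Optional, Sequence, Tuple

# UTF-16LE key that opens every VS_VERSIONINFO block, NUL-terminated.
VS_KEY = "VS_VERSION_INFO".encode("utf-16-le") + b"\x00\x00"


def _pad4(n: int) -> int:
    return (n + 3) & ~3


def _parse_node(buf: bytes, off: int, out: Dict[str, str]) -> int:
    """Walk one node (VS_VERSIONINFO, StringFileInfo, StringTable, String...).
    Layout: wLength, wValueLength, wType, UTF-16LE key, DWORD pad, value,
    DWORD pad, children. Text leaves are collected in out; returns node end.
    Offsets are relative to the block start, which alignment is defined on."""
    w_len, w_val_len, w_type = struct.unpack_from("<HHH", buf, off)
    end = off + w_len
    if w_len < 6 or end > len(buf):
        raise ValueError("malformed VERSIONINFO node")
    p = q = off + 6
    while q + 2 <= end and buf[q:q + 2] != b"\x00\x00":  # 2-byte steps
        q += 2
    if q + 2 > end:
        raise ValueError("unterminated key")
    key = buf[p:q].decode("utf-16-le", errors="replace")
    p = _pad4(q + 2)
    if w_val_len:
        if w_type == 1:  # text value; wValueLength counts WORDs
            raw = buf[p:p + 2 * w_val_len]
            out[key] = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
            p += 2 * w_val_len
        else:  # binary value (VS_FIXEDFILEINFO, Translation); counts bytes
            p += w_val_len
        p = _pad4(p)
    while p < end:
        p = _pad4(_parse_node(buf, p, out))
    return end


def extract_version_strings(data: bytes) -> Dict[str, str]:
    """Locate the version resource by its key in raw file bytes and walk it,
    without parsing the PE resource directory. Returns {} when absent/broken."""
    idx = data.find(VS_KEY)
    if idx < 6:
        return {}
    out: Dict[str, str] = {}
    try:
        _parse_node(data[idx - 6:], 0, out)
    except (ValueError, struct.error):
        return {}
    return out


def internal_name_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Return the InternalName when it differs from the delivered file name."""
    internal = extract_version_strings(data).get("InternalName")
    if internal and internal.lower() != os.path.basename(filename).lower():
        return internal
    return None


def scan_dir(path: str) -> List[Tuple[str, str]]:
    """Report (path, InternalName) for every mismatched .dll under path."""
    hits: List[Tuple[str, str]] = []
    for root, _, files in os.walk(path):
        for name in files:
            if name.lower().endswith(".dll"):
                full = os.path.join(root, name)
                with open(full, "rb") as fh:
                    internal = internal_name_mismatch(full, fh.read())
                if internal:
                    hits.append((full, internal))
    return hits


# --- constructed sample so the check runs offline (not a real PE) --------
def _text(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"


def _node(key: str, value: bytes = b"", text: bool = True,
          children: Sequence[bytes] = ()) -> bytes:
    body = _text(key)
    body += b"\x00" * (_pad4(6 + len(body)) - (6 + len(body)))
    body += value
    for child in children:
        body += b"\x00" * (_pad4(6 + len(body)) - (6 + len(body)))
        body += child
    val_len = len(value) // 2 if text else len(value)
    return struct.pack("<HHH", 6 + len(body), val_len, 1 if text else 0) + body


def build_sample_dll(internal_name: str) -> bytes:
    """Junk bytes around a hand-built version resource with the given name."""
    strings = _node("StringFileInfo", children=[_node("040904B0", children=[
        _node("CompanyName", _text("Example Corp")),
        _node("InternalName", _text(internal_name)),
        _node("OriginalFilename", _text(internal_name))])])
    var = _node("VarFileInfo", children=[
        _node("Translation", struct.pack("<HH", 0x0409, 0x04B0), text=False)])
    fixed = struct.pack("<I", 0xFEEF04BD) + b"\x00" * 48  # VS_FIXEDFILEINFO shape
    root = _node("VS_VERSION_INFO", fixed, text=False, children=[strings, var])
    return b"MZ" + b"\x00" * 62 + root + b"\x00" * 16


if __name__ == "__main__":
    sample = build_sample_dll("chmhlpr.dll")
    print(internal_name_mismatch("ip4.dll", sample))  # chmhlpr.dll
```

Point `scan_dir` at the directory where WinBox keeps files it pulled from routers (assumed here to be under %APPDATA%\Mikrotik\Winbox; confirm on your own install) or at any directory a WinBox host writes to. Treat a hit as a lead rather than a verdict: legitimate DLLs are occasionally renamed at install time, so confirm with hashes and a look at what the file imports before acting on it.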