Slingshot Malware Uses IoT Device in Targeted Attacks

A new APT malware attack has been discovered by Kaspersky Lab. The malware named Slingshot, due to a string in one of the hijacked system DLLs, is a sophisticated attack that leads to a nasty rootkit. The final rootkit named Cahnadr takes control of system processes, allowing for monitoring of keystrokes, clipboard, network traffic and more.

Background

Kaspersky Lab recently analyzed a sophisticated malware they named Slingshot. The paper published by Kaspersky Lab outlines details on how Slingshot operates and suggests the malware has been active since 2012. What makes Slingshot especially interesting is it used a compromised IoT device to infect targeted organizations.

So far, only one vendor’s router, MikroTik, has been reliably identified as being used in the compromise. MikroTik is based out of Riga, Latvia, and markets routers and wireless ISP systems to a global user base.

Malware details

It’s still not known how the attackers gained access to the MikroTik routers. There are some vulnerabilities they could have potentially been used. Here are some examples.

Once they had gained access to the router, the investigation found an interesting vulnerability that was exploited. CVE-2012-6050 reported a list of issues with the MikroTik routers. One issue has to do with a piece of management software that accompanies the MikroTik router called Winbox. When Winbox starts, it will pull a set of DLLs from the IoT device that it requires for management capabilities. The problem is it will also transfer any DLL that’s placed locally on the device and load it, including malicious DLLs. This flaw was used in the analyzed attacks to place a DLL named ipv4.dll on the router. The DLL was downloaded by legitimate users, granting the attackers access to their systems, and providing a beachhead for further attacks, such as lateral transfer.

Once the ipv4.dll is on the system, one of the first things this attack does is hijack a system process by overwriting a windows DLL with a custom DLL. There are a few examples of different DLLs they used here for this part of the attack. As an example, they used the scesrv.dll in one of their attacks. The details behind this are interesting due to how they replicate the file size and compress the original code to hide their presence, but this does still expose the infection because of code signing. Anything that comes out of Microsoft is expected to be signed by “© Microsoft Corporation. All rights reserved” with a valid cert and validate in the authenticode process on the system. This includes things such as the scesrv.dll that’s on the system in this attack. If you look at the Virus Total report, it shows this isn’t signed – something that should make what’s being reported as a six-year-old attack detectable.

Plugin 108411, Malicious Process Detection: Authenticode Microsoft Manufacturer

From here, the report talks about how the rootkit gains access by bypassing x64 Driver Signing Protection using some vulnerabilities in some existing drivers:

5F9785E7535F8F602CB294A54962C9E7 SpeedFan.sys - CVE-2007-5633

9a237fa07ce3ed06ea924a9bed4a6b99 Sandra.sys - CVE-2010-1592

978CD6D9666627842340EF774FD9E2AC ElbyCDIO.sys - CVE-2009-0824

This is a fairly eclectic list of vulnerabilities. It isn’t something you see at the top of most people's radars, yet it’s still a large threat for privilege escalation. With targeted style attacks like this, the things hidden in the weeds can be gold mines. Once the malware can exploit the drivers to gain system privilege, they implant their rootkit and user space module, then do some work to hide themselves.

Conclusion

An initial 100 infections have been identified in the following countries: Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Democratic Republic of the Congo, Turkey, Sudan and United Arab Emirates.

The moral of the story is attackers will target the entire attack surface, and IoT devices are becoming increasingly popular vectors for attackers. Understanding how these devices are exposed is more important than ever. In this particular attack, the MikroTik routers potentially left a harder target exposed and enabled the attacker to leverage multiple vulnerabilities to get a very nasty piece of malware installed.

Urgently required actions

Kaspersky states, “Users of MikroTik routers should upgrade to the latest software version as soon as possible to ensure protection against known vulnerabilities. Further, MikroTik Winbox no longer downloads anything from the router to the user’s computer."

Identifying affected systems

You can begin looking for this infection by monitoring several plugins already present in the network. For example, MikroTik RouterOS Winbox Detection (59731) and MikroTik Winbox < 5.17 File Download DoS (59732) both may be present on networks that use MikroTik routers.

MikroTik plugins
59731 : MikroTik RouterOS Winbox Detection
59732 : MikroTik Winbox < 5.17 File Download DoS
108521 : MikroTik RouterOS < 6.41.3 SMB Buffer Overflow