A cyber espionage campaign bearing all of the hallmarks of an extremely advanced nation-state actor used malware to spy on international targets for six years before it was finally detected and exposed, Kaspersky Lab reported on Friday.
Dubbed Slingshot, the clandestine campaign heavily targeted the Middle East and Africa, and employed uncommonly sophisticated tactics for remaining invisible while exfiltrating troves of information, according to Kaspersky, whose researchers made the discovery last February. For instance, the adversaries were found to have compromised routers from Latvia-based Mikrotik to deliver a malicious downloader that executes additional malicious code, including two never-before-seen payloads.
One of these final payloads, GollumApp, contains nearly 1,500 user-code functions and is responsible for persistence, file system control and command-and-control communications. The other, Canhadr, or NDriver, provides kernel-level access to the hard drive and operating memory, while avoiding debugging and security detection measures. Even more impressively, it is able to execute malicious code while in kernel mode, without crashing the file system or triggering a Blue Screen — something Kaspersky calls a “remarkable achievement” in an FAQ web page describing the campaign.
Kernel access means that the actors have total control and unfettered access to screenshots, keyboard activity, network data, passwords, USB connections, desktop activity, clipboard contents, personal information including Social Security numbers, and more. “There are no restrictions, no limitations, and no protection for the user (or none that the malware can’t easily bypass),” the Kaspersky FAQ page warns, noting that the campaign was still active as of its analysis.
Kaspersky made its big discovery when an investigation into a suspected keylogger turned up a malicious DLL file that is capable of interacting with a virtual file system and acting as a malicious downloader. This DLL, named Slingshot (which gave the overall campaign its name), replaces the victim’s legitimate Windows library “scesrv.dll” with a malicious version, allowing the attackers to interact with various modules and further compromise the machine with malware.
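A replaced system library such as scesrv.dll is the kind of change a defender can catch with a baseline-and-compare check: record hashes of protected DLLs while the host is known-good, then re-hash and report anything that changed or went missing. The script below is an added example, not Kaspersky's code or the malware's; the directory layout, the short list of protected names and the fake file contents are all constructed for the demo (on a real host you would point it at %SystemRoot%\System32 and keep the baseline off-box).

```python
"""Baseline-and-compare check for replaced system DLLs (added example).

The file list, directory and byte contents are constructed for the demo.
"""
import hashlib
import os
import tempfile

PROTECTED = ("scesrv.dll", "ntdll.dll", "kernel32.dll")  # illustrative subset


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(system_dir, names=PROTECTED):
    """Map each protected DLL name to its SHA-256, taken on a trusted host."""
    return {n: sha256_file(os.path.join(system_dir, n)) for n in names}


def compare(system_dir, baseline):
    """Return {name: reason} for every baseline entry that no longer matches."""
    findings = {}
    for name, expected in baseline.items():
        path = os.path.join(system_dir, name)
        if not os.path.exists(path):
            findings[name] = "missing"
            continue
        actual = sha256_file(path)
        if actual != expected:
            findings[name] = f"hash changed: {expected[:12]}... -> {actual[:12]}..."
    return findings


def demo():
    """Constructed scenario: clean snapshot, then scesrv.dll is swapped out."""
    with tempfile.TemporaryDirectory() as sysdir:
        for n in PROTECTED:
            with open(os.path.join(sysdir, n), "wb") as f:
                f.write(b"MZ legitimate " + n.encode())  # fake DLL bytes
        baseline = build_baseline(sysdir)
        if compare(sysdir, baseline):
            raise RuntimeError("clean host should produce no findings")
        with open(os.path.join(sysdir, "scesrv.dll"), "wb") as f:
            f.write(b"MZ malicious loader")  # simulate the replacement
        return compare(sysdir, baseline)


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

Two caveats a practitioner should keep in mind. A hash baseline only sees what the file system shows it; a kernel-mode component like Canhadr can hide or redirect reads of the replaced file, so the check is most trustworthy when run from a trusted offline image of the disk. On a live Windows host the native equivalent is to verify the Authenticode signature of the library (for example with PowerShell's Get-AuthenticodeSignature), which catches a replaced binary without needing a locally stored baseline.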
Kaspersky researchers believe the attackers have used several different attack vectors for introducing the Slingshot malware. But so far, most of the observed infections were executed by somehow smuggling the malicious DLL into a package of otherwise legitimate DLLs that Mikrotik routers serve to their administrators’ computers. Once the Mikrotik router’s administrator was infected, Slingshot could then begin loading the secondary-stage spyware.
The researchers suspect that the attackers are likely also exploiting Windows vulnerabilities as an alternative vector, although they do not know of a specific exploit in use. “During our research, we discovered a campaign component that was developed to download main components of this APT to the victim computer, but this component was not involved in the [Mikrotik router] scheme. That’s why we assumed that it may have been used in other initial attack vectors,” explained Alexey Shulmin, lead malware analyst at Kaspersky Lab, in an interview with SC Media.
Kaspersky also thinks some victims could have been infected through other routers — a theory supported by the presence of another malicious downloader component called KPWS.
The actors behind Slingshot were able to hide their activity for years by employing a variety of evasive maneuvers, including string encryption in the malware’s modules, calling system services directly to bypass security product hooks, and anti-debugging techniques, Kaspersky reports. Also, whenever the malware detects signs of a system shutdown or another significant event, it can shut down its components while still ensuring they complete their tasks cleanly and properly, without any leftover forensic traces.
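String encryption defeats the first thing an analyst does with a suspicious module, which is to run it through `strings` and look for paths, registry keys and URLs. The usual response is to try every key of a cheap scheme and search the decoded output for known plaintext. The scheme Slingshot actually used is not described on this page; the single-byte XOR in the added example below is an assumption chosen because it is the most common cheap obfuscation and the brute-force approach generalises to it. The code is not from the report or the malware, and the sample "module" and its embedded strings are constructed.

```python
"""Recover single-byte-XOR-obfuscated strings from a binary blob (added example).

The XOR scheme and the sample blob are assumptions made for the demo.
"""
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # printable runs, as `strings` reports


def printable_strings(blob):
    """What a plain `strings` pass would show."""
    return [m.group().decode() for m in ASCII_RUN.finditer(blob)]


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def xor_scan(blob, markers):
    """Try all 256 single-byte keys; return {key: [(offset, decoded_run), ...]}.

    Only runs containing one of the known-plaintext markers are reported, so
    the output stays small. Key 0 is included so cleartext hits show up too.
    """
    hits = {}
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for m in ASCII_RUN.finditer(decoded):
            run = m.group()
            if any(mk in run for mk in markers):
                hits.setdefault(key, []).append((m.start(), run.decode()))
    return hits


def build_sample():
    """Constructed 'module': PE-like header, DOS stub text, then a XOR-0x5A config."""
    secret = (b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
              b"scesrv.dll\x00"
              b"http://c2.example.invalid/upd\x00")
    return (b"MZ" + b"\x00" * 32
            + b"This program cannot be run in DOS mode"
            + b"\x00" * 16
            + xor_bytes(secret, 0x5A)
            + b"\x00" * 8)


# Known plaintext worth hunting for: a persistence key, a DLL name, a URL scheme.
MARKERS = (b"CurrentVersion\\Run", b".dll", b"http://")


def demo():
    """Return (cleartext strings, xor findings) for the constructed sample."""
    blob = build_sample()
    return printable_strings(blob), xor_scan(blob, MARKERS)


if __name__ == "__main__":
    plain, found = demo()
    print("plain strings:", plain)
    for key, runs in found.items():
        for offset, text in runs:
            print(f"key 0x{key:02x} @ {offset:#06x}: {text}")
```

Running it shows that the cleartext pass only yields the DOS stub message and a few runs of punctuation junk, while the scan recovers the registry Run key, the DLL name and the URL under key 0x5A. Real samples use stronger per-string schemes (rolling keys, RC4, per-module keys), for which the same idea is applied by emulating the decryption routine rather than brute-forcing it; tools such as FLOSS and xorsearch automate both cases.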
Kaspersky says it knows of roughly 100 Slingshot targets located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Most of these targets are individuals, but a few are government organizations and institutions.
While Kaspersky doesn’t explicitly attribute the campaign to a particular actor, it does note that clues in the code point to an English-speaking adversary. “Researchers have also observed some technique similarities between Slingshot and the threat actor known as Grey Lambert,” said Shulmin. “However, accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error.”
The Lambert threat actor family, also known as Longhorn, has historically been linked by experts to the CIA.
Kaspersky also reports on its FAQ page that Slingshot’s complexity is similar to that of the malware programs ProjectSauron and Regin, which have commonly been linked to the NSA. Although the newly discovered GollumApp payload, like ProjectSauron, takes its name from a Lord of the Rings character, Shulmin says Kaspersky is not actually claiming that ProjectSauron’s authors are behind Slingshot.