Kaspersky Labs unearths yet another state-linked malware

Cyber security specialist Kaspersky Labs has claimed to have discovered what it describes as a highly sophisticated cyberespionage campaign called Slingshot, which could have been active for six years.

Clues in the malware's text suggest the code was developed by English-speaking programmers, with the most likely source being a government intelligence agency. The team at Kaspersky believes activity started in 2012 at the latest and was still ongoing at the time of analysis in February, six years later. The entry point has been traced to MikroTik routers and their WinBox management software, though it should be noted that these are simply the only cases identified so far; other equipment could be vulnerable as well.

“The malicious samples investigated by the researchers were marked as ‘version 6.x’, which suggests the threat has existed for a considerable length of time,” the team said in a blog post.

“The development time, skill and cost involved in creating Slingshot’s complex toolset is likely to have been extremely high. Taken together, these clues suggest that the group behind Slingshot is likely to be highly organized and professional and probably state-sponsored.”

Perhaps one of the most interesting aspects of this malware is its ability to go undetected. Slingshot uses its own encrypted file system in an unused part of the hard drive, and it can even shut down its components when it detects signs of forensic analysis. The actors have several such tricks for avoiding detection, which makes the malware particularly dangerous and hard to spot.

The attack itself starts with compromised MikroTik routers and the DLL files downloaded from them in the normal course of business. The actors found a way to add a malicious DLL to an otherwise legitimate package of DLLs; that DLL acted as a downloader for further malicious files stored on the router. MikroTik has been informed and has fixed the issue, but Kaspersky believes this is not the only brand used during the campaign.

“Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation,” said Kaspersky. “Its infection vector is remarkable – and, to the best of our knowledge, unique. We believe that most of the victims we observed appeared to have been initially infected through a Windows exploit or compromised Mikrotik routers.”

Two areas which Kaspersky believes to be particularly advanced are a kernel mode module called Cahnadr and a user mode module called GollumApp. Cahnadr runs in kernel mode, giving attackers limitless control over the infected computer. It can also execute code without causing a blue screen (crashing the system) on the infected machine, which is highly unusual for malware. The second module, GollumApp, is even more sophisticated, containing nearly 1,500 user-code functions. Slingshot can collect screenshots, keyboard data, network data, passwords, other desktop activity, the clipboard, and a lot more.

The main purpose of this malware does seem to be counter-espionage, and Kaspersky notes patterns consistent with other such examples, but because it operates in the kernel there is no limit to the information it can collect. Credit card numbers, password hashes and identification codes (such as social security numbers) are just a few examples; essentially any dataset is within reach.

To date, Kaspersky has noted around 100 victims of Slingshot, located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Interestingly, the vast majority of these are individuals rather than organizations or governments (though there are a few examples of the latter two).

Considering how advanced this malware is and that it went undetected for six years, you have to wonder what else is hidden in the shadowy corners of the web. Hacking techniques and nefarious individuals have certainly advanced over this period, which is slightly concerning.

[Image: Kaspersky map]

Kaspersky Labs blames the Italians for Android spying app

The research team at Kaspersky Labs has unveiled Skygofree, an app it describes as one of the most powerful spyware tools it has encountered to date.

The latest version of the app has 48 different commands, some of which Kaspersky Labs said it has never seen in the wild before. Although it has not named and shamed, Kaspersky Labs believes the app was developed by an Italian IT company that markets various surveillance wares. Skygofree is capable of taking control of a device's camera, while also seizing data from calls, texts, WhatsApp, location and calendars, as well as information stored in the device memory.

“The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform,” the team has said on its blog. “As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations.”

Perhaps the feature that will grab the most attention is the ability to gain access to users' WhatsApp accounts. It is worth noting that the spyware is not able to crack the end-to-end encryption developed by Open Whisper Systems; it gets at the messages through a far simpler means. In short, the spyware waits for the WhatsApp messenger app to be opened and then uses the Android Accessibility Service to read information directly from the elements displayed on the screen, parsing all of the nodes to find text messages.
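The technique just described depends on an accessibility service being enabled on the device, which gives a defender something concrete to check. The script below is an added example, not code from the article or from Kaspersky: it audits the component names listed in Android's `enabled_accessibility_services` secure setting (as read with `adb shell settings get secure enabled_accessibility_services`) against an allowlist of services the device owner expects, and reports any entry that is not on the list. The allowlist entry and the sample setting value are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article or Kaspersky): flag unexpected Android
# accessibility services, since the WhatsApp screen-scraping described above
# can only work while such a service is enabled.

# Services the device owner expects to see (constructed placeholder entry).
ALLOWLIST="com.android.talkback/.TalkBackService"

# audit_accessibility_services RAW
#   RAW is the raw value of the Secure setting `enabled_accessibility_services`:
#   a colon-separated list of service component names. Prints every entry not
#   on the allowlist and returns 0 if all entries are allowed, 1 otherwise.
audit_accessibility_services() {
    raw="$1"
    rc=0
    # A device with no services enabled reports "null" or an empty string.
    [ "$raw" = "null" ] && return 0
    [ -z "$raw" ] && return 0
    old_ifs="$IFS"
    IFS=:
    for svc in $raw; do
        allowed=0
        for ok in $ALLOWLIST; do
            [ "$svc" = "$ok" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "UNEXPECTED accessibility service: $svc"
            rc=1
        fi
    done
    IFS="$old_ifs"
    return $rc
}

# Constructed sample value in the format `settings get secure ...` returns:
# one expected service followed by one that is not on the allowlist.
SAMPLE="com.android.talkback/.TalkBackService:com.example.update/.A11yService"

if [ "${1:-}" = "--device" ]; then
    # Live check against a connected device; requires adb on PATH.
    audit_accessibility_services \
        "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" \
        || echo "audit: unexpected accessibility service(s) found"
else
    # Offline demonstration on the constructed sample.
    audit_accessibility_services "$SAMPLE" \
        || echo "audit: unexpected accessibility service(s) found"
fi
```

Run it with `--device` to query a connected handset; without arguments it runs against the embedded sample and reports the `com.example.update/.A11yService` entry. An unexpected service is only an indicator, not proof of compromise, so the next step for a defender is to identify which installed package owns the component and whether the user knowingly enabled it.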

While this is certainly not ideal, it does indirectly pay tribute to the effectiveness of WhatsApp’s security features. The developers were not able to crack the encryption, so had to find a way around it. Of course, there is still the threat to user privacy, but it does indicate that WhatsApp is one of the most secure ways to communicate with friends and family.

Social media is seemingly a theme for the developers, as the payload file shown below is designed to steal data from the user's Facebook account:

[Image: Facebook hack]

Other features of the spyware include accessing information in text messages, calls and calendars, while also reporting the location of the device. Another which will have people worried is the ability to control a device's camera: this command records an image or video using the front-facing camera the next time the device is unlocked. Such ideas are usually relegated to the message boards of conspiracy websites, though Kaspersky Labs has shown here that it is very much a real threat.

What is worth noting is that there are not a huge number of known cases of infected devices to date. These cases are limited to Italy for the moment, though that is not to say there are not more out there. One very real worry is the maintenance of the spyware: this is not a tool which was created and set loose into the wild, it is being actively maintained and improved.

The earliest version of the app has been traced back to 2014 and the campaign has remained active ever since. The code and features have changed several times over this period, with the latest update coming on September 14, 2017. To infect devices, the developers have created several webpages which mimic Italian MNOs, prompting users to download a security update. The webpages look legitimate, too.

“Unfortunately, for now we can’t say in what environment these landing pages were used in the wild, but according to all the information at our disposal, we can assume that they are perfect for exploitation using malicious redirects or man-in-the-middle attacks,” the team said. “For example, this could be when the victim’s device connects to a Wi-Fi access point that is infected or controlled by the attackers.”

What is certainly a concern for all involved is the trend of governments pushing to weaken security for users. There are several examples around the world where governments are insisting on the creation of backdoors in security software or the degradation of encryption techniques, to give intelligence agencies greater freedom when snooping.

Of course, should a company aid the government by weakening its security, it will also be indirectly assisting the nefarious characters of the world; they will take advantage of every opportunity out there. Considering there are tools like Skygofree in the wild, perhaps governments should stop trying to help the hackers out.