Kaspersky Lab has discovered ‘Slingshot’ malware which attacks and infects victims through compromised routers and can run in kernel mode, giving it complete control over victim devices.
Kaspersky Lab researchers have uncovered a sophisticated threat used for cyber-espionage in the Middle East and Africa from at least 2012 until February 2018. The malware, which researchers have called ‘Slingshot’, attacks and infects victims through compromised routers and can run in kernel mode, giving it complete control over victim devices. According to researchers, many of the techniques used by this threat actor are unique and it is extremely effective at stealthy information gathering, hiding its traffic in marked data packets that it can intercept without trace from everyday communications.
The Slingshot operation was discovered after researchers found a suspicious keylogger program and created a behavioural detection signature to see if that code appeared anywhere else. This triggered a detection that turned out to be an infected computer with a suspicious file inside the system folder named scesrv.dll. The researchers decided to investigate this further. Analysis of the file showed that despite appearing legitimate, the scesrv.dll module had malicious code embedded into it. Since this library is loaded by ‘services.exe’, a process that has system privileges, the poisoned library gained the same rights. The researchers realised that a highly advanced intruder had found its way into the very core of the computer.
The most remarkable thing about Slingshot is probably its unusual attack vector. As researchers uncovered more victims, they found that many seemed to have been initially infected through hacked routers. During these attacks, the group behind Slingshot appears to compromise the routers and place a malicious dynamic link library on them that is in fact a downloader for other malicious components. When an administrator logs in to configure the router, the router’s management software downloads and runs the malicious module on the administrator’s computer. The method used to hack the routers in the first place remains unknown.
Following infection, Slingshot loads a number of modules onto the victim device, including two huge and powerful ones: Cahnadr, and GollumApp. The two modules are connected and able to support each other in information gathering, persistence and data exfiltration.
Slingshot’s main purpose seems to be cyberespionage. Analysis suggests it collects screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard data and more, although its kernel access means it can steal whatever it wants.
The advanced persistent threat also incorporates a number of techniques to help it evade detection, including encrypting all strings in its modules, calling system services directly in order to bypass security-product hooks, using a number of anti-debugging techniques, and selecting which process to inject into depending on which security solution processes are installed and running.
Slingshot works as a passive backdoor: it does not have a hardcoded command and control (C&C) address but obtains it from the operator by intercepting all network packets in kernel mode and checking whether the header contains two hardcoded magic constants. If both are present, that packet carries the C&C address. Slingshot then establishes an encrypted communication channel to the C&C and starts to transmit data for exfiltration over it.
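The marker check described above, as an added example that is not part of the original article or of Kaspersky’s analysis. The two magic constants, the 14-byte header layout (two 32-bit constants, an IPv4 address, a port) and the sample packets are all assumptions constructed for illustration, because the article does not publish Slingshot’s real values; the shape of the logic is what matters: an operator’s packet is only treated as a C&C trigger when both constants match, which is why one constant alone in ordinary traffic produces no hit.

```python
import struct
import ipaddress

# Hypothetical marker values and layout (assumptions for this example only;
# Slingshot's real constants and header format are not given in the article).
MAGIC_1 = 0xC0FFEE11
MAGIC_2 = 0xDEADBEEF
# Network byte order: magic1 (u32), magic2 (u32), IPv4 address (4 bytes), port (u16)
TRIGGER = struct.Struct("!II4sH")


def build_trigger(c2_ip: str, c2_port: int, payload: bytes = b"") -> bytes:
    """Operator side: embed the C&C address behind the two magic constants."""
    packed_ip = ipaddress.IPv4Address(c2_ip).packed
    return TRIGGER.pack(MAGIC_1, MAGIC_2, packed_ip, c2_port) + payload


def extract_c2(packet: bytes):
    """Implant side: return (ip, port) only if BOTH constants are present,
    otherwise None so the packet is left alone as ordinary traffic."""
    if len(packet) < TRIGGER.size:
        return None
    m1, m2, raw_ip, port = TRIGGER.unpack_from(packet)
    if m1 != MAGIC_1 or m2 != MAGIC_2:
        return None
    return str(ipaddress.IPv4Address(raw_ip)), port


def scan_capture(packets):
    """Defender side: apply the same check over a capture and report every
    packet that would have armed the backdoor, with its index."""
    hits = []
    for index, pkt in enumerate(packets):
        c2 = extract_c2(pkt)
        if c2 is not None:
            hits.append((index, c2))
    return hits


# Constructed sample capture: an HTTP request, a packet carrying only the
# first constant, a real trigger packet, and a run of arbitrary bytes.
SAMPLE_CAPTURE = [
    b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
    struct.pack("!II", MAGIC_1, 0x01020304) + b"\x00" * 8,
    build_trigger("198.51.100.23", 443, b"opaque-session-setup"),
    bytes(range(64)),
]

if __name__ == "__main__":
    for index, (ip, port) in scan_capture(SAMPLE_CAPTURE):
        print(f"packet {index}: trigger -> C&C {ip}:{port}")
```

The same two-constant test is what a network sensor can turn into a signature once the real values are known from a sample: flagging packets that carry the full marker, rather than each constant on its own, keeps false positives low on everyday traffic. A kernel-mode filter such as the one the article describes would inspect a fixed header field in the same way; this script simply runs that comparison over an offline capture.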
The malicious samples investigated by the researchers were marked as ‘version 6.x’, which suggests the threat has existed for a considerable length of time. The development time, skill and cost involved in creating Slingshot’s complex toolset is likely to have been extremely high. Taken together, these clues suggest that the group behind Slingshot is likely to be highly organised and professional and probably state-sponsored. Text clues in the code suggest it is English-speaking. However, accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error.
So far, researchers have seen around 100 victims of Slingshot and its related modules, located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Most of the victims appear to be targeted individuals rather than organisations, but there are some government organisations and institutions. Kenya and Yemen account for most of the victims observed so far.
“Slingshot is a sophisticated threat, employing a wide range of tools and techniques, including kernel mode modules that have to date only been seen in the most advanced predators. The functionality is very precious and profitable for the attackers, which could explain why it has been around for at least six years,” said Alexey Shulmin, Lead Malware Analyst, Kaspersky Lab.
All Kaspersky Lab products successfully detect and block this threat.
To avoid falling victim to such an attack, Kaspersky Lab researchers recommend implementing the following measures:
- Users of Mikrotik routers should upgrade to the latest software version as soon as possible to ensure protection against known vulnerabilities. Further, Mikrotik Winbox no longer downloads anything from the router to the user’s computer.
- Use a proven corporate grade security solution in combination with anti-targeted attack technologies and threat intelligence, like Kaspersky Threat Management and Defense solution. These are capable of spotting and catching advanced targeted attacks by analysing network anomalies and give cybersecurity teams full visibility over the network and response automation;
- Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack research and prevention, such as indicators of compromise (IOC), YARA and customised advanced threat reporting;
- If you spot early indicators of a targeted attack, consider managed protection services that will allow you to proactively detect advanced threats, reduce dwell time and arrange timely incident response.
SA consumers buy 3.2m smartphones in Q1
Smartphone sales in South Africa grew by 12.4% year-on-year in the first quarter of 2018, reaching around 3.2 million units for the period.
However, the value of the smartphone segment increased by 22.8% as sales of entry-level devices to low- and mid-income consumers continued to drive the market, according to point of sale data from market research firm, GfK South Africa.
GfK South Africa’s data reveals that telecommunications retail enjoyed a strong start to the year, with revenue growing 22.4% year-on-year. The growing popularity of phablets and higher unit prices (as a result of a weaker rand) helped to drive this increase in revenue, against a backdrop of low or negative growth in many segments of the consumer technology market.
“The mobile device market showed good growth in the quarter, despite rising prices during the period under review,” says Norman Muzhona, Solutions Specialist for Telecommunications at GfK South Africa. “In addition to the exchange rate, the introduction of popular, new mid-tier devices by several leading vendors helped to drive higher retail revenues in the telecoms market.”
Information technology retail revenues for the quarter contracted 4.8% compared to 2017, largely because of decreasing monitor prices and a 38.9% decline in tablet revenues. However, desktop computer revenues grew 39% and mobile computing revenues grew 6.5% year-on-year, thanks to higher prices and increased sales of higher-end products.
Says Berno Mare, Solutions Specialist for IT, Office Equipment and Value Added Services: “Retailers introduced new computing devices priced in the R3000 band during the quarter and enjoyed surprisingly strong demand for these entry-level units.
“Telcos enjoyed robust growth in mobile computing retail sales, thanks to credit deals, subsidised contracts and attractive data offers. However, South African consumers are heavily indebted, which may dampen growth for the rest of the year.”
With consumers rapidly migrating to smartphones, sales of traditional mobile phones continued to decline, down 1.6% year-on-year to around 2 million for the quarter. However, the exchange rate and the introduction of higher-priced brands helped to drive an 8.9% year-on-year increase in mobile phone revenues during the period under review.
This follows the 21% drop in mobile phone unit sales in the first quarter of 2016 compared to the same period in 2015. “Operators continue to lead the transition from feature phones to smartphones as they pursue higher data revenues,” says Muzhona. “The entry-level market for smartphones is fiercely competitive, and the minimum specs of lower cost smartphones are improving all the time.”
GfK South Africa expects the migration from mobile phones to smartphones to accelerate in 2018. However, it remains to be seen if the introduction of 4G-enabled, Voice-over-LTE-ready feature phones will have any impact on the South African mobile phone market.
Sectors of the consumer electronics market that showed strong growth for the first quarter of 2018 include loudspeakers, with revenues up 21.6% year-on-year thanks to demand for Bluetooth-enabled products, and ultra-high definition (UHD) panel TVs, where revenues grew 33% thanks to the growing affordability of the technology. UHD unit shipments were up 76%, while the average selling price of the products fell 24%.
Other market highlights for the first quarter of 2018 include:
- Photo category revenues were up 8.1% year-on-year.
- Small domestic appliance revenues grew 8%, following a 10.3% decline in Q1 2016 over Q1 2015. Hot air fryers sold well, as did kettles and toasters.
- Major domestic appliances showed small year-on-year growth over Q1 2016, despite a decline in average selling price in many sub-categories of this market. Cooling products continued to make the highest contribution to growth in this segment.
- Office Equipment revenues declined 18% year-on-year, led downwards by lower printer and cartridge sales volumes.
What kids want online
Kaspersky Lab’s latest report on the online activities of children – based on statistics received from its solutions and modules with child protection features – highlights children’s online activities and the importance of protecting them when online. For example, video content globally comprised 17% of searches over the last six months. Although many videos watched as a result of these searches may be harmless, it is still possible for children to accidentally end up watching videos that contain inappropriate content.
The report shows anonymised statistics from Kaspersky Lab’s flagship consumer solutions for Windows PCs and Macs that have the Parental Control module switched on and from Kaspersky Safe Kids, a standalone service for Windows, Mac, iOS and Android devices.
In South Africa, communication sites (such as social media, messengers, or emails) were the most popular pages visited by computers with parental controls switched on – with users in South Africa visiting these sites in 69% of cases over the previous 12 months. Software, audio, and video accounted for 17% of searches. Websites with this content have become significantly more popular since last year, when it was only the fifth most popular category globally at 6%. The top four is rounded off with electronic commerce (4.2%) and alcohol, tobacco, and websites about narcotics (3.9%), which is a new addition compared to this time last year.
The report presents search results in the ten most popular languages* for the last 6 months. The data shows that the video & audio category – including requests related to any video content, streaming services, video bloggers, series and movies – is the most regularly ‘googled’ by children (17% of the total requests). The second and third places go to translation (14%) and communication (10%) websites respectively. Interestingly, games websites sit in fourth place, generating only 9% of the total search requests.
We can also see a clear language difference for search requests: for example, video and music websites are typically searched for in English, which can be explained by the fact that the majority of movies, TV series and musical groups have English names. Spanish-speaking kids carry out more requests for translation sites, while communication services are mostly searched for in Russian.
More than any other nationality, Chinese-speaking children look for education services, while French-speaking kids are more interested in sport and games websites. In turn, German-speaking requests dominate in the “shopping” category. The leading number of search requests for porn are in Arabic, and for anime are in Japanese.
“Kids in different countries have different interests and online behaviors, but what links them all is their need to be protected online from potentially harmful content. Children looking for animated content could accidentally open a porn video. Or they could start searching for innocent videos and unintentionally end up on websites containing violent content, both of which could have a long-term impact on their impressionable and vulnerable minds,” says Anna Larkina, Web-content Analysis Expert at Kaspersky Lab.
As well as analysing searches, the report also looks into which websites children visit or attempt to visit that contain potentially harmful content which falls under one of the 14 preset categories** for the last 12 months.
The mobile trend is again highlighted in the figures for computer games, which are now in fifth place locally on the list at 3%. As kids continue to show a preference for mobile games rather than computer games, this category will only continue to decrease in popularity on computers over the coming months and years.
“No matter what they are doing online, it is important for parents not to leave their children’s digital activities unattended, because there’s a big difference between care and obtrusiveness. While it is important to trust your children and educate them about how to behave safely online, even your good advice cannot protect them from something unexpectedly showing up on the screen. That’s why advanced security solutions are key to ensuring children have positive online experiences, rather than harmful ones,” adds Anna Larkina.
The Kaspersky Total Security and Kaspersky Internet Security consumer solutions include a Parental Control module to help adults protect their children against online threats and block sites or apps containing inappropriate content. In turn, the Kaspersky Safe Kids solution allows parents to monitor what their children do, see or search for online across all devices, including mobile devices, and offers useful advice on how to help children behave safely online.