

Kaspersky Lab has revealed today the existence of a new cyber-espionage group that has leveraged MikroTik routers to infect victims in an attack that researchers described as "unique." Experts codenamed this group Slingshot, and evidence suggests they started operations in 2012 and were still active in February 2018.

Slingshot relied on Windows exploits, hacked MikroTik routers

Kaspersky experts said that because the group was active for more than half a decade, used extremely complex malware, and carried out very targeted operations, Slingshot appears to be a state-sponsored group and not your regular cyber-criminal operation focused on personal profits. What impressed Kaspersky the most was the level of complexity of the entire hacking operation. The malware was very sophisticated, expensive in time and money to develop, didn't trigger errors, and the method of delivery was innovative.

While in some cases Slingshot relied on classic Windows exploits to infect targets, the attacks that stood out the most were the ones where crooks delivered their payloads by hacking into MikroTik routers. The Slingshot group used these routers as staging points to deliver other payloads to their desired targets. The way they did this was via Winbox Loader, an application developed by MikroTik to help Windows users configure their routers. This app works by downloading some DLLs from the router itself, but the Slingshot group replaced these files with malicious ones that infected the user when he tried to configure or reconfigure his router via the Winbox Loader app.

Slingshot APT deployed the GollumApp and Cahnadr strains

Researchers say that Slingshot usually infected users with two families of malware, namely GollumApp and Cahnadr (detected by other security vendors as NDriver). Both strains work together for information gathering, persistence, and data exfiltration.

GollumApp is the larger malware, with nearly 1,500 code functions for various operations. Cahnadr is more advanced, as it's meant to operate as a kernel-mode program. Kaspersky experts say that Cahnadr shows the group's skill level, as the malware can infect even the latest Windows OS versions and works without crashing systems with a BSOD, as most kernel-level malware tends to do at one point or another.

On recent Windows versions, Cahnadr gains kernel-level access by using one very clever trick. To avoid Microsoft's Driver Signature Enforcement requirement that prevents the installation of unsigned drivers, the Slingshot group installs older versions of legitimate drivers. It then uses known vulnerabilities in these older driver versions to elevate Cahnadr's access so it can access kernel operations.
