Slingshot malware uses cunning plan to find a route to sysadmins https://www.theregister.co.uk/2018/...es_cunning_plan_to_find_a_route_to_sysadmins/
The link to the Kaspersky article was already in the quote by itman, but I give it nevertheless: https://securelist.com/apt-slingshot/84312/
I wonder if HIPS could have interfered with this quite advanced attack. I suppose it wouldn't be enough to simply monitor the Winbox Loader for suspicious activities.
The malware hacked the router. It then proceeded to do: Assumed is that the Winbox Loader that is used for Mikrotik router configuration had previously been allowed access by the HIPS. What is out of the ordinary is the use of a router's admin utility that runs from a local PC.
Just how would it do that if the .dll is loaded directly into Winbox Loader process memory? I am not talking malware based .dll injection in this case. The Winbox Loader process was designed to do that.
The quoted article said the dll was replaced with one of the same size. Doesn't that imply it was at least dropped to disk?
For starters, this is a weird example. Appears the Mikrotik router has a RAM disk that allows the vendor to update the .dlls as required. The router admin software which is running on a local device has access to that RAM disk. When the router admin software starts up, it will load those .dlls into its memory space just as if they were stored in the directory where the router admin software is located. It is also possible that the router admin software first copies the .dlls from the RAM disk to the router's admin utility directory and then individually loads each into memory also. If this were the case, how would MZwritescanner know that the .dll in question was malicious? The malicious .dll is named the same as a previous legit one? Hash comparison would be N/A since it is assumed that these .dlls are updated with some frequency. Furthermore, it is assumed that the only access to the .dlls stored on the router's RAM disk is via the router's admin utility. So there is no way to validate their hashes prior to any copy activities from the RAM disk and subsequent loading into memory.
If MZ could access that ramdisk, the change in hash would cause it to alert to a new dll, but since I don't have a Mikrotik router...
Doubtful the router would allow that. But let's say it could. How would it differentiate a valid update from a hacked .dll? Assumed the .dlls are not signed. Also assumed is new .dlls are added with new names as part of normal maintenance to the router's admin software.
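The hash-versus-size question in the last few posts, as an added example (my own code, not from any of the posters or from Kaspersky): a baseline-and-diff check over a loader directory. File names and contents are constructed. It shows that a same-size swap is still caught by the hash, and also the limitation raised above: a legitimate update and a replaced module both come back as "changed", so the checker cannot tell them apart without some out-of-band validation such as a signature.

```python
"""Baseline-and-diff check for DLLs in a loader directory (added example)."""
import hashlib
import os
import tempfile


def snapshot(directory):
    """Record (size, sha256) for every .dll found directly in `directory`."""
    snap = {}
    for name in os.listdir(directory):
        if not name.lower().endswith(".dll"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            data = fh.read()
        snap[name] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def diff_snapshots(baseline, current):
    """Classify each module: new, removed, same_size_changed, changed, unchanged."""
    findings = {}
    for name in set(baseline) | set(current):
        if name not in baseline:
            findings[name] = "new"
        elif name not in current:
            findings[name] = "removed"
        else:
            (bsize, bhash), (csize, chash) = baseline[name], current[name]
            if bhash == chash:
                findings[name] = "unchanged"
            elif bsize == csize:
                # A size-only check would miss this; the hash does not.
                findings[name] = "same_size_changed"
            else:
                findings[name] = "changed"
    return findings


def demo():
    """Constructed sample: same-size swap, a grown update, an untouched file, a new one."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        write("module_a.dll", b"MZ" + b"A" * 100)
        write("module_b.dll", b"MZ" + b"B" * 200)
        write("module_c.dll", b"MZ" + b"C" * 50)
        base = snapshot(d)
        write("module_a.dll", b"MZ" + b"A" * 99 + b"X")  # same size, one byte differs
        write("module_b.dll", b"MZ" + b"B" * 250)        # looks like a normal update
        write("module_d.dll", b"MZ" + b"D" * 10)         # newly added module
        return diff_snapshots(base, snapshot(d))
```

Every entry other than "unchanged" needs a second source of truth (vendor manifest or signature) before it can be called a legitimate update rather than a replacement.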
It always seems to be Kaspersky, "the bad guys" that finds this stuff. Hardware manufacturers need to start signing their files so they can be checked against a hardware based signing key. There is no point just hashing them, what hash is the router going to compare update files with to validate them?
One other important point to note from the Kaspersky article: This incident does show the lengths an APT will go to in a targeted attack. Also these routers are not what you might think: https://mikrotik.com/product/CCR1036-12G-4S-EM
Kaspersky's 'Slingshot' report burned an ISIS-focused intelligence operation https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/
I've done a bit more reading. If WinBox was blocked from having outbound access, the attack would have failed. Let's say that isn't an option, then you could still block GollumApp and Canhadr (downloaded via WinBox) from running with, for example, white-listing. If you allow them to execute it would be game over since HIPS cannot monitor the kernel. This really should be changed in the Windows OS, but with a hypervisor-based HIPS you could also do it. Problem is, they don't exist.
Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks April 12, 2018 https://www.bleepingcomputer.com/ne...easingly-leveraging-routers-in-their-attacks/