the slingshot apt - amazon simple storage service€¦ · downloaded by winbox loader, a management...

The Slingshot APT Version:1.0(06.March.2018)

ExecutiveSummary Whileanalysinganincidentthatinvolvedasuspectedkeylogger,weidentifiedamaliciouslibraryabletointeractwithavirtualfilesystem,whichisusuallythesignofanadvancedAPTactor.Thisturnedouttobeamaliciousloaderinternallynamed‘Slingshot’,partofanew,andhighlysophisticatedattackplatformthatrivalsProjectSauronandReginincomplexity.

Theinitialloaderreplacesthevictim´slegitimateWindowslibrary‘scesrv.dll’withamaliciousoneofexactlythesamesize.Notonlythat,itinteractswithseveralothermodulesincludingaring-0loader,kernel-modenetworksniffer,ownbase-independentpacker,andvirtualfilesystem,amongothers.

WhileformostvictimstheinfectionvectorforSlingshotremainsunknown,wewereabletofindseveralcaseswheretheattackersgotaccesstoMikrotikroutersandplacedacomponentdownloadedbyWinboxLoader,amanagementsuiteforMikrotikrouters.Inturn,thisinfectedtheadministratoroftherouter.

Webelievethisclusterofactivitystartedinatleast2012andwasstillactiveatthetimeofthisanalysis(February2018).Weobservedalmostonehundredvictimsinthefollowingcountries:Kenya,Yemen,Libya,Afghanistan,Iraq,Tanzania,Jordan,Mauritius,Somalia,DemocraticRepublicoftheCongo,Turkey,SudanandUnitedArabEmirates.

Thispaperinanutshell: • Slingshotisanew,previouslyunknowncyber-espionageplatformwhichrivalsProjectSauron

andReginincomplexity • Slingshothasbeenactivesinceatleast2012untilFebruary2018 • WeobservedalmostonehundredSlingshotvictims,mainlyintheMiddleEastandAfrica • TheattackersexploitedanunknownvulnerabilityinMikrotikroutersasaninfectionvector

TechnicalDetails Duringtheanalysisofanomaliesfromasystemsuspectedofbeinginfectedwithakeylogger,wefoundaninterestingartifact.ThissystemhadaDLLcalled‘scesrv.dll’(thissamenameisusedbyasystemDLL)containingstringsthatseemedrelatedtoVirtualFileSystemhandling.

Thiswasindeedapatchedsystemlibrary,loadedbyservices.exewithSYSTEMprivileges.WecalleditSlingshot,basedoninternalstrings.

Slingshotisaloaderthatusesdifferentcomponentsassummarizedintheschemabelow.Thefollowingsectionsprovideatechnicalanalysisforallofthem.

Slingshot Slingshotisaloaderusedasafirststager.ItreplacesanexistingsystemDLLwithamaliciousoneofexactlythesamesize.Wenoticedthattheattackersreplacescesrv.dllmoreoftenthanotherDLLs,butinsomecasesattackersalsoreplacedspoolsv.exe.

ThesystemDLLpatchingisoneofthemosttechnicallyinterestingfeaturesofthisloader,anditworksasfollows:

• Insertsallnecessarymodulesintothevictim’ssystemDLLfile,compressingpartoftheoriginalfileinthemalware´sdatasectiontoretainthesamesize.

• Changestheentrypoint,pointingtooneoftheaddedloaders.LoadersarewrittenintheinfectedDLLasbase-independentcode.

• CalculatesthenewchecksumoftheDLL. • Whenstarted,afterexecutingallmaliciousactions,themalwarerestorestheoriginalcodeof

thesystemDLLinmemory.

Eachaddedmaliciousmodulehasthefollowingstructure:

{uintmodule_id,uintmodule_size,chardata[module_size]}.

Actually,themalwareitselfondiskisanarrayofmodules.

Fig. 1 GreenistheID,yellowsizeinbytes,redtheencrypted‘Slingshot’word.

Forinstance,thedescribedloader(6637DBCC6059A1E2E45956D98A3EA590)hasthevaluemodule_id=0xFF000001andcontainstheencryptedword‘Slingshot’.Initsentrypointitdirectlyjumpstothemaliciouscodewith‘jmp758E618C’.

Themaliciousmoduleislocatedrightaftertheheader.Actually,thiswouldbetheunpackerfortheembeddedMZPEmodule.TheoriginalentrypointaddressandthechecksumoftheDLLarestoredinthemodulewithmodule_id=0xFF000003.Theoriginalcodeisstoredinthemodulewithmodule_id=0xEF000007.

Thismoduleusesthefollowingparameters:

Ss-a24964-s163007-o8-l313856-r24964-z228584

where:

• L–Sizeoftheinfectedlibrary • R–RVAofpatcheddatainlibrary(wherethemalwarecodestarts) • A–RVAofmodulesarray,24964=0x6184=>ImageBaselibrary.758E0000 • S–sizeofmodulesarray,163007=0x27CBF=>intheinfectedlibrarymodulesareembedded

from.758E6184to.7590DE43address • O–offsetfromthebeginningofthecompressedMZPEfiletillthemoduleslist.Usesforfinding

themodulesarray(address.758E6184inapictureabove) • Z–Maximumdatasizethatwillberestoredintheoriginallibrary

Toensurecorrectexecutionandavoidsystemcrashes,SlingshotrestorestheoriginallibrarydatastoredinImageBase+RtoImageBase+R+Zinmemory.

Incasethemaliciousmodulescan´tbeembeddedintothetargetsystemlibrary,Slingshotusesanadditionalfileondisk.Thepathforthisfileisstoredinthemodulewithmodule_id0xFF000006.Itcouldbeahardcodedpathintherecyclerbin(firstdwordis0x12000006O);or,ifthefirstdwordis0x12000007,malwaretriestoreadthisfiledirectlyfromthePhysicalDriveobjectbycalling:

CreateFile(\\\\.\\PhysicalDrive+drive_number),SetFilePointer,ReadFile.

Module_id0xFF000007storestheencryptionkeyinmodule_id0xCF000009:thismoduleiscalledCahnadrandthisisthemainkernelmodeloaderimplementingalmostallthepayloads.

Afterloadingadditionalmodules,SlingshotpassestheexecutiontoCahnadr.

Ring0loader Thisloaderiscompressedinmodule_id0xBF000001.Actually,theremightbemorethanone,soincasethefirstloaderfails,theremaybeasecondloaderinthebinarywithmodule_id0xBF000002.Atthisstage,Slingshotusesitsinternalloggingsystemactively:

Slingshotchecksifthereisanykernel-modepayloadandanyloaderavailable,andthentheloadersarerunoneaftertheother.

Uponstarting,thisloadergetsSeLoadDriverPrivilegeforinstallingmaliciousdriversintothesystemthatitwilllaterabuseforobtainingkernelprivileges.

Inordertoavoidleavinganytracesofthisactivityinsystemlogs,itrenamestheETW-logs,andfortheSecurityandSystemlogsaddsthe.tmpextension.Afterexecution,theloaderremovestheextensions.

ThefinalgoalofthismoduleistoloadtheCahnadrmodule(kernelmodemainpayload,describedbelow)intokernelmode.Aspreviouslystated,Slingshothasdifferentwaystoloadcodeintokernelmode,eachusingitsownloader.

Thesimplestloaderisusedfor32-bitsystemswhereDriverSignatureEnforcement(DSE),whichrequiressigneddrivers,doesnotapply.Thisloadersimplysavesthedriverondiskandloadsit.

Whenthedriverisloaded,theloadersharesthemaliciouspayloadwithitbycallingDeviceIoControlwithcontrolcode0x222000.

Thisdriverreceivescommandsfromtheuser-modeloaderviaDeviceIoControl.TheonlyavailablecommandinthiscaseallowsrunningthiscodeasaWorkItemintotheSystemWorkerThreadspool,whichisapoolusedbylegitimatesoftwareforrunningquicktasks.

IncaseswheretheoperatingsystemsupportsDSE,theloaderexploitsacoupleoflegitimatebutvulnerabledriversthatallowwritinginMSRregisters.SuccessfulexploitationofthedriverswouldallowtosetintheMSR_LSTARregisterahandlerthat,afterrunningSleep,callsCahnadr:

Inordertopreventpatchprotection,thehandlerrestorestheoriginalMSRregister.

Thisloaderleveragesthefollowingdrivers:

312E31851E0FC2072DBF9A128557D6EF Goad.sys–driverforx86systems 5F9785E7535F8F602CB294A54962C9E7 SpeedFan.sys-CVE-2007-5633 9a237fa07ce3ed06ea924a9bed4a6b99 Sandra.sys-CVE-2010-1592 978CD6D9666627842340EF774FD9E2AC ElbyCDIO.sys-CVE-2009-0824 Itisimportanttomentionthatthedigitalsignaturesinthesedriversarestillnotrevoked.

Allthedriversaboveareloadedintothekerneldirectlybycreatingtherequiredkeysintheregistryandcallingthentdll!NtLoadDriverfunction.TheservicekeynameintheregistrystartswiththePCX*prefix.

Cahnadr–mainkernel-modepayload

Thispayloadcanbeconsideredthemainorchestrator,runninginkernelmodeandprovidingthenecessarycapabilitiesforalltheother,user-modepayloads.Thiscomponentisresponsiblefordifferentfeatures,including:

1. Anti-debuggingactionsandcheckingifthekernelispatchedornot2. Callingsystemservicesdirectlytohidemaliciousactivities3. HooksKTHREAD.ServiceTableforthreads4. Rootkitactionsforhidingtraffic5. Injectinguser-modepayload(mainmaliciouspayload)intoservices.exe6. ProvidingmaliciousAPIforuser-modemodules7. Providingcommunicationsvianetwork8. NotifyingGollumApppayloadaboutprocess-relatedevents,providinginterfacesfor

manipulatingtheirmemory9. Monitoringallnetworkdevices10. Providingsnifferfunctionalityonthefollowingprotocols:ARP,TCP,UDP,DNS,ICMP,HTTP

Anti-debugtechniquesinclude:

• Ifkernelisalreadybeingdebugged,itcallsKdDisableDebugger()terminatingthedebuggingprocess

• IthooksLiveKddebuggerdriver'sroutinesIRP_MJ_CREATE,IRP_MJ_READ,FastIoDeviceControl

• InstallsnotifierstomonitorPsSetLoadImageNotifyRoutine.IftheLoadImageNotifyeventhappenswhenLiveKdD.sysisloaded,themodulepatchestheentrypointthatleadstoerrorSTATUS_FAILED_DRIVER_ENTRY

Inordertodetectifthekernelispatched,itchecksthekernelimageinmemorywiththefollowingkernelfilesondisk:

• \\SystemRoot\\system32\\kernel_name • \\SystemRoot\\LastGood\\system32\\kernel_name • \\SystemRoot\\$*\\system32\\kernel_name

Fornewerx32versionsitalsocheckswin32k.sysatthesamepaths.

ItisimportanttonotethatCahnadrchecksonlyCheckSumandTimeStampvaluesforthekernelimageinmemory.Ifoneofthemisdifferent,itmeansthatthekernelwaspatched,anditterminatesitsexecution.

Actually,itneedsanunpatchedkernelandwin32k.systogettheoriginfunctionfromKeServiceDescriptorTableandKeServiceDescriptorTableShadow,whichwillbeusedtodirectlyinteractwithsystemservicesandhookingtheKTHREAD.ServiceTableonx32systems.

Inordertohidecalls,itcanassociatesystemservicestosomeZw*,Rtl*,Nt*functions.InsteadoftakingtheaddressesforthesefunctionsfromSSDT,Cahnadrextractsthemfromthekernelimageondiskforunpatchedkernels.

Italsoimplementscodetofindafunctionaddressbyitsnamebycomparingexportedroutinesfromntdllandntoskrnladdresses:iftheaddressoftheexportedfunctionsisthesameasthesystemserviceaddress,itmeanstheaddresswascorrectlyfound.

Ntdll.dllexportedfunctionsaddressesarealsotakenfromtheimagestoredondisktoavoidhookssetbyotherprograms.

Forroutinesnotdirectlyoperatingwithsystemservices,Cahnadrhasahardcodedlist:

Notallfunctionsaremandatorytobefound,thereisaflagforeachofthem.Alllistedroutinesareusedforinjectingmaliciouscodeintouser-modeprocesses.

Fornewerx32versionsthislistwashighlyextended,addingdebug-relatedfunctionsandfunctionsforsuspendingandresumingthreadsandprocesses.

Forx32systems,CahnadrhooksKTHREAD.ServiceTable.ItcopiestheKeServiceDescriptorTableandKeServiceDescriptorTableShadow,thenfillsitwiththeoriginalhandlersrestoredfromdiskandchangestheaddressinKTHREAD.ServiceTabletopointertoanewstructure.Thisisusedtoinjectthreadsintousermode:onceacomponentisinjectedasaseparatethread,CahnadrpatchesitsKTHREAD.ServiceTablewiththeoriginalhandlersinordertohideitsmaliciousfunctionalityandavoidpossibleinstalledhooks.

CahnadralsoprovidesthefollowingAPIfunctionality:

• Directdiskaccess:read/writebyraw-offset,defragmentationban,etc.Theseroutinesareusedforworkingwiththevirtualfilesystem

• Read/writeintomemorybyrawaddress • Routinesforinjectingcodeintoaprocessasaseparatethread.Itispossibletosetthethread

stateandchoosethepreferredroutineforcreatingthethread(NtCreateThreadExorNtCreateThread).ForGollumAppitisobligatorytouseNtCreateThread

• Gettheaccesstokenbyprocess_id • GettheSERVICE_DESCRIPTOR_TABLEaddress • GettheDRIVER_OBJECTobjectpointerbydrivername • Getdetailedinformationaboutprocessesopenedincsrss.exe(starttime,timeinkernelmode,

timeinusermode,numberofcallsZwReadandZwWrite,amongofdatareceived/sentviaZwRead/ZwWrite)

• Gethandleforprocess_1inprocess_2.Inotherwords,opensprocess_1fromprocess_2.Thiswayprocess_2getsthehandleofprocess_1

• Closehandlethatbelongstoanyprocess • Providesnetworkfunctionality:addanewnetwork-relatedtask,deleteanoldone,turnon/offa

networktask,sendinformationaboutallactivenetworktaskstoGollumApp • HookstheServiceTableinKTHREADinthespecifiedthreadorprocess(onlyonx32),providing:

setting/deletingahookbyThreadID,setting/deletinghookforallthreadsbyPID,checkingifthread/processwashooked

• Setstimetosleepbeforeshutdown

CahnadrcallsPsSetCreateProcessNotifyRoutine,PsSetCreateThreadNotifyRoutineroutinesinordertoautomateinstallinghooks.Createdprocesseswillbehookediftheirparentprocesswashooked,aswillthreadsiftheirprocesswashooked.

ShutdownnotificationsaredetectedbycallingtheIoRegisterShutdownNotificationroutine.Whenanotificationisreceived,itissenttoGollumAppwiththetimethatGollumAppcanspendforcompletion.WhileGollumAppworks,Cahnadrsleeps.

ItinstallsbugchecknotificationsbycallingtheKeRegisterBugCheckReasonCallbackroutine.WhenanotificationisreceiveditcallsKeBugCheckwiththeundocumentedPOWER_FAILURE_SIMULATEparameter,whichisawaytorebootfromkernelmodewithoutBSODandcrushdump.Thisway,incaseafatalerroroccurs,Cahnadrrebootsthesystemwithoutcreatingamemorydumpondisk.

Thecommunicationbetweenkernelandusermodemodulesisimplementedindifferentwaysforx32andx64components.

Inx64componentsCahnadrsetsIRP-requestshandlersforthe‘null.sys’driver.Eachhandlercontainsa‘jmp’operationtothemaliciouscodelocatedinthe‘null.sys’imageinmemory.ThisishowhooksaretypicallysetinthisAPT,makingthemhardertodetect.Also,theauthorsdecidedtouseIRP-requestsshowninthepicturebelow:

Whilenull.sysuses:

HowevermaliciousandlegitimateIRP-handlershaveaconflictingcomponent,asbothnull.sysandCahnadrcanprocessrequeststoIRP-MJ-CLOSE.That’swhyonlyonehookandthreeordinaryhandlersareset.Afterthat,usermodemodulescansenddatatoCahnadrbycallingCreateFile(\\\\.\\NUL,…)+DeviceIoControl.

Inx32componentsanotherapproachwasused.CahnadrregistersaRegistryCallbackroutinebycallingCmRegisterCallbacktomonitoralloperationsintheregistry.WhenanyusermodemodulesendssomethingtoCahnadritsetstheArbitraryUserPointerfieldoftheTIBpointertotherelateddata,startingwith0x2BADDOOD,andthencallsRegEnumKeyWwhichtriggersthekernelmodecallback.

KernelmoderegistrycallbackchecksthattheregistryoperationisRegNtEnumerateKeyandthenlooksfor0x2BADDOOD:

Iffound,Cahnadrhandlesthecommandandreturnstheresulttothebufferusedintherequest.

Kernel-modenetworkingmodule Cahnadrhooksthefollowingroutinesinordertohideitstraffic,performdifferenttasksandprovideadditionalfunctionalityfortheusermodecomponents:

• ndis!NdisMSendNetBufferListsComplete • ndis!NdisMIndicateReceiveNetBufferLists

Theseroutinesarecallbacksrunbynetworkdriverstonotifyhandlerswithalldatasentorreceived.ThefunctionlistsinPNET_BUFFER_LISTallpacketsandtheirrelatedevent.CahnadrchecksifthereareSlingshot-relatedpacketsinthislist,andifso,removesthem.Let´sexplainthisinmoredetail:

Thetrickisthatallthemalwareisallocatedtoaparticularpoolthatallowsdiscriminatingitfromotherbenigncalls.NdisAllocateNetBufferListPoolcreatesNET_BUFFER_LIST,thatisinitializedcallingNdisAllocateNetBufferAndNetBufferList.Whenthenetworkdriversendsdata,itgetsintosuchaNET_BUFFERstructure,whichinturn,getsintoNET_BUFFER_LIST.ThecallbacksroutineNdisMSendNetBufferListsComplete,thatgetstheNET_BUFFER_LISTswithdatasuccessfullysent,ishooked.MalwaresimplychecksifanyentryinNET_BUFFER_LISTwasallocatedfromthemalwarepooland,ifso,willsimplynotreturnittotheoriginalhandler.

Thissnifferhasalistoftasks,eachoneassociatedwithalistofhandlers.Inboundandoutboundpacketsareexaminedandpassedtotheappropriatetask’sprocessor,whichcallsallhandlersassociatedwiththetask.Theresultdetermineswhethermalwareshouldhidethepackage.

Wehaveseenthreetypesoftask:

HTTP:ThisistheonlyhandlerthatnotifiesGollumApp(usermodepayload,describedbelow)thatHTTPdataisbeingtransferred. ARPf:(twohandlersforthistype).ThefirstonenotifiesGollumAppwhenanARP-requestisreceivedand/orwhenanARP-responseissent. Thesecondonestoresthisinformationinitsinternalstorage,collectinginformationaboutthenetworkstructure.Thistaskisenabledbydefault. IP2f:(twohandlersofthistype).Thefirstonechecksifthepackagecomesfromthemalwareoperators,onlytodecidewhetherthepackageshouldbehidden.ThisisdecidedbyXORingtwoTimestampsvaluesfromtheOptionsfieldintheTCP-header(RFC1323,code0x080A).Iftheresultisequalto0xDEADFOODthenthispackageshouldbehidden.

ThesecondonenotifiesGollumAppthatsomeTCP/UDPorICMPpacketsthatsuitmaliciousfilterswerefound.

Forinstance,forTPCtrafficthisfilterusesthesamedescribedXORprocedurewiththeconstant0xDADAE000,sendingGollumApptheseqNumber,askNumberandsrcportvalues.

ForUDP,packetswithalengthof0x55bytescontainingDNSresponses,itchecksthatthefielddns.Identifierequals0x212.Inthatcase,thepacketishiddenandGollumAppisnotifiedwiththeresolvedIPandTTLofthepacket.

ForICMP,packetscontainingthe«Destinationportunreachable»erroritchecksthattheoverlyingprotocolcontainstheconstant0xE17F(57727).Inthatcase,GollumAppisnotifiedwithip.Destination,ip.identification,ip.length.

Thistaskisenabledbydefault.

ThemalwareidentifiesHTTPtrafficbycheckingtheASKflaginTCPprotocol,andbyfindingtheHTTPsignatureintheTCPpackagebody.Thistaskisdisabledbydefault,howeverGollumAppcanenableit.

Additionally,thiskernelmodemoduleprovidesthefollowingfunctionalityforusermodecomponents:

• ARP-query:obtainstheMAC-addressforaspecifiedIPaddress.Requiresnetworkinterfaceasaparameter

• ARP-reply:sendsitsownMACaddressasaresponsetoaspecifiedARP-request,regardlessofwhethertheIPfromtherequestandtheinfectedcomputerarethesameornot

• Sendscustomnetworkpackage,whereallfieldscanbecustomizedfromtheEthernet-layer • SendscustomIPV4package

CahnadrsupportsIEEE802.11standard,allowingittooperatewithWiFiframes.

NetworkinterfacesaretracedusingPlug-and-PlaynotificationswithEventCategory-PNPNOTIFY_DEVICE_INTERFACE_INCLUDE_EXISTING_INTERFACES.Whenanetworkinterfacechangeeventhappens,allhookslistedaboveapplyandCahnadrchecksthecategoryofthenewinterface(bridge/wan/lan).Dependingonthetypeofinterface,itgetsdifferentdatathatiswrittenintheemalware´sstorage:

• Ethernet:MAC-addressandmaximumframesize • Wireless(802.11)AccessPointMAC-addressandauthenticationstate

Usermodepayloads GollumApp Thispayload(namedafterthefamouscharacterfromTheHobbit)isthemainusermodepayload,orchestratingactivitiesofothermodulesandhavingaconstantinteractionwiththekernelmodeCahnadrorchestrator.

Initiallyitisinjectedintoservices.exeasaseparateusermodethread:firstitallocatesthememory,thenwritesthemoduleandcreatesthethread.Afterthat,itcallsCsrCreateRemoteThreadinthecontextofthecsrss.exeforcreatingthenewthreadinservices.exe,whichistypicalforcreatingnewusermodethreadsfromring0.Thisisdoneinthiswaybecausemalwareworksdirectlywithsystemservices.

Thefollowingsummarizesitsfunctionality:

● Collectsnetwork-relatedinformation:routingtables,configuration,informationaboutproxy-serversandAutoConfigUrlsettings ● Collectnotificationsaboutallchangesintheroutingtableand/orchanginginterfaceIP-address. ● HandlesIOrequestsfortheencryptedfilesystem ● ContainsvariouscommandprocessorforcommunicationwithCNC ● CollectsallpasswordssavedinMozillaandIE ● Canworkwiththeclipboard ● Canlogallpressedkeys ● Collectsinformationaboutharddiskpartitions ● CollectsinformationaboutUSBdevicesandsendsnotificationswhennewdeviceisconnected. ● CanrunnewprocesswithSYSTEMprivilegesasachildofsmss.exe ● InjectsmaliciousmoduleSsCbintospecifiedprocess

SsCB Thismoduleprovidesthefollowingfeatures:

• Makesscreenshotsofaspecifiedwindow,orthewholedesktop • Stealsdatafromclipboard

• Collectsinformationaboutopenedwindows:title,size,position • CancloseanywindowbysendingWM_CLOSEmessage • ShowsspecifiedwindowbycallingShowWindow • Collectsinformationaboutactivedesktop,activewindow,nameofaprocessthatcreatedthis

window,titleofawindow,keyboardlayout

ffproxy CollectsinformationrelatedtoproxysettingsforallMozillaprofiles.

• Frompref.js:CollectsHTTPandSSLproxies,autoconfig_url(containslocalorremoteURLtoProxyAutoConfigurationfile,forinstance,whenproxysettingsaremanagedremotely)

• Fromsignons*files:retrievesdomain,portandusernamewithpasswords,ifavailable • signons.sqlite for3.5-32.0versions • signons3.txt for3.0-3.5versions • signons2.txt from1.5.0.10and2.0.0.2to3.0versions • signons.txt forlowerversions

NeedleWatch ThiscomponentisinjectedinalmostallprocessesusingthecoupleGollumAppandCahnadr.Itspiesonthecontentofthebufferspassedtothefollowingfunctions:

• Functionsthatdrawtext • gdi32!ExtTextOutW • gdi32!ExtTextOutA • gdi32!TextOutA • gdi32!TextOutW

• FunctionsthatwritestoConsole • kernel32!WriteConsoleA • kernel32!WriteConsoleW

• FunctionusedforrenderingunicodetextbyUniscribelibrary • usp10!ScriptShape

• FunctionusedforrenderingtextbyDirectWrite • dwrite!DWriteFontFace::GetGlyphIndicesW

• FunctionsusedforencryptionanddecryptionbySSP(SecuritySupportProvider) • secur32!EncryptMessage • secur32!DecryptMessage

• FunctionsfromNetscapePortableRuntime • nspr4!PR_GetUniqueIdentity • nspr4!PR_Read • nspr4!PR_Write

Theimplementationisbasedonhooks.Eachhookissetasoneoftheprivilegedinstructionsplacedatthebeginningofthefunction.Beforeplacinghooks,NeedleWatchregistersanexceptionhandlerbycallingAddVectoredExceptionHandler,sowhenthehookedfunctioniscalled,thefirstinstructionraisesanexceptionwhichishandledbyNeedleWatch.InthemalwareexceptionhandlerNeedleWatchcallstheoriginalfunctionandextractsallthesent/receiveddata.

Functionsfromthesecur32andnspr4modulesarethemostinterestingones.

EncryptMessageandDecryptMessagearefunctionsoftheSecuritySupportProviderInterface,notlinkedtoanySecuritySupportProviderinparticular,sohookingthesefunctionsallowsNeedleWatchtospyoneveryprovider:Digest,Kerberos,NTLM,Schannel,oranyotherone.

NeedleWatchcanalsoreadencryptedMozillatrafficasfollows:NetscapePortableRuntime(NSPR)providesaplatform-neutralAPIforsystemlevelandlibc-likefunctions.TheAPIisusedinMozillaclients,manyofRedHat'sandOracle'sserverapplications,andothersoftware.InI/ONSPRoperateswithfiledescriptorsthatcanbelayered.Whenread/writeoperationsoccur,NeedleWatchchecksthelayerofthefiledescriptorandifitisNSS(NetworkSecurityServices),SSLoranyotherSSL-basedlayer,NeedleWatchstoresthedatafromthebuffersentintheI/Ooperation.

Sfc2 DisablesWindowsfileprotection,makingsfc.exeutilitybelievethatthepatcheddisksystemlibrary(scesrvorspoolsv)isnot.

Thisispossiblebypatchingwcp.dllintheTrustedInstaller.exeprocess.Basedontheexportedwcp!RtlParseManifestMicrodomIntoCdffunction,Sfc2searchesfortheaddressofthenon-exportedwcp!GetRootElementfunctionandcallsitinordertoretrievethe_XMLWALK_ELEMENT_DECLstructure.Oncereturned,thisstructurewillbepatchedatthe0x34offsetwith0insteadof0x1E.

Inx64versionithooksZwCreateFileandZwOpenFileinthesamewayasdescribedintheNeedleWatchsection.Ifthehookhandlerfoundthatthefileobjectnamepassedtofunctionpointstoscesrv.dlllibraryinsystemorinwinsxsdirectory,malwarechangestheobjectnametoscesrv.dlllocatedinwinsxs\backupdirectory.So,whentheprocessistryingtocheckpatchedscesrv,hooksmakeitsothatanunpatchedbackupfileischeckedinstead.

AdditionalTechnicalDetails Afteranalyzingthemaincomponentsofthisframework,westillwanttohighlightsomespecifictechnicaldetailsandespeciallyinterestingrelatedartifactsinthissection.

Packer AllsamplesarepackedwithapreviouslyunknownpackerthattransformscustomPEsampleintobase-independentcode.Thisway,thepackerallowstocompilenewcomponentsofthisAPTasordinaryPEfilesand,afterunpacking,theycanusethemasabase-independentcode.

Thathelpstoembedthemintoothersamples,amongotheradvantages,suchaseasyprocessinjectionorinfectingsystemlibraries.Othertypicaladvantagessuchassmallercodeandhidingfunctionalityarealsoprovided.

Afterpackingtheresultingstructureisasfollows:

1. Header,0x400byteslong2. Unpackerstub3. Dataforunpacking

Theheader,initialbase-independentcodeandalldatathatisnecessaryforunpackingareshownbelow:

Someofthereservedparameterswillbeusedinternallybytheunpacker,othersarethereforfutureimprovements.Inlaterversionsofthispacker,moduleandsectionnamesareencryptedbyasimpleXOR-basedalgorithm.

Thevalueatoffset0x198containsthevirtualaddressofafirstsectiondescriptor.Eachsectionisrepresentedinthisstructurewithsixfields:sectionRVA,characteristics,realsize,packedsize.Ifrealsizeisnotequaltopackedsizeifmeansthatthissectionisencrypted.Thelasttwofieldsarereserved.Afterthedescriptor,thereisadatasection,followedbymoredescriptorswiththesamestructure.

ThepackingalgorithmisbasedontheAplibcompressionlibrary:

1. PackseachsectionwithAPlibcompression2. ReplacestheoriginalPEheaderwithanewonegeneratedbythepacker3. Addsastubwiththedecryptroutine

Base-independentcodedecryptroutineworksasfollows:

1. ObtainstheaddressesofGetProcAddress&LoadLibraryfunctions2. AllocatesmemoryfortheoriginalunpackedPE-file3. Unpacksallsectionsandwritesthemintheallocatedmemory4. SetsrightsforeachsectionbycallingVirtualProtect5. Restorestheoriginalimporttable6. Fixesrelocations;workswithexceptions:forx64imagesaddsexceptionhandlers

(RtlAddFunctionTable),forx32patchesntdll!RtlIsValidHandlersoitalwaysreturnstrue7. Wipesallheadersandreturnsexecutiontotheoriginalentrypoint

SlingDll.DllandMinislingmodules ForsomevictimswefoundthatattackersdidnotuseSlingshot.Instead,theyusedtwocomponentsnamedSlingDll.dllandMinisling. SlingDllistypicallylocatedinsystem32folderasastandaloneDLLwitharandomnameandloadedbysvchostviaCOMObjecthijacking(CLSID=6C19BE35-7500-11D1-AD94-00C04FD8FDFF).Itusesmodule_id0xFF000008forfixingSlingDll.dllexporttableinruntime.ThenitobtainsthepathtoaMZPEsamplefrommodule_id0xFF000008:

andfillstheexporttablewithlinkstotheexportedroutinesofthisfile(DLL-forwarding).Thisway,whenSlingDll.#1iscalled,esscli.#1willberun.Theexporttableinmemorylookslikethis:

SlingDll.dllalsousesasmarttrick.Itsimageinmemorylooksinitiallylikethis:

ThenitcopiesthewholeimagetoheapandUnmapViewOfFiletounloadSlingDll.Dllimage.Afterthat,itallocatesnewmemorybycallingVirtualAllocwiththesamestartaddressandsizethattheunloadedimagehad.Finally,malwarecopiesalldatafromheapbacktotheallocatedmemory,resultinginthefollowing:

AtthatmomenttheimageisunloadedbutkeepsworkingbecauseImageBaseisthesame.

ThelastthingthatSlingDll.dlldoesisruntheMinislingmodule.

Minislingusesaglobalmutex(Global\{6D29520B-F138-442e-B29F-A4E7140F33DE})toensureitisrunonlyonce.Itchecksifoneofthefollowingdriversisloadedintomemory:DepFrzLo.sys,DeepFrz.sys,DfDiskLo.sys;andifnoneisfounditcheckshowmanytimestheoperatingsystemwasrebootedbeforecorrectlyshuttingdown.ThisisdonebycomparingEventRecordIDfromETW-logs:malwaregetsthisvaluebysendinganXML-requestswithEventID=12andProvider.Name=Microsoft-Windows-Kernel-Generalinordertoobtainthelastreboottime,andwithEventID=41andProvider.Name=Microsoft-Windows-Kernel-Powertoobtainthelastunsuccessfulattempttoturnthemachineoff.

Whenthelimitofrebootsisreached,Minislingdeletesitself.Incaseswhenthecomputerwassuccessfullyrebooted,thecounterissetto0.Ifoneofthedriverslistedaboveisloadedorifthecounterlimitisnotreached,Minislingstartsfindingandexecutingloadersinthesamesequenceaspreviouslydescribed.

InfectedMikrotikDevice-chmhlpr.dll MikrotikisaLatviannetworkhardwareprovider.Formanagingtheirrouters,thiscompanyprovidestocustomerswithsoftwarecalledWinBoxthatdownloadsanumberofDLLsfromtherouter’sfilesystemandloadsthemdirectlyintothecomputermemory.Thisisitsnormalbehaviorbydesign.

Alibrarycalledip4.dllwasaddedontotherouterbytheattacker.Afteritwasadded,theWinboxsoftwarestartedtodownloadandrunit–wearenotsurewhy.

Duringourresearch,wefoundseveralvictimswhoseMikrotikrouterswerehacked,resultinginitreturningasuspiciousip4.dllfilewiththeinternalnamechmhlpr.dll.Indeed,thisDLLisaTrojan-DownloaderrelatedtoSlingshot.

ThatmakesusbelievethatSlingshotisabletotargetvictimsbydirectlyinfectingMikrotikroutersinordertoabusethismechanismusedbyWinBox.Wedonotknowhowtheserouterswerecompromised,howeverWikileaks´Vault7describestheuseoftheChimayRedexploittocompromisesuchdevices.TheexploitisnowavailableonGitHub.

Mikrotik´sofficialforumdeclaresthatthisexploitonlyworksuntilRouterOSv.6.38.4,howeverthisparticularvictimwasrunningversion6.38.5ofthefirmware,makingitunclearwhetherthisversionisstillvulnerableorifattackersusedadifferentone.WecontactedMikrotikandreportedthisattackprocedure.AccordingtoMikrotik,latestversionsofWinBoxnolongerdownloadtheipv4.dllfilefromtherouter,closingtheattackvector.

Thefollowingtablesummarizesmaliciousipv4.dllfilesabusingthismethod:

MD5 Size Filelocation

042CC382ACB5B2B70C78BAA77BB7C5F9 43520 %AppData%\Roaming\mikrotik\winbox\5.20-3610090039\ipv4.dll

AFAFF3310D8C094774DA6BA856C1A30E 43520 %AppData%\Roaming\Mikrotik\Winbox\5.20-3610090039\ipv4.dll

01C85EE057B6B529891C0A4275A642DA 43520 %AppData%\Roaming\Mikrotik\Winbox\6.33.1-1338332867\ipv4.dll

87A28A99697452A37FC229B3AA3AFE97 43520 %AppData%\Roaming\mikrotik\winbox\6.38.5-3172206015\ipv4.dll

chmhlpr.dlldownloadsamaliciouspackedMZPEtoexecute.Thislibraryhasfourhardcodedparameters:

• IPfordownloadingthepayload.Inthesamplethatwefound,thepayloadwaslocatedinthesamecompromisedMikrotikrouter(192.168.88.1).

• Porttoconnectto(4443inoursample). • Numberofconnectionattempts(3inoursample). • Delaybetweenattempts,inseconds(90secondsinoursample).

IfnoIPishardcoded,itwaitsforanincomingconnectiononthespecifiedport.

Onceitgetsconnectionitsendsthemagicvalue0x43237FB2andwaitsforthepackedmodule.Itchecksforaconstantat0x84offset,lookingfor0xDEADFOODinordertounpackandloadthiscode.Thenitsharesthesocketoftheestablishedconnectiontothenewmoduleandrunsit.

Thedownloadercanalsouseaproxyinformationdetailedin:*UserSID*\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ProxyServer

Itsearchesforproxycredentialsin:

• Windowsprotectedstorage,whereItemNameparametercontainsproxydomain • CredentialsfromIEasdocumentedhere

KPWS ThereisasecondTrojan-Downloadercalled‘kpws’designedtodownloadanotherSlingshotcomponentandrunit.Unlikechmhlpr,itcan´tconnectoverproxies,can’tlistenforconnection,parametersaresetincmdline(embeddedinpackedMZPE)anditactivelyuseslogging.

Themaindifference,however,wouldbethemagicconstantsentasfirstpacket,setto0xC0FFEE43.ThistoolcontainsareferencetoSmeagol(Gollum’soriginalnameinTheLordoftheRings)whichactuallyreferstoGollumApp.

Additional downloaders ‘Rc’downloader Thiscomponentnamed‘rc’hasthesameinputparametersaschmhelp.dllandthesameoutputaskpws.Itprovidesthefollowingfunctionality:

• Resolvesenvironmentvariables.

• Sendsinfoaboutfilesindirectory:path,size,datemodified. • Writefiles,sendsfiles. • Sendsinfoaboutrunprocesses:PID,PPID,creationtime,nameoftheexecutablefileforthe

process,accountnamewithdomain,isprocessrununderWow64. • TerminatesprocessbyPID. • ImpersonatesuserbyloginandpasswordreceivedfromserverorbyprocessPID. • Revertstoselfafterimpersonation. • Createsprocess.Ifimpersonationwassuccessfulthancreationtakeplaceonbehalfof

impersonateduser. • Communicateswithcreatedprocess. • Sendsnameofthelocalcomputer,Windowsversion,buildnumber,installedservicepack. • Sendsusername. • Migratestoanotherprocess:infectsprocessbyPIDwithitselfinmemory.Socketconnectedto

serverispassedtoo. • Migratestoanotherprocess:pathtoprocesstobecreatedisreceivedfromserver.Injectisonly

inmemory.Socketconnectedtoserverispassedtoo.Wheninjected,malwaredownloadsandrunsnextSlingshotcomponent.

• Downloadsandconfiguresnewmodule,thenrunsitinnewthreadincurrentprocess.Allloggingofnewmodulewillbesendtoserver.

Theconfigurationofanewmodulecanbeonlydonethroughcommandline(embeddedintheheaderofthepackedcomponent)andconsistsofreceivingitfromtheC2server,parsingitandinsertingitintothedownloadedsample.

Thisseemsastrangebehavior,asthereisnoneedtodoallthisonthevictimside.

Interestingly,‘rc’logsinsomevictimsshowedconnectionstothe2869/1900/5431ports,linkedtovulnerabilitiesinpreviousUPnPprotocols.Thismightbeanotheronecluethatattackersusedvulnerableroutersasinfectionvector.

Sporkdownloader Thisisthelastdownloaderwehavefound,quitedifferentfromtheonesdescribedabove:

Notasinterestingasitsmainduty(downloadsandrunapayload)isitsimplementation.Thismoduleintroducesaruleenginewithembeddedserializedrules.ThisisintendedtofindsomePersonalSecurityProducts(PSPs)thatsuittherulesamongthestartedprocesses.Thisisusedtodecidetowhichprocesstheembeddedmaliciousshellcodewillbeinjected.

Rulesareserializedaccordingthefollowingscheme:

• Bytecount_rules,count_PSPs. • Ruleall_rules[count_rules](6or8bytesperruledependingonsporkversion-yellow). • Shortoffsets_to_PSP_names[count_PSPs](purple). • CharPSP_names[count_PSPs][](green).

Eachruleconsistsof6fields:

• ProcessnameofthePSPrepresentedasindexinoffsetsarray. • Arrayofnamesofprocessestoinjecttoasindexviewtoo(somebelowwillbedescribed). • MinversionofthePSP. • MaxversionofthePSP. • Flags:forexample,x32/x64. • Typeusedasresultwhenrulewasfound.

Sporkenumeratesallthestartedprocesses,checkingeachofthemwitheachrule.Ifanyprocessmatchesatleastoneofthem,itdecideswhethertoinjectcodeintoitdependingonthetypeofthematchedrule.Typecanbeanyofthefollowingvalues:

• Type0:default • Type1:error • Type2:injectintomatchedPSP • Type3:injectintolsass.exe • Type4:injectintowinlogon.exe • Type5:injectintosvchost.exe • Type6:injectintoprocessspecifiedinsecondfieldofmatchedrule

Ifnoprocessmatchesanyrules,thenthedefaultprocess‘svchost.exe’isusedforinjection.

Thematchingprocesswitharulecanbesummarizedasfollows:

• ProcessnameisequaltothePSPnameinrule • VersionofthePSPisinsidetheboundsspecifiedintherule • Processsuitsallflagsthataresetintherule

TheversionofPSPisdeterminedbysequencecallstoGetFileVersionInfoandVerQueryValuetogetdwProductVersionMSfield,whichcontainsthenumberoftheproductthisfile(PSP)wasdistributed.

ThefollowingtablesummarizesthefoundPSPwiththeprocesstoinject:

foundPSPname versions bitness processtoinject

avfwsvc.exe 00-ff x32 avguard.exe

avfwsvc.exe 00-ff x64 inssda64.exe

avgtray.exe 00-ff x32 avgtray.exe

avgtray.exe 00-ff x64 avgsrmaa.exe

avp.exe 01-07 x32-x64 winlogon.exe

avp.exe 08-0c x32 avp.exe

avp.exe 08-0c x64 lsass.exe

avp.exe 0d-0d x32-x64 lsass.exe

avastui.exe 00-ff x32 avastui.exe

avastui.exe 00-ff x64 winlogon.exe

avgnt.exe 00-ff x32 avguard.exe

avgnt.exe 00-ff x64 inssda64.exe/avshadow.exe

avgui.exe 00-ff x32-x64 winlogon.exe

bdagent.exe 00-ff x32-x64 bdagent.exe

cfp.exe 00-ff x32-x64 cfp.exe

casc.exe 07-08 x32-x64 svchost.exe

casc.exe 05-06 x32-x64 error

defenderdaemon.exe 00-ff x32-x64 error

egui.exe 00-ff x32-x64 default-svchost.exe

fsdfwd.exe 00-ff x32-x64 default-svchost.exe

mcagent.exe 00-ff x32-x64 winlogon.exe

rstray.exe 00-ff x32 rstray.exe

rstray.exe 00-ff x64 error

rtvscan.exe 00-ff x32-x64 default-svchost.exe

tmproxy.exe 00-ff x32-x64 tmproxy.exe

umxcfg.exe 07-08 x32-x64 default-svchost.exe

umxcfg.exe 05-06 x32-x64 error

zlclient.exe 00-ff x32-x64 error

Insteadofinjectingthemaliciouscodeinalreadystartedprocesses,sporkcreatesanewprocessoftheselectedimage.Processiscreatedwiththe:flagshide,createnowindow,defaultinsteadofloadingcursorandsuspended.Thenitcreatesanewsection,fillsitwithmaliciousshellcodedependingonthecreatedx32orx64processandpatchestheEntryPointsothatitcallstheshellcode.ThelaststepiscallingResumeThreadtorunit.

ThenewshellcodeloadsitsneededlibrariesbyparsingPEB,connectstoitsC2(specifiedincmd-line),sendstoitconstant0xC0FFEE44or0xC0FFEE43dependsonprocessbitness,downloadsthemalwarefromthereceivedanswer,passestoitsocketusedfortheconnectionandruns.Unlikeallthepreviouslydescribeddownloaders,itdoesn’tcheckfor0xDEADFOODat0x84offset.

Victims Usingourtelemetry,wewereabletofindalmostonehundredvictims,mostofthembasedintheMiddleEastandAfrica.Thefollowingchartshowsthepercentageofvictimspercountry:

Conclusions ThediscoveryofSlingshotrevealsanothercomplexecosystemwheremultiplecomponentsworktogetherinordertoprovideaveryflexibleandwell-oiledcyber-espionageplatform.Themalwareishighlyadvanced,solvingallsortofproblemsfromatechnicalperspectiveandofteninaveryelegantway,combiningolderandnewercomponentsinathoroughlythought-through,long-termoperation,somethingtoexpectfromatop-notchwell-resourcedactor.Allthisframeworkisdesignedforflexibility,reliabilityandtoavoiddetection,whichexplainswhythesecomponentswerenotfoundformorethansixyears. Thislong-termcampaignseemedtobefocusedonAfricaandtheMiddle-Eastregion,butobviouslyourtelemetryonlyofferspartialvisibilityandthiscouldbejustasubset. Intermsofattribution,wehavenotbeenabletofindanydefinitivelinkstoanypreviouslyknownAPTs.SomeofthetechniquesusedbySlingshot,suchastheexploitationoflegitimate,yetvulnerabledrivershasbeenseenbeforeinothermalware,suchasTurla,Equation’sGrayfishplatformandWhiteLambert.MostofthedebugmessagesfoundthroughouttheplatformarewritteninperfectEnglish.ThereferencestoTolkien’sLordoftheRings(Gollum,Smeagol)couldsuggesttheauthorsarefansofTolkien’swork. OneinterestingpointisthepossibilityofabusingMikrotikdevices(andmaybeothernetworkhardwareproviders)asinitialinfectionvectorforsomevictims.Wecan´texcludeotherspreadingmethodsforthiscampaign,giventheversatilityofthisactor.

AppendixI-Scripts

Stringdecryption Insteadofstoringstringsinrawview,somecomponentsstorestheminencryptedviewanddecryptswhenit’sneeded.Thisfunctionimplementsdecryptionwhichcanbeusedforfurtheranalysis. def get_name(name): key = bytearray(b'\xE0\x80\xC5\xAF\xB5\xD7\xC4\xA1\xBD\xBA\xE4\xDA\x96\xBF\x9A\x8A\x9A\xA8\xBE\xD2\x85\x84\xC4\xB0\xAA\xEA\xD8\xAC\xC4\xF3\xAF\x00') size = len(name) ind = ((((0xFFFFFFFF84210843 * size) // 2 ** 32) + size) % (2 ** 32) // 16) ind = ind + ind // 2 ** 31 ind = size - ind * 31 for i in range(len(name)): key_i = key[ind] name[i] ^= key_i ind += 1 tmp = ( 0x8421085 * ind ) // 2**32 ind -= (((ind - tmp) // 2 + tmp) // 16) * 0x1F return name

Sporkrulesviewer Asmentionedabove,sporkcontainsserializedrulesusedbyrulesenginetocheckwhichPSPisinstalled.Thisscriptprintsrulesinreadableviewfortwotypesofdatabases(6or8bytesperrule): import argparse import struct def get_byte(data, offset): byte_range = data[offset : offset + 1] return struct.unpack('<B', byte_range)[0] def get_short(data, offset): byte_range = data[offset : offset + 2] return struct.unpack('<H', byte_range)[0]

class rule: rule_size = 8 def __init__(self, raw_rule): self.index_process_name = get_byte(raw_rule, 0) self.index_process_to_inject = [get_byte(raw_rule, 1)] offset = 0 if rule_size == 8: offset = 2 if get_byte(raw_rule, 2) != 0:

self.index_process_to_inject.append(get_byte(raw_rule, 2)) if get_byte(raw_rule, 3) != 0: self.index_process_to_inject.append(get_byte(raw_rule, 3))

self.min_version = get_byte(raw_rule, 2 + offset) self.max_version = get_byte(raw_rule, 3 + offset) self.flags = get_byte(raw_rule, 4 + offset) self.type_of_action = get_byte(raw_rule, 5 + offset)

class rule_db: def __init__(self, input_file): data = bytearray(open(input_file, "rb").read()) self.rules_count = get_byte(data, 0) self.strings_count = get_byte(data, 1) self.rules = [] for i in xrange(self.rules_count): self.rules.append(rule(data[2 + i * rule.rule_size : 2 + i * rule.rule_size + rule.rule_size])) self.offsets = [] self.strings = [] for i in xrange(self.strings_count): self.offsets.append(get_short(data, 2 + self.rules_count * rule.rule_size + i * 2)) curr = start = self.offsets[i] while data[curr] != 0: curr += 1 self.strings.append(str(data[start : curr])) def print_info(self): for rule in self.rules: process_to_inject = 'svchost.exe' if rule.type_of_action == 1: process_to_inject = 'error' elif rule.type_of_action == 2: process_to_inject = self.strings[rule.index_process_name] elif rule.type_of_action == 3: process_to_inject = 'lsass.exe' elif rule.type_of_action == 4: process_to_inject = 'winlogon.exe' elif rule.type_of_action == 6: process_to_inject = '/'.join([self.strings[i] for i in rule.index_process_to_inject]) bitness = 'x32-x64' if rule.flags == 1: bitness = 'x32' elif rule.flags == 2: bitness = 'x64'

print ('PSP: %s\tversion: %02x-%02x\tbitness: %s\ttarget: %s' % (self.strings[rule.index_process_name], rule.min_version, rule.max_version, bitness, process_to_inject) )

parser = argparse.ArgumentParser() parser.add_argument('input_file') args = parser.parse_args()

for rule_size in [8, 6]: try: rule.rule_size = rule_size db = rule_db(args.input_file) db.print_info() break except: continue

AppendixII-Indicatorsofcompromise

MD5 042cc382acb5b2b70c78baa77bb7c5f9 11ccc2c5811c80f2a796817d9ccbe34b 142970f7e10e3a49e583b2f557dcbe79 64f705e55545a371e0f5e599cfbae5e9 6637dbcc6059a1e2e45956d98a3ea590 706269c041d94c4501b78c128f1c0e70 7fb82333aa08f4bfbbfa515e7e93bad4 87a28a99697452a37fc229b3aa3afe97 afaff3310d8c094774da6ba856c1a30e b7a2525e05769540f48733d5673a77fa c638169aaa777d4f6eae43205a39e274 db71aed3b9ffbbfa4c49db036520ceeb f4944c5d47907ce93819aed8c4f76bcc MoreindicatorsareavailabletoKasperskyLabprivatereportsubscribers.Pleasecontactintelreports@kaspersky.com