The Slingshot APT
Version: 1.0 (06 March 2018)
Executive Summary

While analysing an incident that involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.

The initial loader replaces the victim's legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual file system, among others.

While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.

We believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018). We observed almost one hundred victims in the following countries: Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Democratic Republic of the Congo, Turkey, Sudan and United Arab Emirates.

This paper in a nutshell:
• Slingshot is a new, previously unknown cyber-espionage platform which rivals Project Sauron and Regin in complexity
• Slingshot has been active since at least 2012 until February 2018
• We observed almost one hundred Slingshot victims, mainly in the Middle East and Africa
• The attackers exploited an unknown vulnerability in Mikrotik routers as an infection vector
Technical Details

During the analysis of anomalies from a system suspected of being infected with a keylogger, we found an interesting artifact. This system had a DLL called ‘scesrv.dll’ (this same name is used by a system DLL) containing strings that seemed related to Virtual File System handling.

This was indeed a patched system library, loaded by services.exe with SYSTEM privileges. We called it Slingshot, based on internal strings.

Slingshot is a loader that uses different components, as summarized in the schema below. The following sections provide a technical analysis for all of them.
Slingshot

Slingshot is a loader used as a first stager. It replaces an existing system DLL with a malicious one of exactly the same size. We noticed that the attackers replace scesrv.dll more often than other DLLs, but in some cases attackers also replaced spoolsv.exe.

The system DLL patching is one of the most technically interesting features of this loader, and it works as follows:

• Inserts all necessary modules into the victim's system DLL file, compressing part of the original file in the malware's data section to retain the same size.
• Changes the entry point, pointing to one of the added loaders. Loaders are written in the infected DLL as base-independent code.
• Calculates the new checksum of the DLL.
• When started, after executing all malicious actions, the malware restores the original code of the system DLL in memory.

Each added malicious module has the following structure:

{uint module_id, uint module_size, char data[module_size]}.

Actually, the malware itself on disk is an array of modules.

Fig. 1 Green is the ID, yellow the size in bytes, red the encrypted ‘Slingshot’ word.

For instance, the described loader (6637DBCC6059A1E2E45956D98A3EA590) has the value module_id=0xFF000001 and contains the encrypted word ‘Slingshot’. In its entry point it directly jumps to the malicious code with ‘jmp 758E618C’.

The malicious module is located right after the header. Actually, this would be the unpacker for the embedded MZPE module. The original entry point address and the checksum of the DLL are stored in the module with module_id=0xFF000003. The original code is stored in the module with module_id=0xEF000007.

This module uses the following parameters:

Ss -a24964 -s163007 -o8 -l313856 -r24964 -z228584

where:

• L – Size of the infected library
• R – RVA of patched data in the library (where the malware code starts)
• A – RVA of the modules array, 24964=0x6184 => ImageBase of the library .758E0000
• S – Size of the modules array, 163007=0x27CBF => in the infected library the modules are embedded from address .758E6184 to .7590DE43
• O – Offset from the beginning of the compressed MZPE file till the modules list. Used for finding the modules array (address .758E6184 in the picture above)
• Z – Maximum data size that will be restored in the original library

To ensure correct execution and avoid system crashes, Slingshot restores the original library data stored in ImageBase+R to ImageBase+R+Z in memory.

In case the malicious modules can't be embedded into the target system library, Slingshot uses an additional file on disk. The path for this file is stored in the module with module_id 0xFF000006. It could be a hardcoded path in the recycler bin (first dword is 0x12000006); or, if the first dword is 0x12000007, the malware tries to read this file directly from the PhysicalDrive object by calling:

CreateFile(\\\\.\\PhysicalDrive+drive_number), SetFilePointer, ReadFile.

Module_id 0xFF000007 stores the encryption key for the module with module_id 0xCF000009: this module is called Cahnadr and is the main kernel mode loader implementing almost all the payloads.

After loading additional modules, Slingshot passes the execution to Cahnadr.
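An analyst triaging a suspected patched DLL needs to walk the module array and turn the parameter string into concrete addresses. The following is an added example, not code from the report or from the Slingshot authors: it parses the {uint module_id, uint module_size, char data[]} records and the ‘Ss -a.. -s.. -o.. -l.. -r.. -z..’ string described above, and derives the modules-array and restore ranges. The sample bytes and the values inside them are constructed (real module data is encrypted); only the parameter string, ImageBase and module_id meanings come from the report.

```python
"""Parse the Slingshot patched-DLL layout described in the report: an array of
{uint module_id, uint module_size, char data[module_size]} records plus the
loader parameter string, and derive the address ranges an analyst would check.
Added example; sample bytes below are constructed stand-ins."""
import re
import struct

MODULE_HDR = struct.Struct("<II")   # little-endian: uint module_id, uint module_size

# module_id values the report names, used to label what each record holds
KNOWN_IDS = {
    0xFF000001: "loader / unpacker for the embedded MZPE",
    0xFF000003: "original entry point and DLL checksum",
    0xEF000007: "original (displaced) library code",
    0xFF000006: "path of the external module file",
    0xFF000007: "encryption key for Cahnadr",
    0xBF000001: "ring-0 loader (first)",
    0xBF000002: "ring-0 loader (fallback)",
    0xCF000009: "Cahnadr, kernel-mode payload",
}


def parse_modules(blob):
    """Walk the module array and return [(module_id, data), ...].

    A record whose declared size runs past the end of the array raises instead
    of being silently truncated: a corrupted or hand-edited sample should be
    noticed, not half-parsed."""
    modules, off = [], 0
    while off + MODULE_HDR.size <= len(blob):
        module_id, size = MODULE_HDR.unpack_from(blob, off)
        off += MODULE_HDR.size
        if off + size > len(blob):
            raise ValueError(f"module 0x{module_id:08X} claims {size} bytes past end of array")
        modules.append((module_id, blob[off:off + size]))
        off += size
    return modules


def describe(modules):
    """One human-readable line per module, labelled with the report's ids."""
    return [f"0x{mid:08X} {len(data):7d} bytes  {KNOWN_IDS.get(mid, 'unknown module_id')}"
            for mid, data in modules]


PARAM_RE = re.compile(r"-([aslorz])(\d+)")


def parse_params(cmdline):
    """'Ss -a24964 -s163007 ...' -> {'A': 24964, 'S': 163007, ...}; all six required."""
    params = {k.upper(): int(v) for k, v in PARAM_RE.findall(cmdline)}
    missing = set("ASOLRZ") - set(params)
    if missing:
        raise ValueError(f"missing parameters: {sorted(missing)}")
    return params


def layout(params, image_base):
    """Virtual address ranges derived the way the report does: the modules array
    spans ImageBase+A .. ImageBase+A+S, and the original data restored at
    start-up spans ImageBase+R .. ImageBase+R+Z."""
    a, s, r, z = params["A"], params["S"], params["R"], params["Z"]
    return {
        "modules_array": (image_base + a, image_base + a + s),
        "restore_range": (image_base + r, image_base + r + z),
    }


# Constructed sample: plaintext stand-ins for the encrypted module contents
SAMPLE = b"".join(
    MODULE_HDR.pack(mid, len(data)) + data
    for mid, data in [
        (0xFF000001, b"Slingshot"),
        (0xFF000003, struct.pack("<II", 0x00001A2B, 0x0004D2E6)),  # placeholder OEP, checksum
        (0xEF000007, b"\x90" * 16),                                 # placeholder original code
    ]
)
SAMPLE_PARAMS = "Ss -a24964 -s163007 -o8 -l313856 -r24964 -z228584"   # from the report
IMAGE_BASE = 0x758E0000                                               # from the report

if __name__ == "__main__":
    print("\n".join(describe(parse_modules(SAMPLE))))
    for name, (lo, hi) in layout(parse_params(SAMPLE_PARAMS), IMAGE_BASE).items():
        print(f"{name}: 0x{lo:08X}-0x{hi:08X}")
```

With the report's parameters the modules array resolves to 0x758E6184-0x7590DE43, matching the addresses quoted above, and the restore range to 0x758E6184-0x7591DE6C.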
Ring0 loader

This loader is compressed in module_id 0xBF000001. Actually, there might be more than one, so in case the first loader fails, there may be a second loader in the binary with module_id 0xBF000002. At this stage, Slingshot uses its internal logging system actively:

Slingshot checks if there is any kernel-mode payload and any loader available, and then the loaders are run one after the other.

Upon starting, this loader gets SeLoadDriverPrivilege for installing malicious drivers into the system that it will later abuse for obtaining kernel privileges.

In order to avoid leaving any traces of this activity in system logs, it renames the ETW logs, and for the Security and System logs adds the .tmp extension. After execution, the loader removes the extensions.

The final goal of this module is to load the Cahnadr module (kernel mode main payload, described below) into kernel mode. As previously stated, Slingshot has different ways to load code into kernel mode, each using its own loader.

The simplest loader is used for 32-bit systems where Driver Signature Enforcement (DSE), which requires signed drivers, does not apply. This loader simply saves the driver on disk and loads it.

When the driver is loaded, the loader shares the malicious payload with it by calling DeviceIoControl with control code 0x222000.

This driver receives commands from the user-mode loader via DeviceIoControl. The only available command in this case allows running this code as a WorkItem in the System Worker Threads pool, which is a pool used by legitimate software for running quick tasks.

In cases where the operating system supports DSE, the loader exploits a couple of legitimate but vulnerable drivers that allow writing to MSR registers. Successful exploitation of the drivers allows setting in the MSR_LSTAR register a handler that, after running Sleep, calls Cahnadr:

In order to evade patch protection, the handler restores the original MSR register.

This loader leverages the following drivers:

312E31851E0FC2072DBF9A128557D6EF Goad.sys – driver for x86 systems
5F9785E7535F8F602CB294A54962C9E7 SpeedFan.sys – CVE-2007-5633
9a237fa07ce3ed06ea924a9bed4a6b99 Sandra.sys – CVE-2010-1592
978CD6D9666627842340EF774FD9E2AC ElbyCDIO.sys – CVE-2009-0824

It is important to mention that the digital signatures in these drivers are still not revoked.

All the drivers above are loaded into the kernel directly by creating the required keys in the registry and calling the ntdll!NtLoadDriver function. The service key name in the registry starts with the PCX* prefix.
Cahnadr – main kernel-mode payload

This payload can be considered the main orchestrator, running in kernel mode and providing the necessary capabilities for all the other, user-mode payloads. This component is responsible for different features, including:

1. Anti-debugging actions and checking if the kernel is patched or not
2. Calling system services directly to hide malicious activities
3. Hooks KTHREAD.ServiceTable for threads
4. Rootkit actions for hiding traffic
5. Injecting user-mode payload (main malicious payload) into services.exe
6. Providing malicious API for user-mode modules
7. Providing communications via network
8. Notifying GollumApp payload about process-related events, providing interfaces for manipulating their memory
9. Monitoring all network devices
10. Providing sniffer functionality on the following protocols: ARP, TCP, UDP, DNS, ICMP, HTTP

Anti-debug techniques include:

• If the kernel is already being debugged, it calls KdDisableDebugger(), terminating the debugging process
• It hooks the LiveKd debugger driver's routines IRP_MJ_CREATE, IRP_MJ_READ, FastIoDeviceControl
• Installs notifiers to monitor PsSetLoadImageNotifyRoutine. If the LoadImageNotify event happens when LiveKdD.sys is loaded, the module patches the entry point so that it leads to the error STATUS_FAILED_DRIVER_ENTRY

In order to detect if the kernel is patched, it checks the kernel image in memory against the following kernel files on disk:

• \\SystemRoot\\system32\\kernel_name
• \\SystemRoot\\LastGood\\system32\\kernel_name
• \\SystemRoot\\$*\\system32\\kernel_name

For newer x32 versions it also checks win32k.sys at the same paths.

It is important to note that Cahnadr checks only the CheckSum and TimeStamp values for the kernel image in memory. If one of them is different, it means that the kernel was patched, and it terminates its execution.

Actually, it needs an unpatched kernel and win32k.sys to get the original functions from KeServiceDescriptorTable and KeServiceDescriptorTableShadow, which will be used to directly interact with system services and for hooking the KTHREAD.ServiceTable on x32 systems.

In order to hide calls, it can associate system services to some Zw*, Rtl*, Nt* functions. Instead of taking the addresses for these functions from the SSDT, Cahnadr extracts them from the kernel image on disk for unpatched kernels.

It also implements code to find a function address by its name by comparing exported routines from ntdll and ntoskrnl addresses: if the address of the exported function is the same as the system service address, it means the address was correctly found.

Ntdll.dll exported function addresses are also taken from the image stored on disk to avoid hooks set by other programs.

For routines not directly operating with system services, Cahnadr has a hardcoded list:

Not all functions are mandatory to be found; there is a flag for each of them. All listed routines are used for injecting malicious code into user-mode processes.

For newer x32 versions this list was highly extended, adding debug-related functions and functions for suspending and resuming threads and processes.

For x32 systems, Cahnadr hooks KTHREAD.ServiceTable. It copies the KeServiceDescriptorTable and KeServiceDescriptorTableShadow, then fills the copy with the original handlers restored from disk and changes the address in KTHREAD.ServiceTable to point to the new structure. This is used to inject threads into user mode: once a component is injected as a separate thread, Cahnadr patches its KTHREAD.ServiceTable with the original handlers in order to hide its malicious functionality and avoid possible installed hooks.

Cahnadr also provides the following API functionality:

• Direct disk access: read/write by raw offset, defragmentation ban, etc. These routines are used for working with the virtual file system
• Read/write into memory by raw address
• Routines for injecting code into a process as a separate thread. It is possible to set the thread state and choose the preferred routine for creating the thread (NtCreateThreadEx or NtCreateThread). For GollumApp it is obligatory to use NtCreateThread
• Get the access token by process_id
• Get the SERVICE_DESCRIPTOR_TABLE address
• Get the DRIVER_OBJECT object pointer by driver name
• Get detailed information about processes opened in csrss.exe (start time, time in kernel mode, time in user mode, number of calls to ZwRead and ZwWrite, amount of data received/sent via ZwRead/ZwWrite)
• Get a handle for process_1 in process_2. In other words, opens process_1 from process_2. This way process_2 gets the handle of process_1
• Close a handle that belongs to any process
• Provides network functionality: add a new network-related task, delete an old one, turn on/off a network task, send information about all active network tasks to GollumApp
• Hooks the ServiceTable in KTHREAD in the specified thread or process (only on x32), providing: setting/deleting a hook by ThreadID, setting/deleting a hook for all threads by PID, checking if a thread/process was hooked
• Sets time to sleep before shutdown

Cahnadr calls the PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine routines in order to automate installing hooks. Created processes will be hooked if their parent process was hooked, as will threads if their process was hooked.

Shutdown notifications are detected by calling the IoRegisterShutdownNotification routine. When a notification is received, it is sent to GollumApp with the time that GollumApp can spend for completion. While GollumApp works, Cahnadr sleeps.

It installs bugcheck notifications by calling the KeRegisterBugCheckReasonCallback routine. When a notification is received it calls KeBugCheck with the undocumented POWER_FAILURE_SIMULATE parameter, which is a way to reboot from kernel mode without a BSOD and crash dump. This way, in case a fatal error occurs, Cahnadr reboots the system without creating a memory dump on disk.

The communication between kernel and user mode modules is implemented in different ways for x32 and x64 components.

In x64 components Cahnadr sets IRP request handlers for the ‘null.sys’ driver. Each handler contains a ‘jmp’ operation to the malicious code located in the ‘null.sys’ image in memory. This is how hooks are typically set in this APT, making them harder to detect. Also, the authors decided to use the IRP requests shown in the picture below:

While null.sys uses:

However, malicious and legitimate IRP handlers have a conflicting component, as both null.sys and Cahnadr can process requests to IRP_MJ_CLOSE. That's why only one hook and three ordinary handlers are set. After that, user mode modules can send data to Cahnadr by calling CreateFile(\\\\.\\NUL, …) + DeviceIoControl.

In x32 components another approach was used. Cahnadr registers a RegistryCallback routine by calling CmRegisterCallback to monitor all operations in the registry. When any user mode module sends something to Cahnadr, it sets the ArbitraryUserPointer field of the TIB to point to the related data, starting with 0x2BADD00D, and then calls RegEnumKeyW, which triggers the kernel mode callback.

The kernel mode registry callback checks that the registry operation is RegNtEnumerateKey and then looks for 0x2BADD00D:

If found, Cahnadr handles the command and returns the result to the buffer used in the request.
Kernel-mode networking module

Cahnadr hooks the following routines in order to hide its traffic, perform different tasks and provide additional functionality for the user mode components:

• ndis!NdisMSendNetBufferListsComplete
• ndis!NdisMIndicateReceiveNetBufferLists

These routines are callbacks run by network drivers to notify handlers of all data sent or received. The function lists in PNET_BUFFER_LIST all packets and their related event. Cahnadr checks if there are Slingshot-related packets in this list, and if so, removes them. Let's explain this in more detail:

The trick is that all the malware traffic is allocated from a particular pool that allows discriminating it from other benign calls. NdisAllocateNetBufferListPool creates the pool, and each NET_BUFFER_LIST is allocated from it by calling NdisAllocateNetBufferAndNetBufferList. When the network driver sends data, it gets into such a NET_BUFFER structure, which in turn gets into a NET_BUFFER_LIST. The callback routine NdisMSendNetBufferListsComplete, which gets the NET_BUFFER_LISTs with data successfully sent, is hooked. The malware simply checks if any entry in the NET_BUFFER_LIST was allocated from the malware pool and, if so, will simply not return it to the original handler.

This sniffer has a list of tasks, each one associated with a list of handlers. Inbound and outbound packets are examined and passed to the appropriate task's processor, which calls all handlers associated with the task. The result determines whether the malware should hide the packet.

We have seen three types of task:

HTTP: This is the only handler that notifies GollumApp (user mode payload, described below) that HTTP data is being transferred.

ARPf: (two handlers for this type). The first one notifies GollumApp when an ARP request is received and/or when an ARP response is sent. The second one stores this information in its internal storage, collecting information about the network structure. This task is enabled by default.

IP2f: (two handlers of this type). The first one checks if the packet comes from the malware operators, only to decide whether the packet should be hidden. This is decided by XORing the two Timestamps values from the Options field in the TCP header (RFC 1323, code 0x080A). If the result is equal to 0xDEADF00D then this packet should be hidden.

The second one notifies GollumApp that some TCP/UDP or ICMP packets that suit malicious filters were found.

For instance, for TCP traffic this filter uses the same described XOR procedure with the constant 0xDADAE000, sending GollumApp the seqNumber, ackNumber and srcport values.

For UDP, packets with a length of 0x55 bytes containing DNS responses, it checks that the field dns.Identifier equals 0x212. In that case, the packet is hidden and GollumApp is notified with the resolved IP and TTL of the packet.

For ICMP, packets containing the «Destination port unreachable» error, it checks that the overlying protocol contains the constant 0xE17F (57727). In that case, GollumApp is notified with ip.Destination, ip.identification, ip.length.

This task is enabled by default.

The malware identifies HTTP traffic by checking the ACK flag in the TCP protocol, and by finding the HTTP signature in the TCP packet body. This task is disabled by default, however GollumApp can enable it.
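Because the IP2f markers are fixed constants, the same checks the implant applies to hide its traffic can be turned around and run over captured packets to find it. The following is an added example, not code from the report or from Slingshot: it re-implements the TCP Timestamps XOR test (0xDEADF00D to hide, 0xDADAE000 to notify with seq, ack and source port) and the DNS-response test (dns.Identifier 0x212) over raw IPv4 packets. All packets are constructed; the report does not say which length the ‘0x55 bytes’ refers to, so the IPv4 total length is assumed here.

```python
"""Defender-side re-implementation of the IP2f sniffer checks the report
describes, for raw IPv4 packets (e.g. pulled from a pcap).  Added example;
packets below are constructed, constants are those quoted in the report."""
import struct

TS_HIDE = 0xDEADF00D     # TSval ^ TSecr: operator traffic, hidden from the host
TS_NOTIFY = 0xDADAE000   # TSval ^ TSecr: GollumApp gets seq, ack and src port
DNS_ID_MARKER = 0x212    # dns.Identifier of a tasked DNS response
DNS_PKT_LEN = 0x55       # IPv4 total length of such a response (assumption)


def tcp_timestamps(seg):
    """Return (TSval, TSecr) from the TCP Timestamps option (kind 8, length 10,
    the 0x080A the report mentions), or None if the segment carries none."""
    data_off = (seg[12] >> 4) * 4
    opts, i = seg[20:data_off], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                           # truncated or malformed option
        if kind == 8 and opts[i + 1] == 10:
            return struct.unpack("!II", opts[i + 2:i + 10])
        i += opts[i + 1]
    return None


def skip_dns_name(msg, off):
    """Return the offset just past a DNS name, compressed or not."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                # two-byte compression pointer
            return off + 2
        off += 1 + n


def classify(pkt):
    """Apply the IP2f checks to one IPv4 packet.  Returns (verdict, details)
    for Slingshot-marked traffic and None for everything else."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    payload = pkt[ihl:total_len]
    if proto == 6:                                      # TCP
        ts = tcp_timestamps(payload)
        if ts is None:
            return None
        sport, dport, seq, ack = struct.unpack("!HHII", payload[:12])
        marker = ts[0] ^ ts[1]
        if marker == TS_HIDE:
            return ("hide", {"sport": sport, "dport": dport})
        if marker == TS_NOTIFY:
            return ("notify-tcp", {"seq": seq, "ack": ack, "sport": sport})
    elif proto == 17 and total_len == DNS_PKT_LEN:      # UDP of the tasked size
        dns = payload[8:]
        txid, flags = struct.unpack("!HH", dns[:4])
        if txid != DNS_ID_MARKER or not (flags & 0x8000):   # QR bit: response
            return None
        off = skip_dns_name(dns, 12) + 4                # past QNAME, QTYPE, QCLASS
        off = skip_dns_name(dns, off)                   # answer NAME
        if len(dns) < off + 14:
            return None                                 # no complete A record
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        if rtype == 1 and rdlen == 4:                   # A record
            ip = ".".join(str(b) for b in dns[off + 10:off + 14])
            return ("notify-dns", {"ip": ip, "ttl": ttl})
    return None


# --- constructed test traffic ---------------------------------------------
def ipv4(proto, payload, src=b"\xc0\xa8\x58\x01", dst=b"\xc0\xa8\x58\x64"):
    """IPv4 header around payload; checksum left 0, it plays no part here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                       64, proto, 0, src, dst) + payload


def tcp_with_timestamps(tsval, tsecr, sport=44321, dport=443, seq=0x1000, ack=0x2000):
    opts = b"\x01\x01" + struct.pack("!BBII", 8, 10, tsval, tsecr)   # NOP NOP TS
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      (5 + len(opts) // 4) << 4, 0x10, 65535, 0, 0)
    return ipv4(6, hdr + opts)


def dns_response(txid, ip=b"\x0a\x00\x00\x05", ttl=300):
    qname = b"\x07updates\x0bexample-cdn\x03com\x00"   # 25-byte constructed name
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ip
    dns = hdr + question + answer                       # 57 bytes -> IPv4 len 0x55
    return ipv4(17, struct.pack("!HHHH", 53, 51000, 8 + len(dns), 0) + dns)


if __name__ == "__main__":
    for pkt in (tcp_with_timestamps(0x12345678, 0x12345678 ^ TS_HIDE),
                tcp_with_timestamps(100, 200), dns_response(DNS_ID_MARKER)):
        print(classify(pkt))
```

Ordinary TCP segments carry timestamps too, so only the XOR result matters; a benign segment such as the (100, 200) pair above classifies as None.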
Additionally, this kernel mode module provides the following functionality for user mode components:

• ARP query: obtains the MAC address for a specified IP address. Requires a network interface as a parameter
• ARP reply: sends its own MAC address as a response to a specified ARP request, regardless of whether the IP from the request and the infected computer are the same or not
• Sends a custom network packet, where all fields can be customized from the Ethernet layer
• Sends a custom IPv4 packet

Cahnadr supports the IEEE 802.11 standard, allowing it to operate with WiFi frames.

Network interfaces are traced using Plug-and-Play notifications with EventCategory PNPNOTIFY_DEVICE_INTERFACE_INCLUDE_EXISTING_INTERFACES. When a network interface change event happens, all hooks listed above apply and Cahnadr checks the category of the new interface (bridge/wan/lan). Depending on the type of interface, it gets different data that is written in the malware's storage:

• Ethernet: MAC address and maximum frame size
• Wireless (802.11): Access Point MAC address and authentication state
User mode payloads

GollumApp

This payload (named after the famous character from The Hobbit) is the main user mode payload, orchestrating activities of other modules and having a constant interaction with the kernel mode Cahnadr orchestrator.

Initially it is injected into services.exe as a separate user mode thread: first it allocates the memory, then writes the module and creates the thread. After that, it calls CsrCreateRemoteThread in the context of csrss.exe for creating the new thread in services.exe, which is typical for creating new user mode threads from ring 0. This is done in this way because the malware works directly with system services.

The following summarizes its functionality:

● Collects network-related information: routing tables, configuration, information about proxy servers and AutoConfigUrl settings
● Collects notifications about all changes in the routing table and/or changing interface IP address
● Handles IO requests for the encrypted file system
● Contains various command processors for communication with the C&C
● Collects all passwords saved in Mozilla and IE
● Can work with the clipboard
● Can log all pressed keys
● Collects information about hard disk partitions
● Collects information about USB devices and sends notifications when a new device is connected
● Can run a new process with SYSTEM privileges as a child of smss.exe
● Injects the malicious module SsCb into a specified process
SsCB

This module provides the following features:

• Makes screenshots of a specified window, or the whole desktop
• Steals data from the clipboard
• Collects information about opened windows: title, size, position
• Can close any window by sending a WM_CLOSE message
• Shows a specified window by calling ShowWindow
• Collects information about the active desktop, active window, name of the process that created this window, title of the window, keyboard layout
ffproxy

Collects information related to proxy settings for all Mozilla profiles.

• From pref.js: Collects HTTP and SSL proxies, autoconfig_url (contains a local or remote URL to the Proxy Auto-Configuration file, for instance, when proxy settings are managed remotely)
• From signons* files: retrieves domain, port and username with passwords, if available
  • signons.sqlite for 3.5-32.0 versions
  • signons3.txt for 3.0-3.5 versions
  • signons2.txt from 1.5.0.10 and 2.0.0.2 to 3.0 versions
  • signons.txt for lower versions
NeedleWatch

This component is injected in almost all processes using the couple GollumApp and Cahnadr. It spies on the content of the buffers passed to the following functions:

• Functions that draw text
  • gdi32!ExtTextOutW
  • gdi32!ExtTextOutA
  • gdi32!TextOutA
  • gdi32!TextOutW
• Functions that write to the Console
  • kernel32!WriteConsoleA
  • kernel32!WriteConsoleW
• Function used for rendering unicode text by the Uniscribe library
  • usp10!ScriptShape
• Function used for rendering text by DirectWrite
  • dwrite!DWriteFontFace::GetGlyphIndicesW
• Functions used for encryption and decryption by SSP (Security Support Provider)
  • secur32!EncryptMessage
  • secur32!DecryptMessage
• Functions from Netscape Portable Runtime
  • nspr4!PR_GetUniqueIdentity
  • nspr4!PR_Read
  • nspr4!PR_Write

The implementation is based on hooks. Each hook is set as one of the privileged instructions placed at the beginning of the function. Before placing hooks, NeedleWatch registers an exception handler by calling AddVectoredExceptionHandler, so when the hooked function is called, the first instruction raises an exception which is handled by NeedleWatch. In the malware exception handler NeedleWatch calls the original function and extracts all the sent/received data.

Functions from the secur32 and nspr4 modules are the most interesting ones.

EncryptMessage and DecryptMessage are functions of the Security Support Provider Interface, not linked to any Security Support Provider in particular, so hooking these functions allows NeedleWatch to spy on every provider: Digest, Kerberos, NTLM, Schannel, or any other one.

NeedleWatch can also read encrypted Mozilla traffic as follows: Netscape Portable Runtime (NSPR) provides a platform-neutral API for system level and libc-like functions. The API is used in Mozilla clients, many of Red Hat's and Oracle's server applications, and other software. In I/O, NSPR operates with file descriptors that can be layered. When read/write operations occur, NeedleWatch checks the layer of the file descriptor and if it is NSS (Network Security Services), SSL or any other SSL-based layer, NeedleWatch stores the data from the buffer sent in the I/O operation.
Sfc2

Disables Windows file protection, making the sfc.exe utility believe that the patched disk system library (scesrv or spoolsv) is not patched.

This is possible by patching wcp.dll in the TrustedInstaller.exe process. Based on the exported wcp!RtlParseManifestMicrodomIntoCdf function, Sfc2 searches for the address of the non-exported wcp!GetRootElement function and calls it in order to retrieve the _XMLWALK_ELEMENT_DECL structure. Once returned, this structure will be patched at the 0x34 offset with 0 instead of 0x1E.

In the x64 version it hooks ZwCreateFile and ZwOpenFile in the same way as described in the NeedleWatch section. If the hook handler finds that the file object name passed to the function points to the scesrv.dll library in the system or in the winsxs directory, the malware changes the object name to the scesrv.dll located in the winsxs\backup directory. So, when the process is trying to check the patched scesrv, the hooks make it so that an unpatched backup file is checked instead.
Additional Technical Details

After analyzing the main components of this framework, we still want to highlight some specific technical details and especially interesting related artifacts in this section.

Packer

All samples are packed with a previously unknown packer that transforms a custom PE sample into base-independent code. This way, the packer allows the attackers to compile new components of this APT as ordinary PE files and, after unpacking, use them as base-independent code.

That helps to embed them into other samples, among other advantages, such as easy process injection or infecting system libraries. Other typical advantages such as smaller code and hiding functionality are also provided.

After packing, the resulting structure is as follows:

1. Header, 0x400 bytes long
2. Unpacker stub
3. Data for unpacking

The header, initial base-independent code and all data that is necessary for unpacking are shown below:

Some of the reserved parameters will be used internally by the unpacker, others are there for future improvements. In later versions of this packer, module and section names are encrypted by a simple XOR-based algorithm.

The value at offset 0x198 contains the virtual address of the first section descriptor. Each section is represented in this structure with six fields: section RVA, characteristics, real size, packed size. If the real size is not equal to the packed size, it means that this section is encrypted. The last two fields are reserved. After the descriptor, there is a data section, followed by more descriptors with the same structure.

The packing algorithm is based on the aPLib compression library:

1. Packs each section with aPLib compression
2. Replaces the original PE header with a new one generated by the packer
3. Adds a stub with the decrypt routine

The base-independent code decrypt routine works as follows:

1. Obtains the addresses of the GetProcAddress & LoadLibrary functions
2. Allocates memory for the original unpacked PE file
3. Unpacks all sections and writes them in the allocated memory
4. Sets rights for each section by calling VirtualProtect
5. Restores the original import table
6. Fixes relocations; works with exceptions: for x64 images adds exception handlers (RtlAddFunctionTable), for x32 patches ntdll!RtlIsValidHandler so it always returns true
7. Wipes all headers and returns execution to the original entry point
SlingDll.Dll and Minisling modules

For some victims we found that attackers did not use Slingshot. Instead, they used two components named SlingDll.dll and Minisling.

SlingDll is typically located in the system32 folder as a standalone DLL with a random name and loaded by svchost via COM Object hijacking (CLSID=6C19BE35-7500-11D1-AD94-00C04FD8FDFF). It uses module_id 0xFF000008 for fixing the SlingDll.dll export table at runtime. Then it obtains the path to a MZPE sample from module_id 0xFF000008:

and fills the export table with links to the exported routines of this file (DLL forwarding). This way, when SlingDll.#1 is called, esscli.#1 will be run. The export table in memory looks like this:

SlingDll.dll also uses a smart trick. Its image in memory looks initially like this:

Then it copies the whole image to the heap and calls UnmapViewOfFile to unload the SlingDll.Dll image. After that, it allocates new memory by calling VirtualAlloc with the same start address and size that the unloaded image had. Finally, the malware copies all data from the heap back to the allocated memory, resulting in the following:

At that moment the image is unloaded but keeps working because the ImageBase is the same.

The last thing that SlingDll.dll does is run the Minisling module.

Minisling uses a global mutex (Global\{6D29520B-F138-442e-B29F-A4E7140F33DE}) to ensure it is run only once. It checks if one of the following drivers is loaded into memory: DepFrzLo.sys, DeepFrz.sys, DfDiskLo.sys; and if none is found it checks how many times the operating system was rebooted before correctly shutting down. This is done by comparing EventRecordID from ETW logs: the malware gets this value by sending XML requests with EventID=12 and Provider.Name=Microsoft-Windows-Kernel-General in order to obtain the last reboot time, and with EventID=41 and Provider.Name=Microsoft-Windows-Kernel-Power to obtain the last unsuccessful attempt to turn the machine off.

When the limit of reboots is reached, Minisling deletes itself. In cases when the computer was successfully rebooted, the counter is set to 0. If one of the drivers listed above is loaded or if the counter limit is not reached, Minisling starts finding and executing loaders in the same sequence as previously described.
Infected Mikrotik Device - chmhlpr.dll

Mikrotik is a Latvian network hardware provider. For managing their routers, this company provides customers with software called WinBox that downloads a number of DLLs from the router's file system and loads them directly into the computer memory. This is its normal behavior by design.

A library called ip4.dll was added onto the router by the attacker. After it was added, the Winbox software started to download and run it – we are not sure why.

During our research, we found several victims whose Mikrotik routers were hacked, resulting in the router returning a suspicious ip4.dll file with the internal name chmhlpr.dll. Indeed, this DLL is a Trojan-Downloader related to Slingshot.

That makes us believe that Slingshot is able to target victims by directly infecting Mikrotik routers in order to abuse this mechanism used by WinBox. We do not know how these routers were compromised, however Wikileaks' Vault7 describes the use of the ChimayRed exploit to compromise such devices. The exploit is now available on GitHub.

Mikrotik's official forum declares that this exploit only works until RouterOS v.6.38.4, however this particular victim was running version 6.38.5 of the firmware, making it unclear whether this version is still vulnerable or if attackers used a different one. We contacted Mikrotik and reported this attack procedure. According to Mikrotik, the latest versions of WinBox no longer download the ipv4.dll file from the router, closing the attack vector.

The following table summarizes malicious ipv4.dll files abusing this method:

MD5 Size File location
042CC382ACB5B2B70C78BAA77BB7C5F9 43520 %AppData%\Roaming\mikrotik\winbox\5.20-3610090039\ipv4.dll
AFAFF3310D8C094774DA6BA856C1A30E 43520 %AppData%\Roaming\Mikrotik\Winbox\5.20-3610090039\ipv4.dll
01C85EE057B6B529891C0A4275A642DA 43520 %AppData%\Roaming\Mikrotik\Winbox\6.33.1-1338332867\ipv4.dll
87A28A99697452A37FC229B3AA3AFE97 43520 %AppData%\Roaming\mikrotik\winbox\6.38.5-3172206015\ipv4.dll
chmhlpr.dll downloads a malicious packed MZPE to execute. This library has four hardcoded parameters:

• IP for downloading the payload. In the sample that we found, the payload was located in the same compromised Mikrotik router (192.168.88.1).
• Port to connect to (4443 in our sample).
• Number of connection attempts (3 in our sample).
• Delay between attempts, in seconds (90 seconds in our sample).

If no IP is hardcoded, it waits for an incoming connection on the specified port.

Once it gets a connection it sends the magic value 0x43237FB2 and waits for the packed module. It checks for a constant at the 0x84 offset, looking for 0xDEADF00D in order to unpack and load this code. Then it shares the socket of the established connection with the new module and runs it.

The downloader can also use proxy information detailed in: *UserSID*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

It searches for proxy credentials in:

• Windows protected storage, where the ItemName parameter contains the proxy domain
• Credentials from IE as documented here
KPWS

There is a second Trojan-Downloader called ‘kpws’ designed to download another Slingshot component and run it. Unlike chmhlpr, it can't connect over proxies, can't listen for a connection, its parameters are set in the cmdline (embedded in the packed MZPE) and it actively uses logging.

The main difference, however, would be the magic constant sent as the first packet, set to 0xC0FFEE43. This tool contains a reference to Smeagol (Gollum's original name in The Lord of the Rings), which actually refers to GollumApp.
Additional downloaders

‘Rc’ downloader

This component named ‘rc’ has the same input parameters as chmhlpr.dll and the same output as kpws. It provides the following functionality:

• Resolves environment variables.
• Sends info about files in a directory: path, size, date modified.
• Writes files, sends files.
• Sends info about running processes: PID, PPID, creation time, name of the executable file for the process, account name with domain, whether the process runs under Wow64.
• Terminates a process by PID.
• Impersonates a user by login and password received from the server or by process PID.
• Reverts to self after impersonation.
• Creates a process. If impersonation was successful then creation takes place on behalf of the impersonated user.
• Communicates with the created process.
• Sends the name of the local computer, Windows version, build number, installed service pack.
• Sends the user name.
• Migrates to another process: infects a process by PID with itself in memory. The socket connected to the server is passed too.
• Migrates to another process: the path to the process to be created is received from the server. The injection is only in memory. The socket connected to the server is passed too. When injected, the malware downloads and runs the next Slingshot component.
• Downloads and configures a new module, then runs it in a new thread in the current process. All logging of the new module will be sent to the server.

The configuration of a new module can only be done through the command line (embedded in the header of the packed component) and consists of receiving it from the C2 server, parsing it and inserting it into the downloaded sample.

This seems a strange behavior, as there is no need to do all this on the victim side.

Interestingly, ‘rc’ logs in some victims showed connections to the 2869/1900/5431 ports, linked to vulnerabilities in older UPnP implementations. This might be another clue that the attackers used vulnerable routers as an infection vector.
Sporkdownloader Thisisthelastdownloaderwehavefound,quitedifferentfromtheonesdescribedabove:
Notasinterestingasitsmainduty(downloadsandrunapayload)isitsimplementation.Thismoduleintroducesaruleenginewithembeddedserializedrules.ThisisintendedtofindsomePersonalSecurityProducts(PSPs)thatsuittherulesamongthestartedprocesses.Thisisusedtodecidetowhichprocesstheembeddedmaliciousshellcodewillbeinjected.
Rulesareserializedaccordingthefollowingscheme:
• Bytecount_rules,count_PSPs. • Ruleall_rules[count_rules](6or8bytesperruledependingonsporkversion-yellow). • Shortoffsets_to_PSP_names[count_PSPs](purple). • CharPSP_names[count_PSPs][](green).
Eachruleconsistsof6fields:
• ProcessnameofthePSPrepresentedasindexinoffsetsarray. • Arrayofnamesofprocessestoinjecttoasindexviewtoo(somebelowwillbedescribed). • MinversionofthePSP. • MaxversionofthePSP. • Flags:forexample,x32/x64. • Typeusedasresultwhenrulewasfound.
Sporkenumeratesallthestartedprocesses,checkingeachofthemwitheachrule.Ifanyprocessmatchesatleastoneofthem,itdecideswhethertoinjectcodeintoitdependingonthetypeofthematchedrule.Typecanbeanyofthefollowingvalues:
• Type0:default • Type1:error • Type2:injectintomatchedPSP • Type3:injectintolsass.exe • Type4:injectintowinlogon.exe • Type5:injectintosvchost.exe • Type6:injectintoprocessspecifiedinsecondfieldofmatchedrule
Ifnoprocessmatchesanyrules,thenthedefaultprocess‘svchost.exe’isusedforinjection.
Matching a process against a rule can be summarized as follows:

• The process name is equal to the PSP name in the rule
• The version of the PSP is inside the bounds specified in the rule
• The process satisfies all flags that are set in the rule
The version of the PSP is determined by a sequence of calls to GetFileVersionInfo and VerQueryValue to obtain the dwProductVersionMS field, which contains the version number of the product this file (PSP) was distributed with.
The following table summarizes the found PSPs with the process to inject into:

found PSP name      versions  bitness  process to inject
avfwsvc.exe         00-ff     x32      avguard.exe
avfwsvc.exe         00-ff     x64      inssda64.exe
avgtray.exe         00-ff     x32      avgtray.exe
avgtray.exe         00-ff     x64      avgsrmaa.exe
avp.exe             01-07     x32-x64  winlogon.exe
avp.exe             08-0c     x32      avp.exe
avp.exe             08-0c     x64      lsass.exe
avp.exe             0d-0d     x32-x64  lsass.exe
avastui.exe         00-ff     x32      avastui.exe
avastui.exe         00-ff     x64      winlogon.exe
avgnt.exe           00-ff     x32      avguard.exe
avgnt.exe           00-ff     x64      inssda64.exe/avshadow.exe
avgui.exe           00-ff     x32-x64  winlogon.exe
bdagent.exe         00-ff     x32-x64  bdagent.exe
cfp.exe             00-ff     x32-x64  cfp.exe
casc.exe            07-08     x32-x64  svchost.exe
casc.exe            05-06     x32-x64  error
defenderdaemon.exe  00-ff     x32-x64  error
egui.exe            00-ff     x32-x64  default-svchost.exe
fsdfwd.exe          00-ff     x32-x64  default-svchost.exe
mcagent.exe         00-ff     x32-x64  winlogon.exe
rstray.exe          00-ff     x32      rstray.exe
rstray.exe          00-ff     x64      error
rtvscan.exe         00-ff     x32-x64  default-svchost.exe
tmproxy.exe         00-ff     x32-x64  tmproxy.exe
umxcfg.exe          07-08     x32-x64  default-svchost.exe
umxcfg.exe          05-06     x32-x64  error
zlclient.exe        00-ff     x32-x64  error
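To make the serialization scheme and the matching rules above concrete, here is an added example (my own code, not the report's and not Slingshot's) that packs a small rule database in the 6- or 8-byte layout and then evaluates the three matching conditions and the type table against a list of processes. The sample rules mirror a few rows of the table, but the type values assigned to them, the first-match iteration order, and the reduction of dwProductVersionMS to a single version byte are assumptions; flag values follow the rules-viewer script in Appendix I (1 = x32, 2 = x64, anything else = both).

```python
"""Spork-style rule database: serializer plus rule-engine evaluation (added example)."""
import struct
from dataclasses import dataclass
from typing import List

# Rule types, as listed in the report.
T_DEFAULT, T_ERROR, T_PSP, T_LSASS, T_WINLOGON, T_SVCHOST, T_SECOND = range(7)
# Flag values as the report's viewer script reads them: 1 = x32, 2 = x64, else both.
FLAG_ANY, FLAG_X32, FLAG_X64 = 0, 1, 2


@dataclass
class Rule:
    psp: int            # index of the PSP name in the name table
    inject: List[int]   # name indexes used by type 6; 8-byte rules carry up to three
    min_ver: int
    max_ver: int
    flags: int
    rtype: int

    def encode(self, rule_size: int) -> bytes:
        """Pack one rule in the 6-byte or 8-byte layout."""
        if rule_size == 8:
            inj = (self.inject + [0, 0, 0])[:3]        # unused slots are zero
            return bytes([self.psp, *inj, self.min_ver, self.max_ver, self.flags, self.rtype])
        if rule_size == 6:
            return bytes([self.psp, self.inject[0], self.min_ver, self.max_ver, self.flags, self.rtype])
        raise ValueError("rule_size must be 6 or 8")


def serialize_db(rules: List[Rule], names: List[str], rule_size: int = 8) -> bytes:
    """count_rules, count_PSPs, rules[], short offsets[] (absolute), NUL-terminated names."""
    body = b"".join(r.encode(rule_size) for r in rules)
    cursor = 2 + len(body) + 2 * len(names)            # first name follows the offsets
    offsets, table = [], b""
    for name in names:
        offsets.append(cursor)
        blob = name.encode("ascii") + b"\x00"
        table += blob
        cursor += len(blob)
    return bytes([len(rules), len(names)]) + body + struct.pack("<%dH" % len(names), *offsets) + table


@dataclass
class Proc:
    name: str
    version: int        # assumption: one byte derived from dwProductVersionMS
    is_x64: bool


def rule_matches(rule: Rule, proc: Proc, names: List[str]) -> bool:
    """The three matching conditions: name, version bounds, bitness flags."""
    if proc.name.lower() != names[rule.psp].lower():
        return False
    if not rule.min_ver <= proc.version <= rule.max_ver:
        return False
    if rule.flags == FLAG_X32 and proc.is_x64:
        return False
    if rule.flags == FLAG_X64 and not proc.is_x64:
        return False
    return True


def resolve_target(rule: Rule, names: List[str]) -> str:
    """Map the matched rule's type to the image spork would start."""
    if rule.rtype == T_ERROR:
        return "error"
    if rule.rtype == T_PSP:
        return names[rule.psp]
    if rule.rtype == T_LSASS:
        return "lsass.exe"
    if rule.rtype == T_WINLOGON:
        return "winlogon.exe"
    if rule.rtype == T_SECOND:
        return "/".join(names[i] for i in rule.inject)
    return "svchost.exe"                               # T_DEFAULT and T_SVCHOST


def select_target(rules: List[Rule], names: List[str], procs: List[Proc]) -> str:
    """First matching (process, rule) pair wins (assumed order); default svchost.exe."""
    for proc in procs:
        for rule in rules:
            if rule_matches(rule, proc, names):
                return resolve_target(rule, names)
    return "svchost.exe"


# Constructed sample mirroring a few rows of the table above (types are illustrative).
SAMPLE_NAMES = ["avp.exe", "casc.exe", "avguard.exe", "avfwsvc.exe"]
SAMPLE_RULES = [
    Rule(0, [0], 0x01, 0x07, FLAG_ANY, T_WINLOGON),    # avp.exe 01-07 -> winlogon.exe
    Rule(0, [0], 0x08, 0x0c, FLAG_X32, T_PSP),         # avp.exe 08-0c x32 -> avp.exe
    Rule(0, [0], 0x08, 0x0c, FLAG_X64, T_LSASS),       # avp.exe 08-0c x64 -> lsass.exe
    Rule(1, [1], 0x05, 0x06, FLAG_ANY, T_ERROR),       # casc.exe 05-06 -> error
    Rule(3, [2], 0x00, 0xff, FLAG_X32, T_SECOND),      # avfwsvc.exe x32 -> avguard.exe
]

if __name__ == "__main__":
    print(serialize_db(SAMPLE_RULES, SAMPLE_NAMES).hex())
    print(select_target(SAMPLE_RULES, SAMPLE_NAMES, [Proc("avp.exe", 0x09, True)]))
```

The bytes produced by serialize_db() follow the same layout the Appendix I viewer script parses, so the two can be used together to build and inspect test databases when comparing samples of different spork versions.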
Instead of injecting the malicious code into already running processes, spork creates a new process of the selected image. The process is created with the following flags: hide, create no window, default cursor instead of the loading cursor, and suspended. It then creates a new section, fills it with the malicious shellcode matching the created x32 or x64 process, and patches the Entry Point so that it calls the shellcode. The last step is calling ResumeThread to run it.

The new shellcode loads the libraries it needs by parsing the PEB, connects to its C2 (specified in the cmd-line), sends it the constant 0xC0FFEE44 or 0xC0FFEE43 depending on process bitness, downloads the malware from the received answer, passes it the socket used for the connection, and runs it. Unlike all the previously described downloaders, it doesn't check for 0xDEADFOOD at offset 0x84.
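The two paragraphs above give a defender two observable points: a target image from the table being started suspended and windowless before its entry point is patched, and a C2 connection that opens with one of the 0xC0FFEE43/0xC0FFEE44 constants. The following added example (my own code, not the report's or Slingshot's) runs both checks over constructed telemetry. The event and flow field names are invented for the example, the image list is taken from the "process to inject" column of the table, CREATE_SUSPENDED and CREATE_NO_WINDOW are the documented Win32 CreateProcess flag values, and, since the report does not state the byte order of the constant on the wire, both orders are tested.

```python
"""Detection heuristics for spork's process launch and C2 handshake (added example)."""
import struct
from typing import Dict, List, Optional

# Documented Win32 CreateProcess creation flags.
CREATE_SUSPENDED = 0x00000004
CREATE_NO_WINDOW = 0x08000000

# Images from the "process to inject" column of the table above.
TARGET_IMAGES = {
    "winlogon.exe", "lsass.exe", "svchost.exe", "avguard.exe", "inssda64.exe",
    "avgtray.exe", "avgsrmaa.exe", "avp.exe", "avastui.exe", "avshadow.exe",
    "bdagent.exe", "cfp.exe", "rstray.exe", "tmproxy.exe",
}

# Handshake constants sent by the shellcode, keyed to the process bitness.
HANDSHAKE = {0xC0FFEE43: "x32", 0xC0FFEE44: "x64"}


def suspicious_creation(event: Dict) -> bool:
    """True when a table target image is started suspended and windowless."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    flags = event["creation_flags"]
    suspended = bool(flags & CREATE_SUSPENDED)
    windowless = bool(flags & CREATE_NO_WINDOW)
    return image in TARGET_IMAGES and suspended and windowless


def handshake_bitness(payload: bytes) -> Optional[str]:
    """Return 'x32'/'x64' if the first 4 payload bytes are a handshake constant."""
    if len(payload) < 4:
        return None
    for fmt in ("<I", ">I"):          # little- and big-endian (byte order is an assumption)
        value = struct.unpack(fmt, payload[:4])[0]
        if value in HANDSHAKE:
            return HANDSHAKE[value]
    return None


def triage(events: List[Dict], flows: List[Dict]) -> Dict[str, List]:
    """Run both checks and collect the hits: pids and (destination, bitness) pairs."""
    hits = {"processes": [], "flows": []}
    for ev in events:
        if suspicious_creation(ev):
            hits["processes"].append(ev["pid"])
    for fl in flows:
        bitness = handshake_bitness(fl["payload"])
        if bitness:
            hits["flows"].append((fl["dst"], bitness))
    return hits


# Constructed sample telemetry (field names are invented for this example).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "C:\\Windows\\System32\\winlogon.exe",
     "creation_flags": CREATE_SUSPENDED | CREATE_NO_WINDOW},
    {"pid": 4130, "image": "C:\\Windows\\System32\\notepad.exe",
     "creation_flags": CREATE_SUSPENDED | CREATE_NO_WINDOW},
    {"pid": 4140, "image": "C:\\Windows\\System32\\svchost.exe", "creation_flags": 0},
]
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10:443", "payload": bytes.fromhex("44eeffc0") + b"\x00" * 12},
    {"dst": "203.0.113.11:80", "payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, SAMPLE_FLOWS))
```

In production the process check needs a parent filter, because services.exe legitimately starts svchost.exe all day; winlogon.exe, lsass.exe and the PSP user-interface images, on the other hand, are rarely created suspended by anything, so hits on those are worth a look on their own.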
Victims

Using our telemetry, we were able to find almost one hundred victims, most of them based in the Middle East and Africa. The following chart shows the percentage of victims per country:
Conclusions

The discovery of Slingshot reveals another complex ecosystem where multiple components work together in order to provide a very flexible and well-oiled cyber-espionage platform. The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch, well-resourced actor. All this framework is designed for flexibility, reliability and to avoid detection, which explains why these components were not found for more than six years.

This long-term campaign seemed to be focused on Africa and the Middle East region, but obviously our telemetry only offers partial visibility and this could be just a subset.

In terms of attribution, we have not been able to find any definitive links to any previously known APTs. Some of the techniques used by Slingshot, such as the exploitation of legitimate, yet vulnerable drivers, have been seen before in other malware, such as Turla, Equation's Grayfish platform and WhiteLambert. Most of the debug messages found throughout the platform are written in perfect English. The references to Tolkien's Lord of the Rings (Gollum, Smeagol) could suggest the authors are fans of Tolkien's work.

One interesting point is the possibility of abusing Mikrotik devices (and maybe other network hardware providers) as an initial infection vector for some victims. We can't exclude other spreading methods for this campaign, given the versatility of this actor.
Appendix I - Scripts
String decryption

Instead of storing strings in raw view, some components store them in encrypted view and decrypt them when needed. This function implements the decryption and can be used for further analysis.

    def get_name(name):
        # 31-byte XOR key followed by its NUL terminator (32 bytes in total)
        key = bytearray(b'\xE0\x80\xC5\xAF\xB5\xD7\xC4\xA1\xBD\xBA\xE4\xDA\x96\xBF\x9A\x8A'
                        b'\x9A\xA8\xBE\xD2\x85\x84\xC4\xB0\xAA\xEA\xD8\xAC\xC4\xF3\xAF\x00')
        name = bytearray(name)   # accept bytes or bytearray and decrypt a copy
        size = len(name)
        # decompiled signed magic-number division by 31: ind = size % 31
        ind = ((((0xFFFFFFFF84210843 * size) // 2 ** 32) + size) % (2 ** 32) // 16)
        ind = ind + ind // 2 ** 31
        ind = size - ind * 31
        for i in range(size):
            name[i] ^= key[ind]
            # decompiled unsigned magic-number division by 31: ind = (ind + 1) % 31
            ind += 1
            tmp = (0x8421085 * ind) // 2 ** 32
            ind -= (((ind - tmp) // 2 + tmp) // 16) * 0x1F
        return bytes(name)
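The index arithmetic in get_name() is a decompiler's rendering of magic-number division by 31: the start index is len(name) % 31 and every step advances by one modulo 31, so the 32-byte blob is a 31-byte key plus its terminator and index 31 is never used. The following added example (my own code, not the report's or Slingshot's; all names in it are mine) restates that index computation, gives the plain modulo form, checks that both produce identical index sequences for every length up to 600, and provides a readable decryption helper on the same key.

```python
"""Readable form of the string decryption key schedule (added example)."""

# The same 32-byte blob as in get_name(): 31 key bytes plus a NUL terminator.
KEY = bytes.fromhex("e080c5afb5d7c4a1bdbae4da96bf9a8a9aa8bed28584c4b0aaead8acc4f3af00")
KEY_LEN = 31


def decompiled_indices(size: int):
    """Yield the key indices exactly as the decompiled arithmetic computes them."""
    # signed magic division by 31 (0x84210843, shift 4), then n - 31*q
    ind = ((((0xFFFFFFFF84210843 * size) // 2 ** 32) + size) % (2 ** 32) // 16)
    ind = ind + ind // 2 ** 31
    ind = size - ind * 31
    for _ in range(size):
        yield ind
        # unsigned magic division by 31 (0x08421085, add-and-shift form), then n - 31*q
        ind += 1
        tmp = (0x8421085 * ind) // 2 ** 32
        ind -= (((ind - tmp) // 2 + tmp) // 16) * 0x1F


def plain_indices(size: int):
    """The same sequence written as modular arithmetic."""
    for i in range(size):
        yield (size + i) % KEY_LEN


def schedules_agree(max_size: int = 600) -> bool:
    """True if both index generators agree for every length below max_size."""
    return all(list(decompiled_indices(n)) == list(plain_indices(n)) for n in range(max_size))


def xor_string(data: bytes) -> bytes:
    """Decrypt with the readable schedule; XOR is symmetric, so this also encrypts."""
    return bytes(b ^ KEY[k] for b, k in zip(data, plain_indices(len(data))))


if __name__ == "__main__":
    print(schedules_agree())
    # constructed round trip: encrypt a plaintext, then decrypt it again
    blob = xor_string(b"scesrv.dll")
    print(blob.hex(), xor_string(blob))
```

Because the routine is a plain XOR, xor_string() is convenient for building test vectors: encrypt a known string, feed the result to get_name(), and confirm the plaintext comes back.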
Spork rules viewer

As mentioned above, spork contains serialized rules used by the rules engine to check which PSP is installed. This script prints the rules in readable view for both types of databases (6 or 8 bytes per rule):

    import argparse
    import struct


    def get_byte(data, offset):
        return struct.unpack_from('<B', data, offset)[0]


    def get_short(data, offset):
        return struct.unpack_from('<H', data, offset)[0]


    class Rule:
        # 8 bytes per rule in newer spork samples, 6 in older ones; set by the caller
        rule_size = 8

        def __init__(self, raw_rule):
            self.index_process_name = get_byte(raw_rule, 0)
            self.index_process_to_inject = [get_byte(raw_rule, 1)]
            offset = 0
            if Rule.rule_size == 8:
                # 8-byte rules carry up to three inject-target indexes (bytes 1..3)
                offset = 2
                if get_byte(raw_rule, 2) != 0:
                    self.index_process_to_inject.append(get_byte(raw_rule, 2))
                if get_byte(raw_rule, 3) != 0:
                    self.index_process_to_inject.append(get_byte(raw_rule, 3))
            self.min_version = get_byte(raw_rule, 2 + offset)
            self.max_version = get_byte(raw_rule, 3 + offset)
            self.flags = get_byte(raw_rule, 4 + offset)
            self.type_of_action = get_byte(raw_rule, 5 + offset)


    class RuleDb:
        def __init__(self, input_file):
            with open(input_file, 'rb') as f:
                data = f.read()
            self.rules_count = get_byte(data, 0)
            self.strings_count = get_byte(data, 1)
            self.rules = []
            for i in range(self.rules_count):
                start = 2 + i * Rule.rule_size
                self.rules.append(Rule(data[start:start + Rule.rule_size]))
            # the short offsets array follows the rules; offsets are absolute
            offsets_base = 2 + self.rules_count * Rule.rule_size
            self.offsets = []
            self.strings = []
            for i in range(self.strings_count):
                self.offsets.append(get_short(data, offsets_base + i * 2))
                curr = start = self.offsets[i]
                while data[curr] != 0:
                    curr += 1
                self.strings.append(data[start:curr].decode('ascii'))

        def print_info(self):
            for r in self.rules:
                process_to_inject = 'svchost.exe'       # types 0 and 5
                if r.type_of_action == 1:
                    process_to_inject = 'error'
                elif r.type_of_action == 2:
                    process_to_inject = self.strings[r.index_process_name]
                elif r.type_of_action == 3:
                    process_to_inject = 'lsass.exe'
                elif r.type_of_action == 4:
                    process_to_inject = 'winlogon.exe'
                elif r.type_of_action == 6:
                    process_to_inject = '/'.join(self.strings[i] for i in r.index_process_to_inject)
                bitness = 'x32-x64'
                if r.flags == 1:
                    bitness = 'x32'
                elif r.flags == 2:
                    bitness = 'x64'
                print('PSP: %s\tversion: %02x-%02x\tbitness: %s\ttarget: %s' % (
                    self.strings[r.index_process_name], r.min_version, r.max_version,
                    bitness, process_to_inject))


    if __name__ == '__main__':
        parser = argparse.ArgumentParser()
        parser.add_argument('input_file')
        args = parser.parse_args()
        # try the 8-byte layout first and fall back to the 6-byte one on parse errors
        for rule_size in [8, 6]:
            try:
                Rule.rule_size = rule_size
                db = RuleDb(args.input_file)
                db.print_info()
                break
            except (IndexError, struct.error, UnicodeDecodeError):
                continue
Appendix II - Indicators of compromise
MD5

042cc382acb5b2b70c78baa77bb7c5f9
11ccc2c5811c80f2a796817d9ccbe34b
142970f7e10e3a49e583b2f557dcbe79
64f705e55545a371e0f5e599cfbae5e9
6637dbcc6059a1e2e45956d98a3ea590
706269c041d94c4501b78c128f1c0e70
7fb82333aa08f4bfbbfa515e7e93bad4
87a28a99697452a37fc229b3aa3afe97
afaff3310d8c094774da6ba856c1a30e
b7a2525e05769540f48733d5673a77fa
c638169aaa777d4f6eae43205a39e274
db71aed3b9ffbbfa4c49db036520ceeb
f4944c5d47907ce93819aed8c4f76bcc

More indicators are available to Kaspersky Lab private report subscribers. Please contact intelreports@kaspersky.com