win.slingshot

Slingshot


- First sighted in 2012, giving the operation roughly six years of activity before it was publicly documented.
- Attack vector: compromised MikroTik routers. Victims are infected when they administer the router with MikroTik's Winbox management client, which downloads DLLs from the router onto the administrator's Windows machine.
- Discovered and publicly reported by Kaspersky Lab in March 2018 (see references below).

Infection Vector
- Compromised MikroTik router → malicious DLL staged on the router (written as IP4.dll here; Kaspersky's report names the file ipv4.dll) → administrator connects with Winbox, which fetches DLLs from the router → the malicious DLL is downloaded to and loaded on the administrator's computer. The router is only the delivery point: the Windows implant runs on the host that ran Winbox, so the YARA rule below is meant for memory and unpacked samples from those endpoints, not for router firmware.

References
2022-01-11 — ESET Research — Michal Poslušný
Signed kernel drivers – Unguarded gateway to Windows’ core
Families covered: InvisiMole, LoJax, RobinHood, Slingshot
2018-03-20 — CyberScoop — Chris Bing, Patrick Howell O'Neill
Kaspersky's 'Slingshot' report burned an ISIS-focused intelligence operation
Families covered: Slingshot
2018-03-09 — Kaspersky Labs — Alexey Shulmin, Andrey Dolgushev, Sergey Yunakovsky, Vasily Berdnikov
The Slingshot APT FAQ
Families covered: Slingshot
2018-03-09 — Kaspersky Labs — Alexey Shulmin, Andrey Dolgushev, Sergey Yunakovsky, Vasily Berdnikov
The Slingshot APT
Families covered: Slingshot
Yara Rules
[TLP:WHITE] win_slingshot_auto (20230808 | Detects win.slingshot.)
rule win_slingshot_auto {
    // Auto-generated code-sequence signature for the Slingshot Windows
    // implant (Malpedia family win.slingshot). Each $sequence_N string is a
    // short run of x86 instruction bytes lifted from unpacked code; the '??'
    // wildcards stand for call/jmp displacements and absolute data
    // references, which differ between builds and are therefore not matched.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): 'date' is the rule emission date and malpedia_version
        // the corpus snapshot it was generated from; they are expected to
        // differ — confirm against the generator when re-issuing the rule.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.slingshot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // The per-string disassembly below is the generator's 32-bit decoding.
    // Several sequences contain a leading 0x48 byte shown as "dec eax"; if
    // the sample they came from is x64, that byte is a REX.W prefix
    // (e.g. 48 8b f0 = mov rsi, rax) — the matched bytes are the same either
    // way, only the annotation differs. Treat "score" as the generator's
    // relative weight, not a match-time weight: YARA evaluates the condition
    // only.

    strings:
        $sequence_0 = { 50 33db 53 ff15???????? 8bf0 3bf3 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   3bf3                 | cmp                 esi, ebx
            // Generic "call API(0, arg), check result against NULL" prologue;
            // common in compiler output, so weak on its own.

        $sequence_1 = { 3bcb 7512 ff7708 ff37 }
            // n = 4, score = 100
            //   3bcb                 | cmp                 ecx, ebx
            //   7512                 | jne                 0x14
            //   ff7708               | push                dword ptr [edi + 8]
            //   ff37                 | push                dword ptr [edi]

        $sequence_2 = { 48 8bf0 66895804 66897806 85ed }
            // n = 5, score = 100
            //   48                   | dec                 eax
            //   8bf0                 | mov                 esi, eax
            //   66895804             | mov                 word ptr [eax + 4], bx
            //   66897806             | mov                 word ptr [eax + 6], di
            //   85ed                 | test                ebp, ebp
            // NOTE(review): leading 0x48 — see the REX.W remark above.

        $sequence_3 = { e8???????? e8???????? 8945d8 8955dc 3bc3 7d09 52 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e8????????           |                     
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   8955dc               | mov                 dword ptr [ebp - 0x24], edx
            //   3bc3                 | cmp                 eax, ebx
            //   7d09                 | jge                 0xb
            //   52                   | push                edx

        $sequence_4 = { e8???????? ff7004 8d742420 ff30 e8???????? 395c241c 7523 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   ff7004               | push                dword ptr [eax + 4]
            //   8d742420             | lea                 esi, [esp + 0x20]
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   395c241c             | cmp                 dword ptr [esp + 0x1c], ebx
            //   7523                 | jne                 0x25

        $sequence_5 = { 8be8 49 3bc6 750f baec040000 b90e000780 }
            // n = 6, score = 100
            //   8be8                 | mov                 ebp, eax
            //   49                   | dec                 ecx
            //   3bc6                 | cmp                 eax, esi
            //   750f                 | jne                 0x11
            //   baec040000           | mov                 edx, 0x4ec
            //   b90e000780           | mov                 ecx, 0x8007000e
            // 0x8007000E is the HRESULT E_OUTOFMEMORY; this is an allocation
            // failure path and carries little family specificity by itself.

        $sequence_6 = { e8???????? 59 8d75a4 e8???????? 8d7594 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d75a4               | lea                 esi, [ebp - 0x5c]
            //   e8????????           |                     
            //   8d7594               | lea                 esi, [ebp - 0x6c]

        $sequence_7 = { 3bcb 7442 395dfc 7414 }
            // n = 4, score = 100
            //   3bcb                 | cmp                 ecx, ebx
            //   7442                 | je                  0x44
            //   395dfc               | cmp                 dword ptr [ebp - 4], ebx
            //   7414                 | je                  0x16

        $sequence_8 = { 3bcb 7504 6a08 eb7a }
            // n = 4, score = 100
            //   3bcb                 | cmp                 ecx, ebx
            //   7504                 | jne                 6
            //   6a08                 | push                8
            //   eb7a                 | jmp                 0x7c

        $sequence_9 = { 3919 740a 48 83c102 48 83e801 75f0 }
            // n = 7, score = 100
            //   3919                 | cmp                 dword ptr [ecx], ebx
            //   740a                 | je                  0xc
            //   48                   | dec                 eax
            //   83c102               | add                 ecx, 2
            //   48                   | dec                 eax
            //   83e801               | sub                 eax, 1
            //   75f0                 | jne                 0xfffffff2
            // NOTE(review): the two 0x48 bytes — see the REX.W remark above.

        $sequence_10 = { 833d????????00 7546 b918000000 e8???????? 48 }
            // n = 5, score = 100
            //   833d????????00       |                     
            //   7546                 | jne                 0x48
            //   b918000000           | mov                 ecx, 0x18
            //   e8????????           |                     
            //   48                   | dec                 eax

        $sequence_11 = { 0f848a050000 45 33e4 0fb74c2448 83e961 }
            // n = 5, score = 100
            //   0f848a050000         | je                  0x590
            //   45                   | inc                 ebp
            //   33e4                 | xor                 esp, esp
            //   0fb74c2448           | movzx               ecx, word ptr [esp + 0x48]
            //   83e961               | sub                 ecx, 0x61
            // NOTE(review): "xor esp, esp" is not plausible compiled code; on
            // x64 the 0x45 byte is a REX prefix and 45 33 e4 = xor r12d, r12d.
            // Another sign this sample is likely 64-bit — confirm.

        $sequence_12 = { 3bcb 7552 dd45f0 dd4720 }
            // n = 4, score = 100
            //   3bcb                 | cmp                 ecx, ebx
            //   7552                 | jne                 0x54
            //   dd45f0               | fld                 qword ptr [ebp - 0x10]
            //   dd4720               | fld                 qword ptr [edi + 0x20]

        $sequence_13 = { 8bce 49 3bfe 741a }
            // n = 4, score = 100
            //   8bce                 | mov                 ecx, esi
            //   49                   | dec                 ecx
            //   3bfe                 | cmp                 edi, esi
            //   741a                 | je                  0x1c

        $sequence_14 = { 59 c20400 8b4608 83f8ff }
            // n = 4, score = 100
            //   59                   | pop                 ecx
            //   c20400               | ret                 4
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   83f8ff               | cmp                 eax, -1

        $sequence_15 = { 3bcb 7461 8b01 83f807 }
            // n = 4, score = 100
            //   3bcb                 | cmp                 ecx, ebx
            //   7461                 | je                  0x63
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   83f807               | cmp                 eax, 7

        $sequence_16 = { 3bcb 753c ff7708 eb28 }
            // n = 4, score = 100
            //   3bcb                 | cmp                 ecx, ebx
            //   753c                 | jne                 0x3e
            //   ff7708               | push                dword ptr [edi + 8]
            //   eb28                 | jmp                 0x2a

        $sequence_17 = { eb29 48 8d4c2448 e8???????? }
            // n = 4, score = 100
            //   eb29                 | jmp                 0x2b
            //   48                   | dec                 eax
            //   8d4c2448             | lea                 ecx, [esp + 0x48]
            //   e8????????           |                     

        $sequence_18 = { e9???????? 8d85d0fdffff 50 ff15???????? }
            // n = 4, score = 100
            //   e9????????           |                     
            //   8d85d0fdffff         | lea                 eax, [ebp - 0x230]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_19 = { 894c9a08 8b5df8 03cb 8b5d0c 23c8 }
            // n = 5, score = 100
            //   894c9a08             | mov                 dword ptr [edx + ebx*4 + 8], ecx
            //   8b5df8               | mov                 ebx, dword ptr [ebp - 8]
            //   03cb                 | add                 ecx, ebx
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   23c8                 | and                 ecx, eax

        $sequence_20 = { ff7508 ffd7 85c0 7516 ff15???????? 6843458a04 }
            // n = 6, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   7516                 | jne                 0x18
            //   ff15????????         |                     
            //   6843458a04           | push                0x48a4543
            // The 0x048A4543 immediate is the most distinctive constant in
            // this rule; its meaning is not established here.

        $sequence_21 = { 0d00000780 8906 e8???????? 48 8bd6 48 }
            // n = 6, score = 100
            //   0d00000780           | or                  eax, 0x80070000
            //   8906                 | mov                 dword ptr [esi], eax
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8bd6                 | mov                 edx, esi
            //   48                   | dec                 eax
            // OR-ing 0x80070000 into a value is the HRESULT_FROM_WIN32-style
            // wrap of a Win32 error code (FACILITY_WIN32 | SEVERITY_ERROR);
            // again generic error handling. Trailing 0x48 bytes: see above.

        $sequence_22 = { 3bcb 743b 6afe 58 8901 }
            // n = 5, score = 100
            //   3bcb                 | cmp                 ecx, ebx
            //   743b                 | je                  0x3d
            //   6afe                 | push                -2
            //   58                   | pop                 eax
            //   8901                 | mov                 dword ptr [ecx], eax

    condition:
        // Any 7 of the 23 sequences must be present; the filesize cap
        // (663552 bytes = 648 KiB) bounds scan cost and excludes large files
        // in which short opcode fragments are more likely to occur by chance.
        // These are code fragments, not unique strings: run the rule against
        // unpacked samples and memory dumps (see the disclaimer) and treat a
        // hit as a lead to corroborate, not as a standalone conviction.
        7 of them and filesize < 663552
}