During a particular campaign, conventional Poseidon samples were directed to IPs resolving to satellite uplinks. The networks abused were designed for internet communications with ships at sea; they span a very wide geographical area, nearly global in scale, while providing almost no security on their downlinks.
Kaspersky Lab experts reveal that the group achieves this using a trick known as satlink hijacking, a technique this Russian-speaking group has been using since 2007. It exploits a weakness of asynchronous satellite internet connections: the downlink can be sniffed, yielding the IP addresses of satellite subscribers. All the attackers then need to do is set up their servers with the same IPs, configure these addresses into their malware and, after a successful infection, wait for its call to the C&C.

What happens next: the satellite broadcasts the request from an infected machine over its whole coverage area. Both the attackers and law-abiding subscribers receive this request. But, unlike the attackers' servers, subscriber systems are extremely unlikely to host any services on the particular ports used, so the traffic is simply dropped without acknowledgement, as answering would increase the burden on the thin cellular upstream channel used in such asynchronous data links. After receiving the malware's call, the C&C answers via a regular fast landline connection with a spoofed acknowledgement that appears to come from the same hapless satlink subscriber.
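From the defender's side, the practical consequence of the scheme above is that C&C traffic terminates in satellite-ISP address space, where ordinary subscribers rarely host services, and that it is answered. The following is an added example, not code from the original article or from Kaspersky Lab, of a flow-log heuristic that flags hosts beaconing at regular intervals to such address space. The prefixes and flow records are constructed placeholders; a real deployment would load satellite-ISP allocations from an intelligence feed.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed placeholder prefixes standing in for satellite-ISP downlink space
# (TEST-NET ranges). Real allocations would come from an ISP or threat-intel list.
SATELLITE_PREFIXES = [ipaddress.ip_network(p)
                      for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed flow records: (epoch seconds, src, dst, dst_port, bytes_received).
# bytes_received == 0 means the peer never answered, i.e. the request was dropped.
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.77", 443, 512),
    (1300, "10.0.0.5", "203.0.113.77", 443, 498),
    (1600, "10.0.0.5", "203.0.113.77", 443, 530),
    (1900, "10.0.0.5", "203.0.113.77", 443, 501),
    (1050, "10.0.0.9", "192.0.2.10", 443, 2048),   # ordinary web traffic
    (2200, "10.0.0.9", "192.0.2.10", 443, 1900),
    (1700, "10.0.0.7", "198.51.100.12", 80, 0),    # unanswered, one-off
]

def in_satellite_space(ip):
    """True if the address falls inside a known satellite-downlink prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SATELLITE_PREFIXES)

def find_satellite_beacons(flows, min_hits=3, max_jitter=0.2):
    """Return (src, dst, port) tuples that repeatedly reach satellite-space IPs
    at near-regular intervals and actually receive data back, which is the
    pattern a hijacked downlink used for C&C produces on the victim network."""
    buckets = defaultdict(list)
    for ts, src, dst, port, bytes_in in flows:
        if in_satellite_space(dst) and bytes_in > 0:
            buckets[(src, dst, port)].append(ts)
    hits = []
    for key, times in buckets.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low relative spread of inter-arrival gaps is the beaconing signal.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append(key)
    return hits

if __name__ == "__main__":
    for src, dst, port in find_satellite_beacons(FLOWS):
        print(f"possible satellite C&C beacon: {src} -> {dst}:{port}")
```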