Highly Complex Slingshot Malware Attacks through Routers
In a major breakthrough, security researchers from Kaspersky Lab have discovered a highly sophisticated and complex malware threat that has managed to remain hidden since at least 2012.
The researchers revealed over the weekend that the so-called Slingshot advanced persistent threat (APT) had successfully targeted almost 100 victims in the Middle East and Africa over at least the past six years. According to the researchers, Slingshot uses an array of tools and techniques to carry out its attacks, and it is likely the creation of a government surveillance agency. They were unable to confirm the exact methodology Slingshot used to infect all of its targets; however, in several cases the malware's operators compromised routers and used them as a springboard to attack computers within a single network.
Revelation from Kaspersky Lab
As reported by Kaspersky Lab, the initial loader replaces the victim's legitimate Windows library 'scesrv.dll' with a malicious one of exactly the same size. It also interacts with several other modules, including a ring-0 loader, a kernel-mode network sniffer, its own base-independent packer, and a virtual filesystem, among others. While for most victims the infection vector for Slingshot remains unknown, security researchers found several cases where the attackers gained access to MikroTik routers and planted a component that was then downloaded by Winbox Loader, a management suite for MikroTik routers. In turn, this infected the administrator of the router. The security firm believes it is likely Slingshot also used other methods, such as zero-day vulnerabilities, to attack targets.
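The same-size replacement of scesrv.dll described above matters for defenders because an integrity check that compares only file sizes will never notice it. The following is an added example, not code from the article or from Kaspersky Lab: a small baseline-comparison routine that contrasts a size-only check with a hash-based one over constructed sample bytes. The file paths, the "legitimate" and "malicious" byte strings, and the function names are all assumptions made up for this illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    """Baseline entry for one system file: where it lives, how big it is, what it hashes to."""
    path: str
    size: int
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_from_bytes(path: str, data: bytes) -> FileRecord:
    return FileRecord(path=path, size=len(data), sha256=sha256_hex(data))


def size_only_check(baseline: dict, current: dict) -> list:
    """Naive integrity check: flags a file only when its size differs from the baseline.
    A replacement padded to the original length slips through this check."""
    return sorted(p for p, rec in current.items()
                  if p in baseline and rec.size != baseline[p].size)


def hash_check(baseline: dict, current: dict) -> list:
    """Content-based integrity check: flags a file when its SHA-256 differs from the baseline,
    regardless of size."""
    return sorted(p for p, rec in current.items()
                  if p in baseline and rec.sha256 != baseline[p].sha256)


# Constructed sample data (assumption): a stand-in for the legitimate DLL and a
# malicious stand-in padded with NUL bytes to exactly the same length, mirroring
# the same-size swap the article describes.
SCESRV = "C:\\Windows\\System32\\scesrv.dll"      # path is a placeholder for the example
OTHER = "C:\\Windows\\System32\\example-unchanged.dll"  # constructed control file

LEGIT_DLL = b"LEGIT-SCESRV-" * 64                       # 832 bytes
MALICIOUS_DLL = b"EVIL-LOADER-STUB".ljust(len(LEGIT_DLL), b"\x00")  # also 832 bytes
UNCHANGED = b"UNCHANGED-LIBRARY-CONTENT" * 10

BASELINE = {
    SCESRV: record_from_bytes(SCESRV, LEGIT_DLL),
    OTHER: record_from_bytes(OTHER, UNCHANGED),
}

# Snapshot taken after the (simulated) swap: scesrv.dll replaced, control file untouched.
CURRENT = {
    SCESRV: record_from_bytes(SCESRV, MALICIOUS_DLL),
    OTHER: record_from_bytes(OTHER, UNCHANGED),
}


def compare_checks(baseline: dict = BASELINE, current: dict = CURRENT) -> dict:
    """Run both checks and return what each one flags, so the gap is visible side by side."""
    return {
        "size_only_flags": size_only_check(baseline, current),
        "hash_flags": hash_check(baseline, current),
    }


if __name__ == "__main__":
    result = compare_checks()
    print("size-only check flagged:", result["size_only_flags"])  # expected: []
    print("hash check flagged:     ", result["hash_flags"])       # expected: [SCESRV]
```

On a real host the baseline would be built from known-good hashes (for example from a clean install or a vendor catalog) rather than from bytes constructed in the script, and the comparison would be paired with Authenticode signature verification; the point of the example is only that content hashes, not sizes, are what catch a like-for-like library swap.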
After infection, Slingshot downloads a variety of additional modules onto the victim device. The two most powerful modules, GollumApp and Cahnadr, are connected and complement each other in gathering data.
Targeted towards Espionage
The malware can log desktop activity and steal whatever its operators want, including clipboard contents, keystrokes, network traffic, passwords and screenshots, among other items. It is not certain how Slingshot gets into a system beyond abusing the router management software, but Kaspersky pointed to several instances. The malware appears to be aimed at espionage. It uses an encrypted virtual file system, normally housed in an unused part of the hard drive, to remain undetected, one of several stealth techniques it employs. Kaspersky has labelled Slingshot one of the most advanced attack platforms ever uncovered, rivalling Project Sauron and Regin in complexity.
"The discovery of Slingshot reveals another complex ecosystem where multiple components work together in order to provide a very flexible and well-oiled cyber espionage platform. Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable and to the best of our knowledge, unique," Kaspersky Lab wrote.
The malware is highly advanced, solving all sorts of technical problems, often in a very elegant way, and combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch, well-resourced actor. The firm did not identify the developers of the malware, noting only that most of the platform's debug messages were written in perfect English. It rivals the Regin malware GCHQ used to spy on Belgian carrier Belgacom. It could be one or more countries keeping watch on nations with significant terrorism issues. Slingshot's router-based infection vector should be closed as of recent MikroTik router firmware updates. The concern is that other router makers might be affected; if they are, Slingshot may have a far wider reach and may still be siphoning sensitive data. Kaspersky's researchers are continuing to investigate, and further findings are expected in the days to come.