“Slingshot” router malware that went undetected for six years is one of the most advanced attacks ever seen
A new report from Kaspersky has revealed that a sophisticated spying campaign affecting MikroTik routers went undetected since 2012.
The campaign, known as Slingshot, works by using a “loader” on infected routers to install further malicious components on a victim’s computer, eventually giving hackers complete control over the system.
The Russian security firm says it is not clear how the MikroTik routers first became compromised, but that attackers “found a way” to add a malicious DLL (dynamic link library) “to an otherwise legitimate package of other DLLs”.
This malicious library file is used to infect the router administrator’s PC, before other “modules” – including a kernel mode module called Cahnadr and a user mode module called GollumApp – can take control of the PC and retrieve data, all without needing to use zero-day exploits.
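The infection vector described above hinges on an extra DLL being slipped into a package of otherwise legitimate libraries. The defensive counterpart is a file-level integrity audit against a known-good manifest, which flags any file that was added, altered or removed. The following is an added example written for this article; it is not Kaspersky's or MikroTik's code, and it assumes a vendor-supplied list of expected file hashes (here built from constructed sample bytes so the script runs offline).

```python
import hashlib
import os
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


# Constructed legitimate package: file name -> contents. In practice the manifest
# below would come from the vendor's signed release listing, not be derived locally.
LEGIT_FILES: Dict[str, bytes] = {
    "core.dll": b"legitimate core library bytes (constructed)",
    "net.dll": b"legitimate network library bytes (constructed)",
}
KNOWN_GOOD_MANIFEST: Dict[str, str] = {
    name: sha256_hex(data) for name, data in LEGIT_FILES.items()
}


def audit_package(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a package's files against a known-good manifest.

    Returns three sorted lists:
      added    - files present in the package but absent from the manifest
                 (the "extra DLL in a legitimate package" case)
      modified - files whose hash differs from the manifest entry
      missing  - manifest entries the package no longer contains
    """
    report: Dict[str, List[str]] = {"added": [], "modified": [], "missing": []}
    for name, data in sorted(files.items()):
        if name not in manifest:
            report["added"].append(name)
        elif sha256_hex(data) != manifest[name]:
            report["modified"].append(name)
    for name in sorted(manifest):
        if name not in files:
            report["missing"].append(name)
    return report


def package_is_clean(report: Dict[str, List[str]]) -> bool:
    """True only when nothing was added, modified or removed."""
    return not (report["added"] or report["modified"] or report["missing"])


def load_directory(path: str) -> Dict[str, bytes]:
    """Read every regular file directly under `path` (no recursion) into memory,
    so a real on-disk package can be passed to audit_package()."""
    result: Dict[str, bytes] = {}
    for entry in os.listdir(path):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                result[entry] = fh.read()
    return result


if __name__ == "__main__":
    # Constructed tampered package: one extra DLL planted, one legitimate DLL altered.
    tampered = dict(LEGIT_FILES)
    tampered["helper.dll"] = b"unexpected library (constructed)"
    tampered["net.dll"] = LEGIT_FILES["net.dll"] + b" + patch"
    report = audit_package(tampered, KNOWN_GOOD_MANIFEST)
    print(report)                      # added: helper.dll, modified: net.dll
    print("clean:", package_is_clean(report))
```

The check is only as trustworthy as the manifest: it must be obtained over a channel the router cannot influence (for example a hash list published by the vendor and verified by signature), otherwise an attacker who controls the package can ship a matching manifest alongside it.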
“It collects screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard and more,” explains a Kaspersky FAQ page. “But with full access to the kernel part of the system, it can steal whatever it wants – credit card numbers, password hashes, social security account numbers – any type of data.”
Unlike other malware that accesses the kernel, Cahnadr does not cause a blue screen to appear when it executes code, and Slingshot has other tricks up its sleeve to avoid detection, too.
“It can shut down its components when it detects signs that might indicate forensic research,” explains a Kaspersky blog post about the campaign. “Furthermore, Slingshot uses its own encrypted file system in an unused part of a hard drive.”
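An encrypted file system parked in space the operating system considers unused leaves one telltale sign: a region of disk with near-random byte distribution where wiped or never-written space should be mostly zeros or sparse filler. A common forensic triage step is a sliding-window Shannon entropy scan over the raw image. The code below is an added example for this article, not Kaspersky's tooling; the 7.5 bits-per-byte threshold and 4 KiB block size are assumptions, and the "disk image" is a constructed byte string.

```python
import math
import os
from typing import List, Tuple


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte in `block`; 8.0 is the maximum (uniform bytes)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_high_entropy_regions(data: bytes, block_size: int = 4096,
                              threshold: float = 7.5) -> List[Tuple[int, int]]:
    """Scan `data` in fixed-size blocks and return (start, end) byte offsets of
    contiguous runs whose entropy is at or above `threshold`."""
    regions: List[Tuple[int, int]] = []
    run_start = None
    for offset in range(0, len(data), block_size):
        block = data[offset:offset + block_size]
        hot = shannon_entropy(block) >= threshold
        if hot and run_start is None:
            run_start = offset
        elif not hot and run_start is not None:
            regions.append((run_start, offset))
            run_start = None
    if run_start is not None:
        regions.append((run_start, len(data)))
    return regions


def build_sample_image() -> bytes:
    """Constructed 64 KiB 'unused space': zero-filled, with a 16 KiB random
    (encrypted-looking) region planted at offset 32 KiB."""
    planted = os.urandom(16 * 1024)
    return b"\x00" * (32 * 1024) + planted + b"\x00" * (16 * 1024)


if __name__ == "__main__":
    image = build_sample_image()
    for start, end in find_high_entropy_regions(image):
        print(f"high-entropy region: offset {start:#x} - {end:#x} ({end - start} bytes)")
```

High entropy alone is not evidence of malware: compressed archives, media files and drives deliberately filled with random data before disposal all score the same. The scan narrows where an analyst should look; the decision still rests on whether the region corresponds to any known file-system structure.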
Although the bulk of the report refers to MikroTik routers, Kaspersky’s researchers believe that they can’t rule out “other spreading methods” because of the versatility of the actors involved. More specifically, during their research, the team found a component called KPWS that was “another downloader for Slingshot components”.
In terms of its complexity, Kaspersky claims that Slingshot rivals espionage platforms Project Sauron, which went undetected for five years, and Regin. “Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation,” explains the FAQ. “Its infection vector is remarkable – and, to the best of our knowledge, unique.”
While Kaspersky identified malicious activity as far back as 2012, it only found around 100 victims of Slingshot in total, who were located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania.
“Most of the victims appear to be targeted individuals rather than organizations, but there are some government organisations and institutions. Kenya and the Yemen account for most of the victims observed to date.”
Kaspersky reported Slingshot to MikroTik, which has protected its users from the exploit with a software update. Beyond this, Kaspersky says that “to protect your business against sophisticated targeted attacks, you need to implement a strategic approach,” and recommends installing its Threat Management and Defense platform.