Slingshot malware attacks PCs through routers

Doris Richards
March 13, 2018

MALWARE HAS BEEN LURKING in routers undiscovered for six years yet stealthily managed to infect at least 100 computers across the globe.

Kaspersky researchers said the malware is likely state-sponsored with some text clues suggesting it originates from an English-speaking country and most likely was used for espionage purposes.

The researchers say that Slingshot's infection vector for most victims is unknown, but that in some cases the attackers gained access to and deployed the malware through routers manufactured by MikroTik, a Latvian company. As such, Slingshot looks like it may have been produced with the backing of a nation. As such, Slingshot looks like it may have been produced for the goal of espionage rather than money-making.

"The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor", the researchers noted in their report. Once Slingshot has access to the network, it replaces a library file with a malicious version that in turn downloads the necessary files to launch a two-pronged attack on the computer itself. So yeah, it's pretty damn smart. They can steal passwords, keyboard strokes, screenshots, network traffic and more.

One is a kernel mode module called Cahnadr that enables the attacker to gain complete access to the system, including deep access to storage and memory. It can disable the disk defragmentation feature in Windows OS to prevent the relocation of the data stored by Slingshot on the hard drive.

Infected machines cropped up in the likes of Libya, Afghanistan, Jordan, the Congo, Sudan and Somalia, and appeared to mainly target individuals.

Use a proven corporate grade security solution in combination with anti-targeted attack technologies and threat intelligence, like Kaspersky Threat Management and Defense solution (https://goo.gl/ea1ZqV). Kaspersky did not identify the malware's creators but said that debug messages were written in ideal English, suggesting developers spoke that language. Coincidence? We're not so sure. However, accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error.


According to Ars Technica, the sophistication of Slingshot rivals similarly advanced malware apps, including Regin, a backdoor that infected Belgian telco Belgacom and other targets for years, and Project Sauron, a separate malware that also remained hidden for years.

Kaspersky doesn't have any specifics of how Slingshot appeared on MikroTik routers, but it looks like the router's Winbox configuration utility was exploited to load dynamic link library files. And while the infected routers that have been identified will be fixed via software updates, there's no telling how many machines may have been affected.

The advanced, persistent threat also incorporates a number of techniques to help it evade detection: including encrypting all strings in its modules, calling system services directly in order to bypass security-product hooks, using a number of Anti-debugging techniques, and selecting which process to inject depending on the installed and running security solution processes, and more.

"Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation".

LAGOS, Nigeria, March 12, 2018-Kaspersky Lab researchers have uncovered a sophisticated threat used for cyber-espionage in the Middle East and Africa from at least 2012 until February 2018.

Read about Slingshot in details in the researchers' blog post.

Users of Mikrotik routers should upgrade to the latest software version as soon as possible to ensure protection against known vulnerabilities. We doubt the average Joe has to worry about the malware given it looks like it was acutely targeted.

Other reports by Iphone Fresh

Discuss This Article

FOLLOW OUR NEWSPAPER