Security researchers at Kaspersky Lab discovered an advanced malware named Slingshot, which infects users' PCs through their routers in a multi-stage attack.
A sophisticated APT hacking group has been operating since at least 2012 without being noticed, thanks to its complex and clever techniques. The attackers exploited unknown vulnerabilities in MikroTik routers as their first-stage infection vector. The malware compromises the router and then drops a copy of itself onto the sysadmin's machine, where it gains root-level access. From there, the malicious code can spread much faster by infecting all devices on the compromised local network. The Slingshot malware replaces the scesrv.dll dynamic link library (DLL) file with a malicious one, which is loaded directly into the PC's memory. In some cases, the initial loader uses the Winbox Loader software tool to connect to a remote C&C server and download the final Slingshot payload onto the victim's computer. Slingshot also uses other infiltration methods, such as zero-day vulnerabilities, to attack its targets.
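The DLL replacement described above is the kind of tampering a defender can check for directly. The following PowerShell script is an added example written for this page, not code from Kaspersky Lab or from the Slingshot analysis: it inspects the Authenticode signature of scesrv.dll in the Windows system directory and compares its hash against an operator-supplied known-good value. The file path is assumed to be `C:\Windows\System32\scesrv.dll` (the normal location of this system DLL), and the known-good hash is a placeholder the operator must fill in from a trusted reference system.

```powershell
# Added example (not from the original article): integrity check for scesrv.dll.
# Assumption: the DLL lives in the standard System32 directory.
$dllPath = Join-Path $env:SystemRoot 'System32\scesrv.dll'

# Placeholder: replace with the SHA-256 of a known-good scesrv.dll taken from a
# trusted reference machine running the same Windows build.
$knownGoodSha256 = 'REPLACE_WITH_KNOWN_GOOD_SHA256'

function Test-ScesrvIntegrity {
    param([string]$Path, [string]$ExpectedHash)

    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Signature = $null; Sha256 = $null }
    }

    # Authenticode status: a legitimate Microsoft system DLL is expected to be 'Valid'.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    $status = 'OK'
    if ($sig.Status -ne 'Valid') { $status = 'SuspiciousSignature' }
    elseif ($ExpectedHash -ne 'REPLACE_WITH_KNOWN_GOOD_SHA256' -and $hash -ne $ExpectedHash) {
        $status = 'HashMismatch'
    }

    return [pscustomobject]@{
        Path      = $Path
        Status    = $status
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        Sha256    = $hash
    }
}

Test-ScesrvIntegrity -Path $dllPath -ExpectedHash $knownGoodSha256 | Format-List
```

Run the script from an elevated PowerShell session on the host being inspected. A result of `SuspiciousSignature` or `HashMismatch` warrants taking a forensic copy of the file and comparing it with the component store copy under `C:\Windows\WinSxS` before any remediation; a valid signature alone does not prove the in-memory image is clean, since the article notes the malicious module is loaded directly into memory.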
The Slingshot malware includes two modules: Cahnadr (a kernel-mode module) and GollumApp (a user-mode module), designed for information gathering and data exfiltration. Experts said the malware was used to log desktop activity, capture screenshots, steal data from the clipboard and passwords saved in web browsers, and collect information about open windows, keystrokes and network traffic.
The Cahnadr module handles anti-debugging, rootkit and sniffing functionality, injection of other modules and network communications. The malware carefully monitors its own security and smooth operation.
Security experts have called this malware a "masterpiece" of cybercrime. The malicious code has existed in various modifications since 2012 and has so far managed to stay undetected.
Analysts believe that such an elegant malicious program is unlikely to have been created by ordinary cyber criminals. Most likely, Slingshot was created by a state security or intelligence agency. Kaspersky Lab experts said that the malware could be used for counter-terrorism purposes by the secret services of the United States, Canada, the United Kingdom, Australia and New Zealand. The Slingshot malware's victims include individuals and some government organizations across various countries, including Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey and Sudan.