Slingshot malware attacks PCs through routers

Tuesday, 13 Mar, 2018

The researchers at Kaspersky Lab have uncovered a piece of malware, dubbed Slingshot, that has managed to stay hidden for around six years.

The malware, which researchers have called "Slingshot", attacks and infects victims through compromised routers and can run in kernel mode, giving it complete control over victim devices. As such, Slingshot looks like it may have been produced for espionage rather than money-making; that guesswork is lent a little more credence by Kaspersky's researchers noting that debug messages were written in flawless English. It's a highly sophisticated cyber espionage tool that matches the known platforms Project Sauron and Regin in complexity.

The report continues: "The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor".

The malware, christened Slingshot, smartly swaps out the user's legitimate scesrv.dll in the Windows system library for a malicious copy.
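A defender-side check that fits the swap described above, added here as an example and not taken from the article or from Kaspersky: it verifies the signature, signer and hash of the scesrv.dll under %SystemRoot%\System32 (assumed to be the location Windows loads it from). The known-good hash is a placeholder to be filled in from a trusted host.

```powershell
# Added example (not from the article or Kaspersky): report whether the scesrv.dll
# on this host is still the Microsoft-signed original. The baseline hash is a
# placeholder; replace it with the value recorded on a known-good machine.
$KnownGoodSha256 = 'PLACEHOLDER_SHA256_FROM_KNOWN_GOOD_HOST'

function Test-ScesrvIntegrity {
    # Assumed location of the library; override with -Path if needed.
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\scesrv.dll'))

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'MISSING' }
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $ver  = (Get-Item -LiteralPath $Path).VersionInfo

    # Genuine system DLLs are catalog-signed by Microsoft; a swapped-in file
    # normally fails at least one of these three checks.
    $signedOk  = $sig.Status -eq 'Valid'
    $microsoft = $sig.SignerCertificate -and
                 $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
    $hashOk    = ($KnownGoodSha256 -notmatch 'PLACEHOLDER') -and ($hash -eq $KnownGoodSha256)

    $verdict = if ($signedOk -and $microsoft -and $hashOk) { 'OK' }
               elseif ($signedOk -and $microsoft)          { 'SIGNED_BUT_UNBASELINED' }
               else                                        { 'SUSPECT' }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        SignatureType = $sig.SignatureType
        Signer        = $sig.SignerCertificate.Subject
        FileVersion   = $ver.FileVersion
        Company       = $ver.CompanyName
        Sha256        = $hash
        Verdict       = $verdict
    }
}

Test-ScesrvIntegrity | Format-List
```

A SUSPECT verdict is a prompt for closer inspection, not proof of compromise; compare the hash and version against a trusted host before acting on it.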

It can bypass security measures such as Driver Signature Enforcement by loading signed but vulnerable drivers and running its own code through those security holes.

Kaspersky Lab said Slingshot uses two "masterpieces" - a kernel mode module named Cahnadr, and GollumApp, a user mode module. The campaign's malware has likely collected "screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard and more", though Kaspersky notes that, in practice, it could steal whatever it wanted, including credit card numbers, password hashes, and social security account numbers.

So far, the researchers say they have identified at least 100 victims, for the most part based in Kenya and Yemen, as well as Afghanistan, Libya, Democratic Republic of Congo, Jordan, Turkey, Iraq, Sudan, the United Arab Emirates, Mauritius, Somalia and Tanzania.

Kaspersky didn't speculate as to why machines in these nations were targeted, but the organisation noted that debug messages were written in flawless English.

Slingshot reached targets from a compromised software update for routers made by Latvian firm MikroTik. The malware then makes the jump from routers to connected PCs by transferring a malicious downloader file, which is then loaded into a computer's memory and executed, setting the infection into motion.

The advanced persistent threat also incorporates a number of techniques to help it evade detection, including encrypting all strings in its modules, calling system services directly in order to bypass security-product hooks, using a range of anti-debugging techniques, and selecting which process to inject into depending on which security solution processes are installed and running, among others.

Slingshot has an encrypted file system of its own.

"Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation", said Kaspersky. According to Kaspersky, a cluster of activity from the Slingshot campaign "started in at least 2012", so it's been around for at least six years.

The researchers haven't named Slingshot's country of origin but note the presence of debug messages written in ideal English, while various component names such as Gollum and Smeagol suggest the authors are fans of The Hobbit. We doubt the average Joe has to worry about the malware, given it looks like it was narrowly targeted.