A highly sophisticated threat capable of cyber espionage by targeting routers has been uncovered by researchers at Kaspersky Lab. Dubbed Slingshot, the malware has been used in malicious campaigns against victims in the Middle East and Africa for several years. In short, Slingshot is a complex APT (Advanced Persistent Threat) with “one of the most complex frameworks” seen, as explained by malware analyst Alexey Shulmin.
Slingshot APT Technical Details
Kaspersky came across the malware when they found a suspicious-looking keylogger. They created a behavioral detection signature to check whether the code was present anywhere else. This activity triggered detection of a suspicious file, scesrv.dll, within the system folder. It later turned out that the scesrv.dll module contained malicious code. “Since this library is loaded by ‘services.exe,’ a process that has system privileges, the poisoned library gained the same rights. The researchers realized that a highly advanced intruder had found its way into the very core of the computer,” Kaspersky said in their press statement.
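The finding above, a trojanized library running with the rights of services.exe, is something an administrator can check for on their own hosts. The following PowerShell script is an added example written for this article, not code from Kaspersky or from the malware analysis: it lists every DLL loaded into services.exe that does not carry a valid Microsoft signature and prints the signature status and SHA-256 hash of scesrv.dll so it can be compared against a known-good copy. The function name Get-SuspiciousServicesModules is an assumed name chosen here; all cmdlets used are standard Windows PowerShell.

```powershell
# Added example (not Kaspersky's code): audit the modules loaded into services.exe
# and flag any that is not validly signed by Microsoft. Run from an elevated
# PowerShell session on the host being checked.
function Get-SuspiciousServicesModules {
    # Reading the module list of services.exe requires administrator rights.
    $proc = Get-Process -Name services -ErrorAction Stop
    foreach ($module in $proc.Modules) {
        $path = $module.FileName
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # A legitimate system DLL is expected to verify as Valid with a Microsoft signer.
        $trusted = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')
        if (-not $trusted) {
            [pscustomobject]@{
                Module = $module.ModuleName
                Path   = $path
                Status = $sig.Status
                Signer = $signer
                SHA256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            }
        }
    }
}

# The specific file the researchers found: report its signature state and hash so
# the hash can be compared with the same file from a clean installation of the
# same Windows build (the known-good value is not on this page and must come
# from your own baseline).
$target = Join-Path $env:SystemRoot 'System32\scesrv.dll'
Get-AuthenticodeSignature -FilePath $target |
    Select-Object Status, @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
Get-FileHash -Path $target -Algorithm SHA256 | Select-Object Algorithm, Hash

# Any row printed here deserves a closer look.
Get-SuspiciousServicesModules | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: on current Windows versions Get-AuthenticodeSignature validates catalog-signed system files and reports them as Valid, but an older build may report NotSigned for catalog-signed DLLs, in which case the hash comparison against a clean copy is the reliable check. And the script inspects the file on disk; a module that was patched only in memory would still need a memory-based comparison.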
The researchers revealed their findings during Kaspersky's Security Analyst Summit, where they said that they had not previously seen such an unusual attack vector. The attackers were using compromised MikroTik routers to target victims by placing a malicious DLL inside them. The DLL is in fact a downloader for various malicious components, the researchers said.
More specifically, “when an administrator logs in to configure the router, the router’s management software downloads and runs the malicious module on the administrator’s computer. The method used to hack the routers in the first place remains unknown,” Kaspersky Lab researchers revealed.
What happens after the router is infected? The next step includes Slingshot downloading more malware modules. Two of them deserve more attention due to their quite sophisticated nature – Cahnadr and GollumApp. The two components are connected to one another and can support each other in collecting information procedures.
GollumApp in particular appears to be the most complex module of Slingshot, found to encompass 1,500 user-code functions as well as the controls for persistence, file system control and command and control servers. The other module, Cahnadr, is a kernel-mode program that serves to execute malicious code without crashing the entire file system, Kaspersky said.
Slingshot APT Capabilities
The malware is capable of carrying out silent cyber-espionage campaigns in which it stealthily gathers data and hides its traffic inside data packets that it can intercept without being traced.
A summary of its capabilities is as follows:
Slingshot’s main purpose seems to be cyber-espionage. Analysis suggests it collects screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard data and more, although its kernel access means it can steal whatever it wants.
Who is targeted? Apparently, victims of this malware are most likely particular individuals. However, government organizations may also be targeted. In terms of the routers that are affected by Slingshot – even though MikroTik routers were impacted in the campaigns analyzed by the researchers, other routers can be targeted as well.
The sophisticated structure of the malware also speaks volumes about who is behind the campaigns – most likely state-sponsored threat actors.
MikroTik users are urged to upgrade to the latest firmware to avoid an infection with Slingshot.