Slingshot malware attacks PCs through routers

Newly discovered malware targets routers

Kaspersky uncovers malware attacking through routers

Clues in the text suggest the code was developed by English-speaking programmers, with the most likely source being a government intelligence agency.

"Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation", said Kaspersky. Slingshot is apparently so sophisticated that Kaspersky has labeled it an advanced persistent threat (APT).

That is until now, as researchers from Kaspersky Lab dug up the malware, which they dubbed Slingshot, while analysing a suspected keylogger. In those cases, the victims unknowingly download a dynamic link library (DLL) from the router that was placed by the APT.

When running in kernel mode, Slingshot can give attackers complete control of the system without any limitations whatsoever. This is nearly impossible do to in updated operating systems, though Slingshot manages the feat by searching computers for signed vulnerable drivers, and then uses them to run its own malicious code.

GollumApp steals passwords from browsers and information about USB devices and network connections, hard disk patterns, desktop activity and clipboard data.

Several of the techniques employed by the cyber criminals behind Slingshot are unique, and researchers say it is highly effective at stealthy information gathering, hiding its traffic in marked data packets that it can intercept without trace from everyday communications. It employs techniques to bypasses security products, and it encrypts all strings - the individual command lines - in its modules.

"What makes Slingshot really risky is the numerous tricks its actors use to avoid detection".

Infected machines cropped up in the likes of Libya, Afghanistan, Jordan, the Congo, Sudan and Somalia, and appeared to target individuals on the whole. Almost all of these countries have been involved in recent years with Western governments on foreign counterterrorism efforts.

There is also a user module aspect to Slingshot. Code overlaps between past Equation Group-linked activity shows a relationship could exist, although the evidence is far from conclusive. It even shut down certain components when forensic tools were in use on the device. R. R. Tolkien's Lord of the Rings.

Cyber security specialists Kaspersky Labs has claimed to have discovered what it described as a highly-sophisticated cyberespionage campaign called Slingshot, which could have been active for six years.

The report continues: "The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor". "All this framework is designed for flexibility, reliability and to avoid detection, which explains why these components were not found for more than six years".

Latvia-based router manufacturer Mikrotik provides customers with a Windows-based management tool called WinBox that downloads and executes a DLL file stored on the router's file system.

The researchers note that owners of a MikroTik router and WinBox managing software should download the latest version of the program alongside updating the router itself to the latest version on its operating system.

Latest News