APT hackers were stealthily implanting Slingshot malware for six years

by Olivia Morelli - - 2018-03-12

Slingshot malware remained hidden for almost six years

The illustration of Slingshot malware

Researchers from Kaspersky Lab have discovered a highly sophisticated and complex malware which is internally named as Slingshot. APT hackers exploited currently unknown vulnerabilities in routers manufactured by Latvian hardware provider Mikrotik^[1]. However, this cyber threat is active for almost more than six years since the experts have found its samples submitted as early as 2012.

Slingshot shares the features of spyware, and its primary purpose is to log the activity of the desktop, collect keyboard, USB and network data, take screenshots, and steal passwords from its victims^[2]. Researchers say that most of the infected computers were located in Yemen and Kenya.

However, some victims were found in Tanzania, Somalia, Afghanistan, Congo, Turkey, Libya, Jordan, Sudan and Iraq^[3]. Even though Slingshot mostly targeted individual people, experts state that unfortunately, multiple government institutions and organizations were affected as well.

Slingshot's peculiarities explained

Experts believe that the criminals might have used ChimayRed exploit which is now freely available on GitHub. This software is designed to compromise Mikrotik routers to help infiltrate various cyber threats, including Slingshot. Once the router is corrupted, malware replaces one of DLL (Dynamic Link Libraries) file with the fake one. Unfortunately, it has malicious code embedded.

Later, the malicious library is loaded with administrative rights. In other terms, the malware gets system privileges and is able to perform its bogus activity by loading GollumApp and Cahnadr modules for to start collecting information about its users^[4]. Researchers describe the latter module as a remarkable achievement since:

Its kernel-mode program is able to execute malicious code without crashing the whole file system or causing Blue Screen <…>.

Developers of the malware are highly skilled and sponsored hackers

Slingshot is an explicitly sophisticated malware which has managed to be active since 2012. It is because its developers are well-skilled hackers who designed the software to protect itself against detection. The most common feature of its protection technique is that it was using an encrypted virtual file system which was located in an unused directory of the hard drive.

Even though the researchers to do not identify the country of the developers, it is evident that they spoke English fluently since debug messages were written in perfect English. However, they add the following:

Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation <…>.

The toolset used by the hackers are well-designed and expensive. Likewise, it indicates that APT is a group of professionals who might be funded by the state^[5].

About the author

Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions

References

^ Iain Thomson. Slingshot malware uses cunning plan to find a route to sysadmins. The Register. Sci/Tech News for the World.
^ Lindsey O'Donnell. Cyber espionage campaign 'Slingshot' targets victims via routers. Threatpost. The first stop for security news.
^ Swati Khandelwal. APT Hackers Infect Routers to Covertly Implant Slingshot Spying Malware. The Hacker News. Online Cyber Security News & Analysis.
^ Duncan Riley. Malicious six-year-old ‘Slingshot’ malware campaign found lurking in routers. SiliconANGLE. IT News.
^ Alexey Shulmin, Sergey Yunakovsky, Vasily Berdnikov, Andrey Dolgushev. The Slingshot APT FAQ. Securelist. Kaspersky Lab's cyberthreat research and reports.