What is ‘Slingshot’ malware?

The malware ‘Slingshot’ got discovered on account of text found inside some of the recovered malware samples. Although it is one of the most advanced attack platforms ever discovered.

Slingshot APT- Attack deployment
Source: Kaspersky Labs

Hackers were able to get access to routers made by Latvian manufacturer MikroTik and infect them with the malware, accessing other computers on the network. The initial loader replaces the victim’s legitimate Windows library with a malicious one of exactly the same size. It interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem.

Victims of ‘Slingshot” malware

The exact number is not known but, Slingshot has infected around 100 users in different countries located in Africa and the Middle East. Slingshot is believed to be active since 2012 through February 2018 and has infected numerous Mikrotik routers across the globe. It’s a highly sophisticated cyber espionage tool that matches known platforms Project Sauron and Regin in complexity.

How ‘Slingshot’ infects a system

One of the ways it can infect Windows machines is through the MikroTik routers and their management software called Winbox Loader. Possibilities of victims getting infected through a Windows exploit has also been discovered by researchers.

Slingshot first infects the router and then loads two powerful modules called Cahnadr (kernel-mode module) and GollumApp (user-mode module) on the victim’s computer. After that, the cyber-espionage tool can collect various information including USB connections, keyboard, clipboard data, network data, screenshots, passwords, etc.

Javvad Malik, a security advocate at AlienVault, told SC Media UK that the attack illustrates how criminals will look to compromised devices. “The biggest challenge with these sorts of attacks is ensuring fixes can be applied across the supply chain,” he said.

MikroTik has been provided the limited set information the researchers currently have regarding the malware. Affected users are advised to update their router firmware to the latest version. It may be possible that Slingshot might have infected users with other routers.