An APT (Advanced Persistent Threat) malware, Slingshot, attacks victims by entering via routers and gaining kernel access to control the device entirely. According to Kaspersky researchers, this malware uses unique tactics to enter the network and steals sensitive information effectively while hiding in plain sight.
It was created by advanced attackers using highly sophisticated techniques to compromise victims entirely.
How Slingshot APT works:
- It enters through routers and places a dynamic-link library (DLL) in the router's code.
- When an administrator configures the router from his or her computer, the malicious code runs on that computer.
- Cahnadr and GollumApp are the main modules loaded; they are responsible for information gathering, persistence and data exfiltration.
- It collects screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard data and more, although its kernel access means it can steal whatever it wants.
The malicious code identifies itself as version 6.x, which suggests it has been in circulation for quite some time. Code this complex would have required a great deal of time, effort and money, suggesting the developers are highly organized, professional criminals.
Slingshot is being spread widely via routers from the Latvian vendor MikroTik. The vendor's router management software, Winbox, downloads DLLs from the router's file system and loads them directly into the computer's memory. This is an intended feature, which Slingshot's developers exploited by adding a malicious library called ipv4.dll that downloads the espionage tools. However, MikroTik Winbox no longer downloads any files from the router to the user's computer.
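The Winbox behaviour described above (a management client loading DLLs fetched from the router) is something a defender can watch for on the administrator's workstation. The following is an added example, not code from the original article or from Kaspersky: it scans constructed, Sysmon-style "Image loaded" records and flags DLLs loaded by winbox.exe that carry the name the article mentions, are unsigned, or come from outside the Windows directory. The record format, paths and the helper.dll name are assumptions made for the sample.

```python
import re
from dataclasses import dataclass

# Constructed sample of Sysmon Event ID 7 (Image loaded) records, flattened to
# one key=value line each. These are made-up records, not real Slingshot telemetry.
SAMPLE_EVENTS = """\
Image=C:\\Users\\admin\\Downloads\\winbox.exe ImageLoaded=C:\\Windows\\System32\\ws2_32.dll Signed=true SignatureStatus=Valid
Image=C:\\Users\\admin\\Downloads\\winbox.exe ImageLoaded=C:\\Users\\admin\\AppData\\Local\\Temp\\ipv4.dll Signed=false SignatureStatus=Unavailable
Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\shell32.dll Signed=true SignatureStatus=Valid
Image=C:\\Users\\admin\\Downloads\\winbox.exe ImageLoaded=C:\\Users\\admin\\AppData\\Local\\Temp\\helper.dll Signed=false SignatureStatus=Unavailable
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    dll: str
    reasons: tuple


def parse_event(line):
    """Turn one flattened key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def check_winbox_load(event):
    """Return a Finding if a winbox.exe image load looks suspicious, else None."""
    loader = event.get("Image", "").lower()
    if not loader.endswith("winbox.exe"):
        return None  # only the router management client is in scope here
    dll = event.get("ImageLoaded", "")
    name = dll.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name == "ipv4.dll":
        reasons.append("DLL name matches the library Slingshot added to the router")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned DLL loaded into winbox.exe")
    if not dll.lower().startswith("c:\\windows\\"):
        reasons.append("DLL loaded from outside the Windows directory")
    return Finding(dll, tuple(reasons)) if reasons else None


def scan(text):
    """Run the check over every non-empty record and collect the findings."""
    events = (parse_event(line) for line in text.splitlines() if line.strip())
    return [f for f in map(check_winbox_load, events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.dll, "->", "; ".join(finding.reasons))
```

Because older Winbox builds legitimately loaded router-supplied DLLs, the unsigned and path rules should be tuned against a baseline of normal administrator activity rather than alerted on in isolation.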
So far, researchers have seen around 100 victims of Slingshot and its related modules, located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Most of the victims appear to be targeted individuals rather than organizations, though some government organizations and institutions are among them. Kenya and Yemen account for most of the victims observed so far.