Slingshot Router Malware Has Been Lurking For Years And Is Likely State Sponsored

Researchers from Kaspersky Lab have discovered a new type of malware that they have dubbed “Slingshot”. Here’s what you need to know about it:

While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.

The initial loader replaces the victim´s legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others.

While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.

We believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).

They key thing to note about “Slingshot” is that Kaspersky believes that a nation state was behind it and was likely used for espionage purposes. It can capture functions like logging to network, accessing the data on an infected machine’s hard drive or internal memory due to the ability to access an operating system’s kernel level. And it can avoid detection in some very clever ways. Finally, it might have been out there since 2012. That’s kind of scary. If you use the Mikrotik router (for the record, they’re a Latvian based company), updating your firmware is the best defense. Though 100 victims of “Slingshot” located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania have been identified and it appears that they were targeted by this unknown nation state.

You can fully expect to see more attacks like these pop up into the wild.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: