Spy malware secrets: How complex 'Slingshot' hit targets via hacked routers

Slingshot malware infects PCs via files downloaded from compromised routers.
Written by Liam Tung, Contributing Writer

Video: Microsoft fends off mining malware attack

Researchers at Kaspersky Lab have discovered espionage malware that appears to have been developed by a government to spy on targets across Africa and the Middle East for the past six years.

The researchers haven't named Slingshot's country of origin, but note the presence of debug messages written in perfect English, while various component names such as Gollum and Smeagol suggest the authors are fans of The Hobbit.

Slingshot reached targets using a compromised software update for routers made by Latvian firm MikroTik.

Its router management software, Winbox, downloads DLLs from the router's file system and loads them directly into a computer's memory -- an intended feature that Slingshot's developers exploited by adding a malicious library called ipv4.dll, which downloads the espionage tools.

The two tools, Cahnadr and GollumApp, work in tandem to gather information and hide data collection and exfiltration from the target.

Kaspersky researchers found it can capture screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, and clipboard data.

The researchers haven't discovered how Slingshot infects MikroTik routers to use the WinBox bridge to the PC, however, they note in a technical paper that WikiLeaks' Vault 7 leak of CIA hacking tools did reference an exploit for MikroTik's router OS called ChimayRed.

According to MikroTik, latest versions of WinBox no longer download the ipv4.dll file from the router, closing the attack vector.

See also: Special report: Cybersecurity in an IoT and mobile world (free PDF)

The malware appears to have been narrowly used, with Kaspersky counting just 100 detections among its users between 2012 and February 2018.

Over half the compromised computers were in Kenya and Yemen, with the remainder in Libya, Afghanistan, Iraq, Tanzania, Greece, Jordan, Mauritius, Somalia, Tunisia, Turkey, and United Arab Emirates.

Slingshot hasn't been observed using previously undisclosed flaws but it did use three known vulnerabilities affecting non-Microsoft Windows utilities to load a kernel-mode component of Cahnadr.

According to Kaspersky's FAQ on Slingshot, the GollumApp module features nearly 1,500 functions.

"To run its code in kernel mode in the most recent versions of operating systems, that have Driver Signature Enforcement, Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities.

Download now: IT leader's guide to cyberattack recovery

"Following infection, Slingshot would load a number of modules onto the victim device, including two huge and powerful ones: Cahnadr, the kernel mode module, and GollumApp, a user mode module. The two modules are connected and able to support each other in information gathering, persistence and data exfiltration.

"The most sophisticated module is GollumApp. This contains nearly 1,500 user-code functions and provides most of the above described routines for persistence, file system control and C&C communications," the FAQ said.

Kaspersky advised anyone who uses MikroTik routers to update to its latest software release. Also, the company says MikroTik's Winbox software no longer allows downloading files from the router to a computer.

Previous and related coverage

Microsoft: Windows Defender can now spot FinFisher government spyware

Microsoft dismantles government-grade malware to improve Windows and Office 365 defenses.

UK government websites, ICO hijacked by cryptocurrency mining malware

US and Australian government domains were also affected by the bold cryptojacking scheme.

Kaspersky hauling Homeland Security to court to overturn federal ban

The Russian security firm claims it did not receive due process and the US government relied on.

Keeping transportation safe in tomorrow's smart city means taking wireless security seriously(TechRepublic)

The industrial IoT systems that run the trains, connected cars, and critical infrastructure in tomorrow's smart cities will depend on secure wireless networks.

Editorial standards