“Highly sophisticated” cyberespionage
Slingshot was found by researchers at Kaspersky Lab who discovered it residing in compromised routers made by MikroTik. Kaspersky said that other router manufacturers may have also been targeted by Slingshot’s creators.
The malware installs itself by forcing the router to download a malicious software library file. This specially crafted library then downloads a package of other files which deliver the rest of the Slingshot suite. The components are stored inside the router and provide a fully-featured espionage utility.
It’s unclear how Slingshot goes about infecting devices after it’s entered the router. According to Kaspersky, it is able to obtain system-level access to machines connected to the network. Using its collection of malicious payloads, Slingshot’s able to capture and store desktop screenshots, keyboard data, passwords and files. The malware doesn’t utilise any operating system vulnerabilities, instead relying on a highly advanced built-in toolkit.
READ NEXT: Cyberattacks using Microsoft PowerShell soar by over 400%
Slingshot is so sophisticated that it includes several ways to evade detection. The malware is stored within an encrypted virtual file system, within which every individual file is also encrypted. The software will even shut itself down if a forensic analysis tool is operating, making it virtually impossible to identify using regular means.
Slingshot’s also reliable and resilient to failure. Kaspersky said it’s capable of executing its code without impacting on the regular operations of the target machine. Unlike other malware operating at the kernel-level, Slingshot appears not to adversely affect system stability. The researchers haven’t observed any blue screens or operating system crashes caused by the malware’s presence.
“Well-resourced” actor
The sophistication of the suite strongly suggests that its creators are highly capable cybercriminals with state-sponsored backing. The tool appears to have been developed as part of a nation-grade cyberespionage suite designed to go unnoticed in sensitive environments. The origins of the attackers aren’t clear, but Kaspersky said it’s mostly targeted victims in Africa and the Middle East. The company added that a “well-resourced actor” is the most probable culprit.
“The discovery of Slingshot reveals another complex ecosystem where multiple components work together in order to provide a very flexible and well-oiled cyber-espionage platform,” said Kaspersky. “The malware is highly advanced, solving all sort of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor.”
Since being contacted by Kaspersky, MikroTik has resolved the problem and secured its devices. Customers should download the latest version of MikroTik’s WinBox management software to apply the patches
It remains unknown how many other device vendors may also be impacted. It’s possible Slingshot is currently installed in networks across the globe. As it’s gone unnoticed for six years, it will take time before the true scale can be established.
