Researchers Discover Stealthy Malware That Extends Within Routers

Kaspersky Lab researchers have reported the discovery of a highly sophisticated cyber-espionage campaign which has been named Slingshot and which spreads through compromised routers, at the same time remaining undetected for years.

A report by IBTimes compares Slingshot to malware like Project Sauron and Regin; the report says- “Slingshot is as complex as Project Sauron, the malware that remained undetected for five years and believed to be designed by a state-sponsored group. Another malware, Regin, that infected computers in several countries including India remained undetected for several years.”

Kaspersky Lab researchers, who have discovered the campaign, point out that there are almost 100 Slingshot victims, most of whom are either from African countries or the Middle East. The researchers also reveal that the threat had perhaps started at least in 2012 and could still be active; it was very much active in February.

The researchers at Kaspersky explain that most of the victims initially got their computers infected through compromised MikroTik routers. A report on the Kaspersky blog says- “The first part to understand is the means of infection. What makes this initial attack vector unique is that, according to our research, many victims were attacked through compromised routers made by MikroTik. Routers download and run various DLL files in the normal course of business. Attackers found a way to compromise the devices by adding a malicious DLL to an otherwise legitimate package of other DLLs. The bad DLL was a downloader for various malicious files, which were also stored in the router.” The report further adds- “Here we need to add that we reported this issue to router manufacturer, and MikroTik has already dealt with this problem. However, our experts believe that MikroTik not the only brand used by Slingshot actors — there may be other compromised devices.”

At the same time, it’s yet to be ascertained as to how the MikroTik routers are compromised. A notable thing about Slingshot is that it can run the malware both in kernel mode and user mode modules, thereby helping hackers have complete control over hacker devices.

The Kaspersky blog post says- “Among the malware Slingshot used were two masterpieces: a kernel mode module called Cahnadr and GollumApp, a user mode module…Running in kernel mode, Cahnadr gives attackers complete control, without any limitations, over the infected computer. Furthermore, unlike the majority of malware that tries to work in kernel mode, it can execute code without causing a blue screen. The second module, GollumApp, is even more sophisticated. It contains nearly 1,500 user-code functions.” The post further states- “Thanks to those modules, Slingshot can collect screenshots, keyboard data, network data, passwords, other desktop activity, the clipboard, and a lot more. And all without exploiting any zero-day vulnerabilities. At least, our experts have not found Slingshot using them yet.”

APTs like Slingshot can be blocked by upgrading one’s MikroTik router to the latest software version and also by adopting a strategic approach to deal with such sophisticated attacks.