"Slingshot", malware that spread covertly through routers for more than six years, has been identified


by Andres Atehortua

The security company Kaspersky Lab, while analyzing an incident suspected to involve a keylogger, announced that it had identified malware named "Slingshot" that hides inside a virtual file system. According to Kaspersky, Slingshot used routers as its infection route and infected more than 100 PCs over a period of at least six years before it was identified in 2018. It is a complex and sophisticated attack platform comparable to Project Sauron and Regin, and victims have been reported mainly in Africa and the Middle East.

Slingshot: Riding on a hardware Trojan horse - Kaspersky Lab official blog
https://www.kaspersky.com/blog/web-sas-2018-apt-announcement-2/21514/


The Slingshot APT FAQ - Securelist
https://securelist.com/apt-slingshot/84312/


(PDF file) The Slingshot APT Version: 1.0 (06.March.2018)
https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf


Slingshot turned out to exploit a previously unknown vulnerability in routers made by MikroTik, a network equipment manufacturer in Latvia. As part of their normal operation, these routers hand out various DLL files that are downloaded and executed by the management client. The attackers replaced one of the legitimate DLL files with a malicious DLL of exactly the same file size, which let Slingshot hide on the router. How the malicious DLL was placed on the router in the first place, however, is still unknown.

When MikroTik's official router management software, "Winbox Loader", is run, the malicious DLL file is loaded and executed on the PC connected to the router. MikroTik has already addressed the issue, and Kaspersky urges anyone using a MikroTik router to update its firmware immediately, while warning that "routers attacked in a similar way may not be limited to MikroTik".
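The detail worth taking away from this paragraph is that a replacement DLL with the same size as the original will pass any check that looks only at file length. The script below is an added illustration of that point and is not code from Kaspersky, MikroTik or Winbox; it builds a small directory of constructed placeholder "DLL" files (the names a.dll, b.dll and c.dll, their contents and the baseline of known-good sizes and SHA-256 digests are all made up for the demonstration) and then compares a size-only check with a hash-based check. The size-only check accepts the same-size swap; the hash check flags it.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def size_only_check(directory, known_good):
    """The weak check: a file is 'ok' if its size matches the baseline.
    known_good maps filename -> (size, sha256hex)."""
    verdicts = {}
    for name, (size, _digest) in known_good.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            verdicts[name] = "missing"
        elif os.path.getsize(path) == size:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "modified"
    return verdicts


def hash_check(directory, known_good):
    """The stronger check: compare content hashes, and report separately the case
    the size-only check cannot see (same size, different content)."""
    verdicts = {}
    for name, (size, digest) in known_good.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            verdicts[name] = "missing"
            continue
        if sha256_file(path) == digest:
            verdicts[name] = "ok"
        elif os.path.getsize(path) == size:
            verdicts[name] = "replaced-same-size"
        else:
            verdicts[name] = "modified"
    return verdicts


def build_sample_dir(directory):
    """Constructed sample data (not real DLLs): three placeholder files and a baseline.
    On disk, a.dll is intact, b.dll is swapped for a same-size file with different
    content (the Slingshot pattern), and c.dll has extra bytes appended."""
    good = {
        "a.dll": b"MZ" + b"A" * 1022,
        "b.dll": b"MZ" + b"B" * 2046,
        "c.dll": b"MZ" + b"C" * 510,
    }
    baseline = {name: (len(data), hashlib.sha256(data).hexdigest())
                for name, data in good.items()}
    on_disk = {
        "a.dll": good["a.dll"],
        "b.dll": b"MZ" + b"X" * 2046,      # same length as good b.dll, different bytes
        "c.dll": good["c.dll"] + b"\x00" * 16,
    }
    for name, data in on_disk.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    return baseline


def demo():
    """Run both checks over the constructed directory and return their verdicts."""
    with tempfile.TemporaryDirectory() as d:
        baseline = build_sample_dir(d)
        return {"size_only": size_only_check(d, baseline),
                "hash": hash_check(d, baseline)}


if __name__ == "__main__":
    for check, verdicts in demo().items():
        print(check, verdicts)
```

In a real deployment the baseline would come from a trusted copy of the vendor's files (or from verifying their digital signatures), not from the router, since the router is exactly the component this attack compromised.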


Slingshot consists of two modules, "Cahnadr" and "GollumApp". Cahnadr is a kernel-mode module that can execute malicious code without crashing the file system or causing a blue screen. GollumApp is a user-mode module that can capture screenshots, steal data from the clipboard, steal network information, steal passwords saved in web browsers, and so on.


Furthermore, Slingshot was carefully designed to evade detection by security software: for example, it aborts immediately once it detects security software running, and it finishes its work before the PC shuts down. As a result, identification was delayed; the earliest sample dates from 2012, so the malware operated undetected for at least six years until 2018.

According to Kaspersky's investigation, Slingshot infections have been confirmed across Africa and the Middle East, mainly in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Sudan, Iraq, Somalia and Tanzania. More than 100 PCs were affected, including those of government-affiliated institutions and companies.


The samples examined were labelled "version 6.x", and the skill and cost needed to develop and maintain such complex malware over a long period are expected to be very high. In addition, since the code contains English text, the group's developers may be native English speakers. Kaspersky therefore assesses that the group behind Slingshot is a highly organized professional team and that it is very likely state-sponsored.

in Software, Hardware, Security, Posted by log1i_yk