Published: Tue, March 13, 2018
Industry | By Terrell Bush

Slingshot malware has gone undetected in routers for six years

Slingshot malware has gone undetected in routers for six years

Researchers at Kaspersky Lab have discovered espionage malware that appears to have been developed by a government to spy on targets across Africa and the Middle East for the past six years.

The malware appears to have been narrowly used with Kaspersky counting just 100 detections among its users between 2012 and February 2018.

The researchers don't know precisely how Slingshot infected all of its targets, but in some cases the malicious app was planted inside MikroTik routers that Slingshot operators got access to.

The researchers identified a malicious library that was able to interact with a virtual file system that they noted was a good sign of the presence of an advanced persistent threat, whereby an unauthorised person or programme gains access to a network and lurks there undetected for some time with the intention of swiping data, rather than causing damage. As such, Slingshot looks like it may have been produced for the objective of espionage rather than money-making. It's a highly sophisticated cyber espionage tool that matches known platforms Project Sauron and Regin in complexity.

"The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor", the researchers noted in their report. During these attacks, the group behind Slingshot appears to compromise the routers and place a malicious dynamic link library inside it that is in fact a downloader for other malicious components. So yeah, it's pretty damn smart. Kaspersky analysis shows that the malware is configured to collect a wide swath of data from victims' computers, including screenshots, keystrokes, networking information, user passwords, USB connection and clipboard information, among other things.

Slingshot first infects the router and then loads two powerful modules called Cahnadr (kernel-mode module) and GollumApp (user-mode module) on the victim's computer. It can disable the disk defragmentation feature in Windows OS to prevent the relocation of the data stored by Slingshot on the hard drive.

Over half the compromised computers were in Kenya and Yemen, with the remainder in Libya, Afghanistan, Iraq, Tanzania, Greece, Jordan, Mauritius, Somalia, Tunisia, Turkey, and United Arab Emirates.

Use a proven corporate grade security solution in combination with anti-targeted attack technologies and threat intelligence, like Kaspersky Threat Management and Defense solution (

First Victim of Deadly NYC Helicopter Crash Identified
Two years earlier, another of its helicopters crashed in the Hudson River, though all of the people aboard survived. The pilot was able to cut himself free from his seat-restraints and make it to the surface to be rescued.

Kaspersky didn't speculate as to why machines in these nations were targeted, but the organisation noted that debug messages were written in ideal English. Coincidence? We're not so sure.

The malware is present in certain routers manufactured by MicroTik, though Kaspersky says it might also be affecting models by other brands as well.

According to MikroTik, latest versions of WinBox no longer download the ipv4.dll file from the router, closing the attack vector.

Slingshot has an encrypted file system of its own.

"Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation", said Kaspersky. It employs techniques to bypasses security products, and it encrypts all strings - the individual command lines - in its modules.

Further details of Slingshot and its origins have yet to surface.

Researchers also recommend the people using MikroTik routers to update the latest software accessible as early as they can. We doubt the average Joe has to worry about the malware given it looks like it was acutely targeted.

Like this: