APT hackers hid Slingshot malware in routers for six years

News by Rene Millman

Slingshot malware targeted almost 100 victims in the Middle East and Africa since at least 2012

Researchers have discovered malware that managed to infect several routers but stayed hidden for six years. The malware, dubbed Slingshot on account of text found inside some of the recovered malware samples, is one of the most advanced attack platforms ever discovered, according to researchers at Kaspersky Labs. It is thought that the malware was developed by a well- resourced country.

The malware targeted around 100 victims in the Middle East and Africa and used various and techniques to launch attacks. It attacked government organisations across several countries including Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey, Sudan and the United Arab Emirates.

Researchers were unable to identify how it infected systems, but somehow, hackers were able to get access to routers made by Latvian manufacturer MikroTik and infect them with the malware as a means of accessing other computers on the network.The initial loader replaces the victim's legitimate Windows library with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others Kaspersky Lab reported.

While for most victims the infection vector for Slingshot remains unknown, researchers were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.

The malware also used zero-day vulnerabilities to attack targets. Slingshot used modules called - GollumApp and Cahnadr. The two modules are connected and able to support each other in information gathering, persistence, and data exfiltration. Researchers said that GollumApp contained nearly 1,500 user-code functions and provides most of the above described routines for persistence, file system control, and C&C communications. Canhadr, also known as NDriver, contains low-level routines for network, IO operations, etc. Its kernel-mode program is able to execute malicious code without crashing the whole file system or causing a blue screen of death.

Slingshot may have concealed itself by using its own encrypted file system in an unused part of a hard drive. Kaspersky researchers said that the malware can collect screenshots, keyboard data, network data, passwords, other desktop activity, the clipboard, and a lot more.

Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation Kaspersky Lab researchers said. Its infection vector is remarkable—and, to the best of our knowledge, unique, they added.


Javvad Malik, security advocate at AlienVault, told SC Media UK that the attack illustrates once again how criminals will look to compromised devices and the supply chain. “The biggest challenge with these sorts of attacks is ensuring fixes can be applied across the supply chain,” he said.


“Sometimes the router hardware manufacturer doesn't write the code, so even notifying the router manufacturer won't necessarily fix the issue. In many cases though, manufacturers won't issue patches or updates to network products that are no longer shipping, making the task of securing them more difficult. “Where patches are available, users should be encouraged to install them wherever possible. Additionally, enterprises should look to invest in threat detection controls that can monitor network traffic for anomalies and detect where endpoints may have been compromised.”

Joseph Carson, chief security scientist at Thycotic, told SC Media UK that organisations can defend against such attacks by following some basic best practices such as keeping software updated and systems patched. “The vendor MikroTik has already patched this particular vulnerability used in Slingshot as well as other vulnerabilities so applying the latest version will eliminate such risks as well as patching all systems with known vulnerabilities,” he said.

“This is most likely a nation state actor due to the specific sophistication used in the exploit and given its popular use in Eastern Europe, it was probably used to steal and gather intelligence in the region.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews