UPDATED 22:04 EST / MARCH 11 2018


Malicious six-year-old ‘Slingshot’ malware campaign found lurking in routers

Researchers at Kaspersky Labs have detailed a possibly state-sponsored “Advanced Persistent Threat” malware campaign that has gone under the radar for six years before being detected.

Dubbed “Slingshot” due to the use of the name in the primary malware code, the APT campaign, revealed Friday, is believed to have been operating since 2012 without being noticed. The malware, which resides in routers made by Latvian hardware maker MikroTik, likely wasn’t detected before now because routers are usually only accessed by IT staff in an enterprise environment.

Despite its discovery, the researchers themselves don’t know how the malware spreads. The initial part of the attack replaces a dynamic link library file on a given router with a malicious one, which then targets any computer connected to the router by targeting its memory when the user runs Winbox Loader software — software used by Mikrotik router users.

Once that occurs, the computer connects to a remote server to download the primary Slingshot malware. That malware consists of two modules, Cahnadr and GollumApp, both of which facilitate data theft.

“Running in kernel mode, Cahnadr gives attackers complete control, without any limitations, over the infected computer,” Kaspersky explained. “Furthermore, unlike the majority of malware that tries to work in kernel mode, it can execute code without causing a blue screen. The second module, GollumApp, is even more sophisticated. It contains nearly 1,500 user-code functions.”

So far Slingshot has only been detected in MikroTik routers, but the researchers noted that the methodology could easily be applied to other brands of routers as well.

“I’ve never seen this attack vector before, first hack the router and then go for sysadmin,” Costin Raiu, Kaspersky’s director of global research and analysis, told The Register. “We’ve seen a lot of attacks against sysadmins but sometimes it’s tricky to find them. This is a very good way to hack the sysadmin and get the keys to the kingdom – it’s a completely new strategy.”

Kaspersky recommended that MikroTik users should make sure they are running both the latest versions of the router firmware as well as the WinBox managing software.

Image: Kaspersky

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy