
Kaspersky Lab, the Russian cybersecurity and antivirus solutions firm, has discovered cyber-espionage malware that attacks and infects victims through compromised network routers.
The malware, dubbed "Slingshot," was used in cyber-espionage attacks in the Middle East and Africa from at least 2012 until last month, according to a prepared statement.
How Does Slingshot Work?
Slingshot reaches its victims through compromised routers, Kaspersky indicated. The attackers first place a malicious dynamic-link library (DLL) in the router's file system. Then, when an administrator logs in to configure the router, the device's management software downloads that library along with its legitimate components and runs it on the administrator's computer, so the router acts as the delivery mechanism for the actual infection.
Once the administrator's computer is infected, Slingshot loads two core components onto it, Kaspersky stated: Cahnadr, a kernel-mode module, and GollumApp, a user-mode module, together with a set of supporting modules. These modules cooperate with one another and handle information gathering, persistence and data exfiltration.
Slingshot works as a passive backdoor and does not have a hardcoded command-and-control (C&C) address, Kaspersky pointed out. Instead, the malware learns its C&C address from the victim's own network traffic: it intercepts network packets in kernel mode and checks whether the header carries two hardcoded "magic constants". A packet that does is treated as the trigger, and the C&C address is read from it. Once Slingshot has the address, it establishes an encrypted communication channel to it and uses that channel to exfiltrate the data it has collected from the victim.
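The passive-backdoor pattern described above, in the form of an added example that is not Kaspersky's code or a Slingshot sample. The marker values, the header layout in which the C&C address is carried, and the IP addresses are all invented for illustration (Slingshot's real constants are not given on this page). The same predicate that the implant would use to recognise a trigger packet is what a defender can run over captured traffic once the real constants are known, so the block shows both sides:

```python
"""
Model of a "passive backdoor" that learns its C&C address from a marked
packet, plus the mirror-image detector. Added example with invented values:
MAGIC_1/MAGIC_2, the payload layout and all addresses are hypothetical and
are NOT Slingshot's real constants.
"""
import struct
import ipaddress

# Hypothetical magic constants an implant would hardcode (NOT Slingshot's).
MAGIC_1 = 0x5A17C0DE
MAGIC_2 = 0xFEEDBEEF


def build_ipv4_tcp(src, dst, sport, dport, payload: bytes) -> bytes:
    """Build a minimal IPv4+TCP packet (checksums left zero; constructed test data)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    # data offset 5 words (0x50), flags PSH|ACK (0x18)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def mark_packet_with_c2(c2_ip, c2_port) -> bytes:
    """Operator side: a trigger packet carrying the C&C address (hypothetical layout:
    magic1, magic2, IPv4 address, port at the start of the TCP payload)."""
    payload = struct.pack("!II4sH", MAGIC_1, MAGIC_2,
                          ipaddress.IPv4Address(c2_ip).packed, c2_port)
    return build_ipv4_tcp("203.0.113.7", "192.0.2.10", 40000, 80, payload)


def extract_c2(packet: bytes):
    """Implant-side logic: walk the IPv4 and TCP headers, then test the payload
    for both magic constants. Returns (ip, port) on a trigger packet, else None."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:   # protocol must be TCP
        return None
    data_off = ((packet[ihl + 12] >> 4) & 0x0F) * 4  # TCP header length
    payload = packet[ihl + data_off:]
    if len(payload) < 14:
        return None
    m1, m2, ip_raw, port = struct.unpack("!II4sH", payload[:14])
    if (m1, m2) != (MAGIC_1, MAGIC_2):    # both constants must match
        return None
    return str(ipaddress.IPv4Address(ip_raw)), port


def detect_marked_packets(packets):
    """Defender side: apply the same predicate to captured traffic and report
    (packet index, (c2_ip, c2_port)) for every trigger packet found."""
    hits = []
    for i, pkt in enumerate(packets):
        c2 = extract_c2(pkt)
        if c2:
            hits.append((i, c2))
    return hits


# Constructed sample traffic: two ordinary packets and one marked trigger packet.
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.0.2.10", "198.51.100.5", 51000, 443, b"\x16\x03\x01\x00\x05hello"),
    mark_packet_with_c2("198.51.100.77", 8443),
    build_ipv4_tcp("192.0.2.10", "198.51.100.5", 51001, 80, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    print(detect_marked_packets(SAMPLE_PACKETS))   # [(1, ('198.51.100.77', 8443))]
```

The point of the model is why this design is hard to catch: the implant never beacons out on its own, so there is no periodic outbound connection to a fixed address to alert on. Detection therefore has to key on the trigger packet itself (which requires the real constants, normally published as indicators by the vendor that analysed the samples) or on the encrypted channel that appears only after the trigger.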
Why Are Hackers Using Slingshot?
Slingshot's main purpose appears to be cyber-espionage, according to Kaspersky. The malware is used to collect a wide range of data from the victim's machine, including:
In addition, because Slingshot runs in kernel mode, it can "steal whatever it wants," Kaspersky said. Slingshot also hides its own traffic inside marked data packets that it can intercept without a trace from the flow of everyday communications.
Slingshot also uses advanced techniques to evade detection by anti-malware software and other cybersecurity solutions. These techniques include:
Kaspersky researchers identified roughly 100 Slingshot victims located in the Middle East and Africa. Most Slingshot victims appear to be targeted individuals, Kaspersky noted, and some government organizations and institutions have been targeted as well.
Furthermore, the initial Slingshot samples were marked as "version 6.x." This suggests Slingshot has existed "for a considerable length of time," Kaspersky stated.
How Can Organizations Combat Slingshot Attacks?
Kaspersky offered the following recommendations to help organizations detect and block Slingshot attacks:
Slingshot is a "sophisticated threat," Kaspersky Lead Malware Analyst Alexey Shulmin said. As such, organizations must understand the cybersecurity landscape and deploy effective security measures to combat Slingshot and other advanced cyber threats.