Kaspersky Lab, the Russian cybersecurity and antivirus solutions firm, has discovered cyber-espionage malware that attacks and infects victims through compromised network routers.
The malware, dubbed "Slingshot," was used in cyber-espionage attacks in the Middle East and Africa from at least 2012 until last month, according to a prepared statement.
How Does Slingshot Work?
Slingshot's known infection path runs through compromised routers, Kaspersky indicated. The attackers first place a malicious dynamic-link library (DLL) on the router's file system. When an administrator later connects to manage the router, the device's management software (in the cases Kaspersky documented, the Winbox utility used with MikroTik routers) downloads that library from the router and runs it on the administrator's computer, where it acts as a downloader for the remaining components.
Once the administrator's computer is infected, Slingshot loads two main modules onto it, Kaspersky stated: Cahnadr, which runs in kernel mode, and GollumApp, which runs in user mode. The two modules support one another and together handle information gathering and data exfiltration.
Slingshot works as a passive backdoor and has no hardcoded command-and-control (C&C) address, Kaspersky pointed out. Instead, the malware learns its C&C address from the operator: it intercepts network packets in kernel mode and checks each one for two hardcoded "magic constants" in the header; a packet carrying both is taken to contain the C&C address. Once Slingshot has that address, it establishes an encrypted channel to it and uses the channel to exfiltrate the victim's data. Because the address never appears in the sample itself, static analysis of the binary yields no C&C indicator to block.
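The following is an added illustration of the passive-backdoor mechanism described above; it is not code from Kaspersky's report or from Slingshot itself. The two marker constants, the trigger header layout (two 32-bit constants, a 4-byte IPv4 address and a 16-bit port), and the sample packets are constructed assumptions, since the page does not give the real values. The same parser that the modelled implant uses to recognise a trigger doubles as network-side detection logic for marked packets, and the sample traffic includes a near miss (only one constant present) to show why a detector should require both.

```python
"""Added example: a model of a passive backdoor with no hardcoded C&C address.

The implant holds no C&C address until it observes a packet whose header carries
two magic constants; only then does it learn where to call home. Constants,
layout and sample packets below are hypothetical (not Slingshot's real format).
"""
import struct
from typing import List, Optional, Tuple

# Hypothetical marker constants; the real ones are not published on this page.
MAGIC_1 = 0x5A17C0DE
MAGIC_2 = 0xB33FCAFE

# Hypothetical trigger header (big-endian): magic1, magic2, IPv4 address, port.
TRIGGER = struct.Struct("!II4sH")


def build_trigger(c2_ip: str, c2_port: int) -> bytes:
    """Operator side: craft the marked payload that tells the implant its C&C."""
    packed_ip = bytes(int(octet) for octet in c2_ip.split("."))
    return TRIGGER.pack(MAGIC_1, MAGIC_2, packed_ip, c2_port)


def extract_c2(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) only if BOTH constants are present at the header offsets.

    Anything else is treated as ordinary traffic and ignored. A kernel-mode
    implant would run this check on every intercepted packet; here it is
    modelled in user space over raw payload bytes.
    """
    if len(payload) < TRIGGER.size:
        return None
    m1, m2, ip_raw, port = TRIGGER.unpack_from(payload)
    if m1 != MAGIC_1 or m2 != MAGIC_2:
        return None
    return ".".join(str(b) for b in ip_raw), port


class PassiveBackdoor:
    """Implant model: no C&C address is stored until a trigger packet arrives."""

    def __init__(self) -> None:
        self.c2: Optional[Tuple[str, int]] = None

    def on_packet(self, payload: bytes) -> bool:
        """Called for every intercepted packet; returns True if it was a trigger."""
        found = extract_c2(payload)
        if found is None:
            return False
        self.c2 = found
        return True


def scan_for_triggers(packets: List[bytes]) -> List[Tuple[int, str, int]]:
    """Detection side: flag packets carrying both constants.

    Requiring both constants keeps a chance collision on a single 32-bit value
    from raising an alert; the near-miss sample packet below is not flagged.
    """
    hits = []
    for idx, payload in enumerate(packets):
        found = extract_c2(payload)
        if found is not None:
            hits.append((idx, found[0], found[1]))
    return hits


# Constructed sample traffic: two ordinary payloads, one near miss, one trigger.
SAMPLE_PACKETS = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    struct.pack("!II", MAGIC_1, 0x00000000) + b"\x00" * 6,  # only one constant
    build_trigger("203.0.113.7", 443),                        # documentation IP
    b"\x16\x03\x01\x00\x05hello",                             # TLS-looking noise
]


def demo() -> Optional[Tuple[str, int]]:
    """Replay the sample traffic through the implant model and return its C&C."""
    implant = PassiveBackdoor()
    for payload in SAMPLE_PACKETS:
        implant.on_packet(payload)
    return implant.c2


if __name__ == "__main__":
    print("implant C&C after replay:", demo())
    print("detector hits:", scan_for_triggers(SAMPLE_PACKETS))
```

The practical point for defenders is the last function: with no C&C string in the binary, the indicator has to come from the wire, so a detection rule keyed on the full marker pair (at the right offsets, not just anywhere in the stream) is the equivalent of the hardcoded-address IOC that this design deliberately removes.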
Why Are Hackers Using Slingshot?
Slingshot's main purpose appears to be cyber-espionage, according to Kaspersky. The malware collects a wide range of data from the victim's computer, including:
- Clipboard data.
- Keyboard data.
- Network data.
- USB connections.
In addition, because Slingshot runs in kernel mode, it has full access to the operating system and can "steal whatever it wants," Kaspersky said. Slingshot hides its traffic in marked data packets that it intercepts, without leaving a trace, from the victim's everyday communications.
Slingshot also uses advanced techniques to evade detection by anti-malware software and other cybersecurity solutions. These techniques include:
- Calling system services directly to bypass security product hooks.
- Encrypting all strings in its modules.
- Selecting which process to inject into based on the security solution installed and the processes it runs.
- Using anti-debugging techniques.
Kaspersky researchers identified roughly 100 Slingshot victims located in the Middle East and Africa. Most Slingshot victims appear to be targeted individuals, Kaspersky noted, and some government organizations and institutions have been targeted as well.
Furthermore, the initial Slingshot samples were marked as "version 6.x." This suggests Slingshot has existed "for a considerable length of time," Kaspersky stated.
How Can Organizations Combat Slingshot Attacks?
Kaspersky offered the following recommendations to help organizations detect and block Slingshot attacks:
- Use a corporate-grade security solution in combination with anti-targeted attack technologies and threat intelligence.
- Provide security staff with access to the latest threat intelligence data.
- Leverage managed protection services to proactively detect advanced threats and speed up incident response.
Slingshot is a "sophisticated threat," Kaspersky Lead Malware Analyst Alexey Shulmin said. As such, organizations must understand the cybersecurity landscape and deploy effective security measures to combat Slingshot and other advanced cyber threats.