It is not uncommon for malware researchers to discover infections that manage to stay hidden for weeks or months; it is rare, however, to face malware that is capable of concealing itself for years. The creators of the Slingshot malware managed to do exactly that. At the moment, it is not known who developed this malicious software, but experts agree that they must be highly experienced and well funded. SC Media recently spoke to security scientist Joseph Carson, who suggests that “a nation state actor” is behind Slingshot. The researchers at Securelist agree that the attack could be “state-sponsored.” This group of malware analysts recently shared their findings after researching the threat, and they believe it could have been active since at least 2012, the date of the earliest sample found.
According to the latest findings, Slingshot has been found on at least 100 computers, most of which were located in Kenya and Yemen. Other victims were found in Afghanistan, Iraq, Libya, Somalia, Turkey, and other countries in Africa and the Middle East. Although the malware was found on the computers of government-level institutions, in most cases the victims were individual users. How Slingshot gets onto a machine is still not fully understood. The threat was found when Securelist researchers discovered a malicious library capable of interacting with a virtual system. In several cases, it was found that the threat arrived via compromised routers made by MikroTik, a Riga-based company. Once the threat had compromised the router, it would start its malicious processes immediately. That said, other entry points, for example those linked to Windows exploits, might also have been used to get into the operating systems of unsuspecting users.
The research revealed that once the malicious Slingshot launcher was in place, it would replace an authentic Windows library file called “scesrv.dll” with a malicious DLL. The imposter has exactly the same file size as the original, so that the replacement is harder to notice. The infection would then load the malicious library through a process running with system privileges, which in turn loads the Slingshot components. Although multiple components are loaded, two of them are the most important: GollumApp, which runs in user mode, and Cahnadr, which runs in kernel mode and gives the attackers full control of the computer. To get executable code into kernel mode, the malware might exploit the vulnerabilities CVE-2007-5633, CVE-2009-0824, and CVE-2010-1592. Running in kernel mode, Slingshot can gather personal information, and none of it is off-limits. The malware can record keystrokes, capture screenshots, track network data, and steal passwords, social security numbers, credit card data, and similar sensitive information. Attackers can use it to steal the victim's identity and cause serious security problems.
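The same-size replacement described above is exactly the case a size-only integrity check misses. As an added illustration (not code from the original article or from the Securelist research), the check below keeps a baseline of size and SHA-256 for a protected file, then reports a file whose size still matches but whose hash does not. The file name, contents and baseline are constructed for the demo; nothing here is a real Windows binary.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large system libraries are handled cheaply."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record (size, sha256) for each protected file while it is known-good."""
    return {str(p): (os.path.getsize(p), sha256_of(p)) for p in paths}


def check_integrity(baseline):
    """Return {path: verdict}. 'replaced_same_size' is the verdict a
    size-only monitor would never produce: the hash changed, the size did not."""
    results = {}
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            results[path] = "missing"
            continue
        cur_size, cur_digest = os.path.getsize(path), sha256_of(path)
        if cur_digest == digest:
            results[path] = "ok"
        elif cur_size == size:
            results[path] = "replaced_same_size"
        else:
            results[path] = "modified"
    return results


def demo():
    """Constructed scenario: baseline a fake 'scesrv.dll', overwrite it with a
    payload padded to the identical length, and return the check's verdict."""
    with tempfile.TemporaryDirectory() as d:
        dll = Path(d) / "scesrv.dll"
        original = b"MZ" + b"\x00" * 62 + b"genuine library code".ljust(1000, b"\x00")
        dll.write_bytes(original)
        baseline = build_baseline([dll])
        imposter = b"MZ" + b"\x00" * 62 + b"same-length imposter".ljust(1000, b"\x00")
        dll.write_bytes(imposter)  # same byte count as the original
        return check_integrity(baseline)[str(dll)]


if __name__ == "__main__":
    print(demo())  # replaced_same_size
```

In practice the baseline would be taken from a trusted source (vendor catalog or a clean image) rather than from the live machine, since a file that is already replaced would otherwise be baselined as good.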
GollumApp, according to Securelist, contains around 1500 user-code functions. It is injected by Cahnadr, which provides access to the hard drive and memory. Once the information has been collected, GollumApp encrypts it twice and sends it to a remote server, while Cahnadr makes sure this happens silently: if the user inspects the network traffic, nothing looks out of the ordinary. Slingshot also encrypts all strings in its modules to stay hidden, and it can call system services directly to circumvent detection by anti-malware software. This is why Slingshot is considered a very advanced piece of malware, and why it managed to stay hidden for so long. Now that it has been uncovered, MikroTik has patched the vulnerability that the malware exploited, and it is up to the owners of these routers to install the latest update as soon as possible. This is one of the security measures that must be taken.
It is likely that new information about Slingshot will keep surfacing, because there are still many unknowns and many questions remain unanswered. At the moment, it is hard to say exactly how this malware spreads, or how much damage it could cause. Clearly, it is important to do everything possible to keep Slingshot out. If you use MikroTik equipment, upgrade its software to the latest version immediately. Also, install all security updates for your operating system so that known vulnerabilities are patched. Do not skip this step, because thousands of other infections could be exploiting these same vulnerabilities to get in and wreak havoc.
Millman, R. March 12, 2018. APT hackers hid Slingshot malware in routers for six years. SC Media.
Shulmin, A., Yunakovsky, S., Berdnikov, V., Dolgushev, A. March 9, 2018. The Slingshot APT FAQ. Securelist.