Researchers have uncovered malware that has remained hidden since 2012, dubbing the strain Slingshot after strings found within its files. Despite only around 100 infected systems being found, Slingshot is sophisticated and nothing short of a “masterpiece” according to its discoverers.
Slingshot was revealed by researchers at Kaspersky Lab, who found that it behaves like a Trojan horse: the malicious code reaches victims by piggybacking on compromised MikroTik routers, which serve a malicious library in place of a legitimate one to the WinBox management tool on the administrator's PC. Once that library runs, it downloads the remaining components and launches a two-pronged attack on the computer itself.
One is a kernel-mode module called Cahnadr, which gives the attacker complete control of the system, including low-level access to storage and memory, and lets the intruder run code in the kernel without crashing the machine with a blue screen. The other is a user-mode module called GollumApp, which contains nearly 1,500 user-code functions and carries most of the espionage functionality.
Image Credit: Kaspersky Labs
According to Kaspersky experts, this allows Slingshot to “collect screenshots, keyboard data, network data, passwords, other desktop activity, the clipboard, and a lot more. And all without exploiting any zero-day vulnerabilities.”
The researchers note that anyone running a MikroTik router with the WinBox management software should update WinBox to the latest version and update the router's RouterOS to the latest release. This closes the one known infection vector, but it does not remove the APT from machines that are already infected; that requires a much more comprehensive response, which Kaspersky details in its full report.
Slingshot's origin hasn't been confirmed, but it is speculated to be state-sponsored: the malware appears to be built for a specific, likely politically motivated purpose rather than for attacking everyday users.
KitGuru Says: Nothing has been confirmed beyond the function of the malware itself, leaving its motivation and use in question. Given that Slingshot has access to sensitive data, it isn't worth brushing off if there is any possibility the system you're using could be infected.