Slingshot APT


Researchers at Kaspersky have uncovered a cyber-espionage campaign that compromises routers and uses them as a springboard to attack computers inside the network. It has been operating since at least 2012 without being noticed, thanks to complex and careful tradecraft.

The group used an advanced malware platform dubbed Slingshot to infect roughly a hundred victims (Kaspersky's count at the time of its report) in the Middle East and Africa, reaching their computers by way of their routers.

The attack vector:
Although it is unclear how the group compromised the routers in the first place, Kaspersky pointed to the WikiLeaks Vault 7 CIA leaks, which described the ChimayRed exploit (now available on GitHub) for compromising MikroTik routers.

Once the router is compromised, the attackers replace one of the DLL (dynamic-link library) files that Winbox Loader fetches from the router's file system with a malicious one. The next time the user runs Winbox Loader, it downloads that DLL and loads it directly into the memory of the victim's computer.
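Because Winbox Loader fetches those DLLs from the router itself, the router cannot serve as the trust anchor once it has been compromised. A straightforward check, shown below as an added example (not code from the page, from Kaspersky or from MikroTik), is to baseline the DLLs from a known-clean install and then diff whatever currently sits in the loader's cache against that baseline, flagging modified, unknown and missing files. The cache directory, the file names and the file contents are all constructed for the demonstration; on a real system you would point it at the directory Winbox stores its downloaded files in and take the baseline from a trusted copy, never from the router.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dll_cache(cache_dir, baseline):
    """Diff the DLLs present in cache_dir against a known-good {name: sha256} baseline.

    Returns three sorted lists: files whose hash changed, files the baseline never
    saw (an extra stage dropped next to the legitimate ones), and baseline files
    that are gone.
    """
    found = {p.name: sha256_file(p) for p in Path(cache_dir).glob("*.dll")}
    return {
        "modified": sorted(n for n in found if n in baseline and found[n] != baseline[n]),
        "unknown": sorted(n for n in found if n not in baseline),
        "missing": sorted(n for n in baseline if n not in found),
    }


def demo():
    """Constructed scenario: a clean DLL cache is baselined, then the 'router' serves tampered files."""
    # Fake PE-looking blobs; names and bodies are invented for the demo, not real Winbox files.
    clean = {
        "router_ipv4.dll": b"MZ" + b"\x00" * 62 + b"legit ipv4 helper",
        "router_ui.dll": b"MZ" + b"\x00" * 62 + b"legit ui helper",
    }
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp)
        for name, body in clean.items():
            (cache / name).write_bytes(body)
        # Baseline taken while the cache is known clean (in practice: from a trusted install,
        # not from anything the router handed us).
        baseline = {name: sha256_file(cache / name) for name in clean}

        # Now the compromised router swaps one DLL, adds a second stage and drops another.
        (cache / "router_ipv4.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"malicious loader")
        (cache / "extra_stage.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"second stage")
        (cache / "router_ui.dll").unlink()

        return verify_dll_cache(cache, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The important design point is where the baseline comes from: hashing whatever the router served and calling that "known good" would simply enshrine the attacker's DLL. The baseline has to be captured from a vendor-sourced, ideally signed, copy of the loader package.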



The malicious tools:

Among Slingshot's components, two stand out: Cahnadr, a kernel-mode module, and GollumApp, a user-mode module.

Running in kernel mode, Cahnadr gives the attackers complete control, without any limitations, over the infected computer. Furthermore, unlike most malware that attempts to run in kernel mode, it executes its code without causing a blue screen. Written in pure C, Cahnadr (also known as Ndriver) provides full access to the hard drive and to memory regardless of the device's security restrictions, and performs integrity checks of various system components to detect debugging and security tools.


The second module, GollumApp, is even more sophisticated: it contains nearly 1,500 user-code functions. Together, these modules let Slingshot collect screenshots, keystrokes, network data, passwords, clipboard contents, other desktop activity and much more, and maintain communication with remote command-and-control servers, all without exploiting any zero-day vulnerabilities.

Silent but deadly:

What makes Slingshot really dangerous is the number of tricks its operators use to avoid detection. It can even shut down its components when it detects signs of forensic analysis. Furthermore, Slingshot stores its own encrypted file system in an unused part of the hard drive.
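A hidden encrypted file system in unallocated disk space is something a forensic examiner can hunt for directly: ciphertext has near-maximal byte entropy, whereas unused space is normally zero-filled or holds low-entropy remnants of deleted files. The script below is an added example (not from the page or from Kaspersky's report): it scans a raw disk image block by block, skips the ranges that belong to known partitions, and reports contiguous runs of high-entropy blocks outside them. The disk image, the partition layout and the 7.5 bits-per-byte threshold are all constructed for the demo.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096        # bytes scanned per unit; 8 sectors of 512 bytes
THRESHOLD = 7.5     # bits per byte; zero-fill scores 0, log text ~4-5, ciphertext ~7.95


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty or constant data, at most 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def in_allocated(offset, allocated):
    """True if offset falls inside any [start, end) range of a known partition."""
    return any(start <= offset < end for start, end in allocated)


def scan_unallocated(image, allocated, threshold=THRESHOLD, block=BLOCK):
    """Return merged (start, end) byte ranges of unallocated, high-entropy blocks.

    Allocated ranges are skipped entirely: encrypted or compressed files inside a
    real partition are normal and not what we are looking for here.
    """
    runs = []
    current = None
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        if in_allocated(off, allocated) or shannon_entropy(chunk) < threshold:
            continue
        if current is not None and current[1] == off:
            current[1] = off + len(chunk)          # extend the open run
        else:
            current = [off, off + len(chunk)]      # start a new run
            runs.append(current)
    return [tuple(r) for r in runs]


def pseudo_random(n, seed=b"slingshot-demo"):
    """Deterministic stand-in for ciphertext: a SHA-256 counter-mode keystream."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_image():
    """Constructed 256 KiB disk: a 128 KiB partition followed by 128 KiB of unpartitioned tail."""
    img = bytearray(64 * BLOCK)
    allocated = [(0, 32 * BLOCK)]
    # A compressed or encrypted file inside the partition: legitimate, must be ignored.
    img[0:2 * BLOCK] = pseudo_random(2 * BLOCK)
    # Remnants of a deleted text file in the tail: low entropy, must not trigger.
    text = b"Mar 10 09:14:02 host winbox: session opened for admin\n"
    img[34 * BLOCK:36 * BLOCK] = (text * (2 * BLOCK // len(text) + 1))[:2 * BLOCK]
    # The hidden encrypted container planted in unallocated space: this is the target.
    img[40 * BLOCK:48 * BLOCK] = pseudo_random(8 * BLOCK)
    return bytes(img), allocated


if __name__ == "__main__":
    image, parts = build_sample_image()
    for start, end in scan_unallocated(image, parts):
        print(f"high-entropy unallocated run: {start:#x}-{end:#x} ({(end - start) // BLOCK} blocks)")
```

Two caveats for real use: the partition table must be read from the image and cross-checked (an attacker with kernel control can also hide a region by shrinking the partition it reports), and a hit only means "random-looking data where none should be"; remnants of deleted compressed or encrypted files will score the same, so the run still has to be carved and examined.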

The victims are mostly individuals, along with some government organizations, across countries including Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey, Sudan and the United Arab Emirates.

