Malware that stayed hidden for 6 years spread via routers

The main purpose of the malware appears to be espionage.

  • Published: March 13, 2018 6:13 PM IST

Researchers have discovered a malware so stealthy that it stayed hidden for over six years despite having hit hundreds of computers over that time. Called Slingshot, the malware is one of the most advanced attack platforms ever discovered, researchers with Kaspersky Lab reported.

“The discovery of Slingshot reveals another complex ecosystem where multiple components work together in order to provide a very flexible and well-oiled cyber-espionage platform,” Kaspersky Lab researchers said. “The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor.”

The main purpose of the malware appears to be espionage. Kaspersky Lab’s analysis suggested Slingshot was used to log desktop activity and clipboard contents and to collect screenshots, keyboard data, network data, passwords, and USB connection data.

While the researchers still don’t know precisely how Slingshot initially infected all its targets, several cases suggest that the Slingshot operators may have gained access to routers made by MikroTik and planted malicious code on them.

In a Slingshot FAQ, the researchers write: “Following infection, Slingshot would load a number of modules onto the victim device, including two huge and powerful ones: Cahnadr, the kernel-mode module, and GollumApp, a user-mode module. The two modules are connected and able to support each other in information gathering, persistence, and data exfiltration.

The most sophisticated module is GollumApp. This contains nearly 1,500 user-code functions and provides most of the above described routines for persistence, file system control, and C&C communications.”

Slingshot may also have used other methods, including zero-day vulnerabilities, to spread. It has been active since at least 2012 and remained operational through last month. That such a full-featured piece of malware could remain hidden for so long is one of the things that makes it so advanced.