For 6 years, Slingshot APT remained undetected in infected computers until it was discovered by Kaspersky Lab researchers in February of this year. Believed to have been active since as early as 2012, it has been found to be one of the most advanced malware attacks ever.
Slingshot APT (advanced persistent threat) is a malware package made up of smaller components that, once a system is infected, collects confidential data such as passwords, keystrokes, network traffic and other activity all while remaining completely undetected. It is not yet known what information and/or parties Slingshot was targeting, however, according to researchers, it’s primary purpose appears to be cyber-espionage. It is also believed that Slingshot could be a state-sponsored attack due to its complexity.
Slingshot employed extremely sophisticated tactics and techniques to gain kernel-level access to the infected systems. If a process can run at the kernel level, it has the capability to execute code and otherwise manipulate the host system at will as well as hide itself from intrusion detection systems on the host machine.
The attackers used a vulnerability in Mikrotik routers to load infected DLL files onto the device, which was then silently downloaded by Winbox, a configuration utility, when a user connects to the router. Winbox downloading DLL files from the router’s file system was part of the utility’s regular function until Mikrotik patched the software recently in response to the discovery of this vulnerability.
One of the DLLs downloaded by Winbox is a downloader for Slingshot’s primary payloads, and runs with the Winbox process, remaining undetected. For the malware to run in kernel mode and avoid detection, it loaded signed drivers and ran its own code through the driver’s vulnerabilities which would then download and execute its modules.
Most of the work is carried out by two modules. One, called GollumApp, includes most of the functions required for Slingshot to carry out its data collection and antidetection measures. The second, known as Canhadr, carries out routines for network and IO operations. It has full access to the hard drive and system memory all while remaining undetected by debugging and intrusion detection measures. Collected data is encrypted and transmitted through the network, though by hiding exfiltrated data in legitimate call-backs, appearing normal to
The complexity of Slingshot makes it very difficult for organisations to ensure that their data is completely secure, especially when zero-day exploits could be in use. Slingshot is largely believed to have been a targeted, state-sponsored attack, with many media outlets alleging US government involvement. Organisations and their security teams should continue to ensure that their security systems and policies and maintained and up to date with current threats and trends in information security. Many vulnerabilities that are exploited and used to gain access to confidential information are known and have been patched, however software and equipment have not been updated by administrators.
For assistance in protecting your organisation from malware and other threats , please do not hesitate to contact Agilient.
The Agilient Team