The researchers identified a malicious library that was able to interact with a virtual file system, which they noted was a good sign of the presence of an advanced persistent threat: an intrusion in which an unauthorised person or program gains access to a network and lurks there undetected for some time, intending to steal data rather than cause damage. As such, Slingshot looks like it was built for espionage rather than money-making. It is a highly sophisticated cyber-espionage tool that matches the known platforms Project Sauron and Regin in complexity.
MikroTik's router management software, Winbox, downloads DLLs from the router's file system and loads them directly into the computer's memory. This is an intended feature, and Slingshot's developers exploited it by adding a malicious library called ipv4.dll, which in turn downloads the espionage tools.
Kaspersky Lab stated that, "Analysis suggests it collects screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard and more".
"Among the malware Slingshot used were two masterpieces: a kernel mode module called Cahnadr and GollumApp, a user mode module". Slingshot is also capable of accessing the data on an infected machine's hard drive or internal memory because it is able to operate at the operating system's kernel level.
The majority of compromised computers were located in Kenya and Yemen, but the researchers detected infected systems in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania.
Kaspersky Lab noted that the malware's debug messages were written in perfect English.
"Accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error", Kaspersky's researchers said, so that's worth bearing in mind. "We believe that most of the victims we observed appeared to have been initially infected through a Windows exploit or compromised Mikrotik routers".
The malware then launches an attack on the target PCs. It also encrypts all text strings in its various modules to bypass security products. "Furthermore, Slingshot uses its own encrypted file system in an unused part of a hard drive", Kaspersky says.
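The hidden encrypted file system Kaspersky describes is, from the defender's side, a detection problem: encrypted data in space the file system reports as unused stands out because it is close to random, whereas unallocated space is usually zero-filled or holds readable remnants of deleted files. The following Python script is an added example, not code from the article or from Kaspersky's analysis. It builds a small constructed disk image (mostly zeros, one plaintext region, one random region standing in for an encrypted container), scans it in fixed-size blocks, computes Shannon entropy per block, and reports contiguous high-entropy regions. The block size, offsets and threshold are illustrative assumptions, not Slingshot's real on-disk layout.

```python
import math
import random
from typing import List, Tuple

# Constructed layout for the sample image (assumptions, not real malware offsets).
BLOCK_SIZE = 4096
IMAGE_SIZE = 256 * BLOCK_SIZE           # 1 MiB "disk image"
TEXT_OFFSET = 30 * BLOCK_SIZE           # remnants of an ordinary text file
TEXT_LENGTH = 8 * BLOCK_SIZE
HIDDEN_OFFSET = 100 * BLOCK_SIZE        # constructed "encrypted container"
HIDDEN_LENGTH = 20 * BLOCK_SIZE         # 80 KiB
ENTROPY_THRESHOLD = 7.5                 # bits per byte; random data sits near 8.0


def build_sample_image(seed: int = 0) -> bytes:
    """Return a constructed disk image: zeros, a plaintext region, a random region.

    The random region is produced from a seeded PRNG so the result is reproducible;
    statistically it looks like ciphertext (roughly 8 bits of entropy per byte).
    """
    image = bytearray(IMAGE_SIZE)

    text = b"The quick brown fox jumps over the lazy dog. Quarterly report draft.\n"
    filler = (text * (TEXT_LENGTH // len(text) + 1))[:TEXT_LENGTH]
    image[TEXT_OFFSET:TEXT_OFFSET + TEXT_LENGTH] = filler

    rng = random.Random(seed)
    noise = bytes(rng.getrandbits(8) for _ in range(HIDDEN_LENGTH))
    image[HIDDEN_OFFSET:HIDDEN_OFFSET + HIDDEN_LENGTH] = noise
    return bytes(image)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def find_high_entropy_regions(image: bytes,
                              block_size: int = BLOCK_SIZE,
                              threshold: float = ENTROPY_THRESHOLD) -> List[Tuple[int, int]]:
    """Scan the image block by block and merge adjacent high-entropy blocks.

    Returns a list of (offset, length) pairs, one per contiguous region whose
    every block has entropy >= threshold.
    """
    regions: List[Tuple[int, int]] = []
    start = None
    for off in range(0, len(image), block_size):
        entropy = shannon_entropy(image[off:off + block_size])
        if entropy >= threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:                      # region runs to end of image
        regions.append((start, len(image) - start))
    return regions


if __name__ == "__main__":
    img = build_sample_image()
    print(f"zero block entropy    : {shannon_entropy(img[:BLOCK_SIZE]):.3f}")
    print(f"text block entropy    : {shannon_entropy(img[TEXT_OFFSET:TEXT_OFFSET + BLOCK_SIZE]):.3f}")
    print(f"random block entropy  : {shannon_entropy(img[HIDDEN_OFFSET:HIDDEN_OFFSET + BLOCK_SIZE]):.3f}")
    for offset, length in find_high_entropy_regions(img):
        print(f"high-entropy region at offset {offset} ({length} bytes)")
```

On a real system the scan would be run over a raw device or forensic image, and the reported offsets would then be compared against the file system's allocation map: high-entropy regions inside allocated files are often just compressed archives, media or legitimately encrypted volumes, so it is the combination of high entropy and "unallocated" status that merits a closer look. Block size and threshold are tuning choices; 4 KiB blocks with a 7.5 threshold separate random data from English text comfortably, but very small blocks raise the noise floor.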
"The development time, skill and cost involved in creating Slingshot's complex toolset is likely to have been extremely high".
Slingshot is believed to have been active from 2012 through February 2018.
The researchers have not named Slingshot's country of origin, but they note the presence of debug messages written in perfect English, while component names such as Gollum and Smeagol suggest the authors are fans of The Hobbit. Affected users are advised to update their router firmware to the latest version. We doubt the average Joe has to worry about the malware, given that it looks to have been narrowly targeted.