Newly discovered Slingshot malware was hidden in routers for 6 years

The malware was used against targets in the Middle East and Africa.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • The Slingshot malware appears to be deployed primarily in targeted attacks against specific individuals.
  • Security researchers believe that the attack is "probably state-sponsored" given the highly sophisticated and organized nature of the attack.

Securelist, a division of Kaspersky Lab, has identified a highly-advanced malware family called "Slingshot," which appears to have been first deployed in 2012, and was active in February when the researchers finished their investigation. Researchers at Kaspersky Lab have identified nearly 100 targets of the Slingshot APT (advanced persistent threat) including individuals, government agencies, and organizations located primarily in Kenya, Yemen, Libya, and Afghanistan.

The exact attack vector is not clearly known, though the Slingshot APT is known to utilize CVE-2007-5633, CVE-2010-1592, and CVE-2009-0824 to execute code with kernel level privileges, according to the Securelist report. Of particular interest is the role compromised Mikrotik routers play in the Slingshot attack. The researchers note that the attack method of Mikrotik is also unknown, though they point to the "Chimay Red" exploit published by WikiLeaks as part of the "Vault 7" releases of vulnerabilities that WikiLeaks claims originated from the CIA. It is unclear if a zero-day vulnerability is in use in this attack.

SEE: IT leader's guide to cyberattack recovery (Tech Pro Research)

According to the report, users are infected through the "Winbox Loader" configuration program for Mikrotik routers. Under normal operation, the software connects to the router, and transmits data from the router filesystem to the host computer. One of these files—stored on device as chmhlpr.dll, but transferred as ipv4.dll—has a file loader implanted into it, which when run by a host computer, connects to the router to download additional files.

The Securelist Slingshot FAQ states:

Following infection, Slingshot would load a number of modules onto the victim device, including two huge and powerful ones: Cahnadr, the kernel mode module, and GollumApp, a user mode module. The two modules are connected and able to support each other in information gathering, persistence and data exfiltration.

The most sophisticated module is GollumApp. This contains nearly 1,500 user-code functions and provides most of the above described routines for persistence, file system control and C&C communications.

Canhadr, also known as NDriver, contains low-level routines for network, IO operations and so on. Its kernel-mode program is able to execute malicious code without crashing the whole file system or causing Blue Screen - a remarkable achievement. Written in pure C language, Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions, and carries out integrity control of various system components to avoid debugging and security detection.

GollumApp contains functions that allow it to gather networking information, collect passwords saved in Firefox and Internet Explorer, interact with the clipboard, act as a keylogger, collect information about partitions and USB devices, send notifications when new devices are connected, and inject the module "SsCB" into running processes. SScB, in turn, is able to take screenshots, collect information about open windows, close windows, and system locale.

There are a variety of technologically interesting techniques found across the Slingshot APT. The Slingshot loader itself uses an involved DLL patching technique that inserts the module files into the appropriate file, and compresses part of the original to retain the same file size. It then changes the entry point of the DLL, calculates the checksum of the changed file, and then reverts to the original file after the loader was executed, the report said.

Slingshot also makes use of a virtual filesystem placed in an unused portion of the disk. In order to protect itself, it disables disk defragmentation as this operation may overwrite the hidden filesystem, the report noted. This strategy makes it substantially more difficult for antivirus software—which ordinarily scans filesystem contents, not the raw drive surface itself—to detect Slingshot. It also encrypts text in modules, calls system services directly, and attempts to evade inspection by invoking KdDisableDebugger() when a debugger is active, among other strategies intended to frustrate attempts to observe the behavior of the malware.

Who created Slingshot?

The researchers indicated that the creators of Slingshot are likely English-speaking, based on the perfect English found in debug messages, and the references to the works J.R.R. Tolkien found in component names.

Securelist refrained from naming a specific group as the creators of Slingshot, though noted that the group is "likely to be highly organized and professional and probably state-sponsored."

A representative from Mikrotik provided this comment on the nature of the exploit:

...How this DLL file got it's way inside a MikroTik router in the first place, is unclear. Most likely this is related to a previously discovered vulnerability in the www service, which was patched in March 2017. Please note that devices affected were only those which did not have firewall configured. After the mentioned fixes, we have repeatedly increased RouterOS file system security and made additional internal mechanisms to prevent anything like this in the future. Please keep your devices up to date and configure a firewall (if you disabled the default one) to prevent any unauthorised IPs from accessing your router.

Also see

Image: iStockphoto/stevanovicigor

About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.

Editor's Picks

Free Newsletters, In your Inbox