State-sponsored malware has been uncovered in a particular brand of routers in an attack dubbed 'Slingshot' by Kaspersky Lab. The malware has been around for six years, Kaspersky claims, but has only infected around 100 devices worldwide.
Researchers at Kaspersky claim that they dug up the malware while analysing a suspected keylogger.
The researchers identified a malicious library that could interact with a virtual file system, which they noted was a strong indicator of an advanced persistent threat: an unauthorised person or programme that gains access to a network and lurks there undetected for a long period, intending to steal data rather than cause damage.
Kaspersky's researchers claim Slingshot is part of a highly sophisticated attack platform that rivals the Regin and Project Sauron malware, both of which are suspected of having been developed by nation-state sponsored actors. As such, Slingshot looks like it was produced for espionage rather than money-making.
"The discovery of Slingshot reveals another complex ecosystem where multiple components work together in order to provide a very flexible and well-oiled cyber-espionage platform," the researchers claimed.
The report continues: "The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor."
Slingshot gets onto a machine by replacing a legitimate Windows dynamic link library with a malicious version. Once loaded, it connects to a hardcoded IP address and port, found to belong to a router, and uses that connection to download further malicious components to carry out its espionage, which is why Kaspersky describes it as a malware platform.
It can bypass security measures such as Driver Signature Enforcement by loading legitimately signed but vulnerable drivers and exploiting their flaws to run its own code in the kernel.
It can also load powerful modules such as Cahnadr and GollumApp, which run in the operating system's kernel and user modes respectively and support each other to enable information gathering and data exfiltration.
The data hoovered up is thought to include everything from desktop activity logs to network data and passwords. Because it runs at kernel level, Slingshot can also read data on an infected machine's hard drive or in memory.
Infected machines cropped up in the likes of Libya, Afghanistan, Jordan, the Congo, Sudan and Somalia, and appeared to mainly target individuals.
Kaspersky didn't speculate as to why machines in these nations were targeted, but the organisation noted that debug messages were written in perfect English.
"Accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error," Kaspersky's researchers said, so that's worth bearing in mind.
Slingshot appeared to spread through routers designed by Latvian company MikroTik, although Kaspersky has noted that other techniques, such as the exploitation of zero-day vulnerabilities, could have helped spread the threat.
Kaspersky doesn't have specifics on how Slingshot got onto MikroTik routers, but it looks like the router's Winbox configuration utility, which downloads dynamic link library files from the router and loads them on the administrator's PC, was abused to deliver a malicious one. The malware thereby makes the jump from router to connected PC: the malicious downloader is transferred to the computer, loaded into memory and executed, setting the infection in motion.
Slingshot appears to have been active since as far back as 2012, Kaspersky suggests. It hid from detection by using an encrypted virtual file system stored in an unused part of the hard drive. Keeping its files outside the infected machine's file system helped keep them away from the noses of anti-virus software.
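A forensic check for the hiding technique described above, as an added example (not Kaspersky's code and not derived from a Slingshot sample): ciphertext is statistically indistinguishable from random data, so an encrypted container parked in unallocated disk space shows up as a run of high-entropy blocks where near-zero entropy is expected. The disk image, its layout, the chunk size and the entropy threshold are all constructed for illustration; the pseudo-random filler stands in for ciphertext and is not a cipher.

```python
"""Entropy scan of unallocated disk space for a hidden encrypted container.

Added example, not code from the article or from Kaspersky. The disk image
built below is constructed: a used region, then unallocated space with an
encrypted-looking container planted inside it.
"""
import hashlib
import math
from collections import Counter
from typing import List, Tuple

CHUNK = 4096          # scan granularity in bytes (a typical file-system block)
HIGH_ENTROPY = 7.5    # bits per byte; encrypted or random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_region(image: bytes, start: int, end: int, chunk: int = CHUNK,
                threshold: float = HIGH_ENTROPY) -> List[Tuple[int, float]]:
    """Return (offset, entropy) for every chunk in [start, end) at or above threshold."""
    hits = []
    for off in range(start, end, chunk):
        h = shannon_entropy(image[off:off + chunk])
        if h >= threshold:
            hits.append((off, round(h, 2)))
    return hits


def find_hidden_runs(image: bytes, start: int, end: int, chunk: int = CHUNK,
                     threshold: float = HIGH_ENTROPY) -> List[Tuple[int, int]]:
    """Coalesce adjacent high-entropy chunks into (start, end) byte ranges."""
    runs: List[List[int]] = []
    for off, _ in scan_region(image, start, end, chunk, threshold):
        if runs and runs[-1][1] == off:
            runs[-1][1] = off + chunk      # extend the current run
        else:
            runs.append([off, off + chunk])
    return [(s, e) for s, e in runs]


def pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 over a counter).
    Only so the constructed image is reproducible; this is NOT encryption."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_image() -> Tuple[bytes, int, int]:
    """Constructed disk image. Returns (image, unallocated_start, unallocated_end).

    The used area holds low-entropy data (fake headers, repeated text, zero
    padding). The unallocated area is zeros except for an 8-chunk container of
    random-looking bytes planted 20 chunks in, mimicking a hidden encrypted VFS.
    """
    used = (b"NTFS    " + b"\x00" * 504) * 16 + b"hello world\r\n" * 300
    used = used.ljust(64 * CHUNK, b"\x00")
    unallocated = bytearray(64 * CHUNK)
    container_off = 20 * CHUNK
    container = pseudo_random_bytes(8 * CHUNK, b"constructed-example-seed")
    unallocated[container_off:container_off + len(container)] = container
    image = used + bytes(unallocated)
    return image, len(used), len(image)


if __name__ == "__main__":
    img, ua_start, ua_end = build_sample_image()
    for s, e in find_hidden_runs(img, ua_start, ua_end):
        print(f"high-entropy run in unallocated space: {s:#x}-{e:#x} ({e - s} bytes)")
```

On a real image the unallocated ranges come from the file-system parser (for example the free-cluster bitmap) rather than a hardcoded boundary, and high-entropy hits also need to be checked against legitimate causes such as compressed files or wiped space, but the entropy signal is the same.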
"Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable - and, to the best of our knowledge, unique," the researchers noted, adding that as of February 2018 Slingshot still appeared to be active.
Users of MikroTik routers are advised to update to the latest software.
Further details of Slingshot and its origins have yet to surface, but given its narrow targeting it looks like ordinary individuals and organisations have little to fear from the malware - unless and until a sample falls into the hands of the wider cyber crime community.