MikroTik's router management software, Winbox, downloads DLLs from the router's file system and loads them directly into memory on the administrator's computer. That is an intended feature, and Slingshot's developers exploited it by planting a malicious library called ipv4.dll on the router; once Winbox loads it, the library downloads the rest of the espionage tools onto the machine.
Researchers at Kaspersky Lab have discovered a sophisticated advanced persistent threat (APT) that has been used for cyber espionage in the Middle East and Africa from at least 2012 until February 2018.
Kaspersky Lab describes the malware as among the most advanced it has seen, and it stayed hidden for almost six years by living in routers.
Slingshot was revealed by researchers at Kaspersky Lab as a Trojan horse, in that the malicious code piggybacked off compromised MikroTik routers. So yeah, it's pretty damn smart.
Cyber espionage appears to be the main aim of Slingshot, with analysis suggesting it harvests screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard data and more. Despite only about 100 systems being found infected, Slingshot is sophisticated and nothing short of a "masterpiece" according to its discoverers.
It could also load powerful malware modules such as Cahnadr and GollumApp, two modules that support each other, one in the operating system's kernel and the other in user mode, to enable information gathering and data exfiltration. We would, however, tentatively speculate that the malware may have come from Western state actors and was used to snoop on nations known to be hotspots of conflict, insurgency or illicit activity.
The researchers haven't named Slingshot's country of origin but note the presence of debug messages written in flawless English, while various component names such as Gollum and Smeagol suggest the authors are fans of The Hobbit.
"Accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error", Kaspersky's researchers said, so that's worth bearing in mind.
Slingshot appeared to spread through routers designed by Latvian company MikroTik, although Kaspersky has noted that other techniques, such as the exploitation of zero-day vulnerabilities, could have helped spread the threat. Slingshot then launches an attack on two fronts: Cahnadr runs low-level kernel code that lets it operate across the whole system, while GollumApp works at user level, managing the file system and keeping the malware persistent so that it survives. Kaspersky says it has given MikroTik all its information, and MikroTik's software no longer downloads anything from users' routers to their computers.
One incredibly sophisticated thing the malware did to hide its existence was to keep its components in an encrypted virtual file system located in an unused part of the hard drive. Its other anti-detection measures include encrypting all strings in its modules, calling system services directly to bypass the hooks that security products place on API functions, using a number of anti-debugging techniques, and choosing which process to inject into based on which security solutions are installed and running.
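To make the "encrypted strings" point concrete, the following added example (not code from the article or from Kaspersky's report) shows the kind of build-time string obfuscation such a module would use and, more usefully for an analyst, how to recover the key and the string table from a sample. The cipher here, a rolling single-byte XOR, is a constructed stand-in: the page does not say what scheme Slingshot actually used, and the string table, key and crib are sample data chosen for illustration.

```python
"""Added example: runtime string obfuscation of the kind the article describes,
plus the analyst-side recovery. The rolling single-byte XOR is a constructed
stand-in, not Slingshot's real scheme; the table contents are sample data."""
import string
from typing import List, Optional

# Bytes an analyst would accept as "looks like a real string".
PRINTABLE = frozenset(string.printable.encode("ascii"))


def _xor(data: bytes, key: int) -> bytes:
    """Rolling XOR: byte i is combined with (key + i) mod 256, so repeated
    characters do not produce repeated ciphertext bytes (a plain single-byte
    XOR would leak the string's structure)."""
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(data))


def obfuscate(text: str, key: int) -> bytes:
    """Build-time side: what the author's packer would emit into the module."""
    return _xor(text.encode("ascii"), key)


def deobfuscate(blob: bytes, key: int) -> bytes:
    """Runtime side: the module decrypts a string just before it uses it."""
    return _xor(blob, key)


def recover_key(blob: bytes, crib: bytes = b".dll") -> Optional[int]:
    """Analyst side: brute-force the 256 possible keys using a known-plaintext
    crib (string tables almost always contain a library name) together with a
    printability check. Returns None if no key fits."""
    for key in range(256):
        candidate = deobfuscate(blob, key)
        if crib in candidate and all(b in PRINTABLE for b in candidate):
            return key
    return None


def decrypt_table(blobs: List[bytes], crib: bytes = b".dll") -> List[str]:
    """Recover the key from whichever entry contains the crib, then decrypt
    every entry with that key. Raises if no entry yields the crib."""
    for blob in blobs:
        key = recover_key(blob, crib)
        if key is not None:
            return [deobfuscate(b, key).decode("ascii") for b in blobs]
    raise ValueError("no entry matched the crib; try another crib")


# Constructed sample string table, encrypted with an assumed key of 0x5A.
# The names are ones the article mentions; the table layout is an assumption.
SAMPLE_KEY = 0x5A
SAMPLE_TABLE = [obfuscate(s, SAMPLE_KEY) for s in ("ipv4.dll", "GollumApp", "Cahnadr")]

if __name__ == "__main__":
    print("recovered key: 0x%02x" % recover_key(SAMPLE_TABLE[0]))
    print(decrypt_table(SAMPLE_TABLE))
```

The crib-plus-printability check is what makes this practical on a real sample: with only 256 candidate keys, brute force is instant, and the crib removes the ambiguity that a pure "most printable bytes" score would leave. Against a real module the table would be carved from the binary rather than constructed, and a different cipher would need the decryption routine swapped out, but the recovery loop stays the same.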
"Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation", said Kaspersky. "Its infection vector is remarkable - and, to the best of our knowledge, unique", the researchers write in the report, released Friday. We doubt the average Joe has to worry about the malware given it looks like it was acutely targeted.