According to the Moscow-based security firm, Kaspersky Lab, a newly discovered but relatively old malware Slingshot. It is one of the most advanced attack platforms they have ever discovered. All indications seem to suggest that the malware was created on behalf of a well-resourced country and for purposes of espionage.
Kaspersky Lab says the level of sophistication that went into creating the Slingshot malware only rivals the following malware that were also so potent that they broke records with their ingenuity:
Project Sauron – This malware was very potent and managed to hide away from security software for years.
Regin – an advanced backdoor that infected the Belgian telecom Belgacom among other high profile targets.
In a 25-page report published last Frida, researchers at Kaspersky Lab wrote:
“The discovery of Slingshot reveals another complex ecosystem where multiple components work together in order to provide a very flexible and well-oiled cyber-espionage platform. The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor.”
How it spreads
The researchers say they have not yet narrowed down to establish just how exactly Slingshot initially infects its targets. However, in several cases, it seems the Slingshot operators gained access through routers made by the Latvian manufacturer MikroTik and went ahead to implant malicious code in it.
The specifics on how it infects MikroTik routers is still not yet known, but it seems Slingshot is using the router’s configuration utility called Winbox to download dynamic link library files from the router’s file system.
One of these files is ‘ipv4.dll’, a malicious download agent created by the malware’s developers. Then Winbox transfers the ipv4.dll to the targeted computers. Once a computer is infected, Winbox further loads ipv4.dll into the device’s memory and executes it.
The researchers further claim, Slingshot further users other methods to spread, such as zero-day vulnerabilities. The malware is believed to have been created from as early as 2012 and has been operational up to until last month when security software finally netted it. The fact that it has managed to hide from antivirus and anti-malware security software for so long says it was a masterpiece creation by a well-resourced organization; something typical of state-backed hackers.
The researchers also claim Slingshot could have been using an encrypted virtual file system located in unused parts of a hard drive to conceal itself. The malware could have been segregating malware files from the file system of the computer it has infected; thus making it incredibly impossible for virtually all antivirus engines to detect its presence.
Other possible stealth techniques the malware could have been employing could be encrypting all text strings in its multiple modules, and calling system services directly to bypass all the hooks used by the security software and even going as far as shutting down when forensic tools are loaded onto the computer.
What was the primary purpose of Slingshot?
Researchers believe this malware is state-sponsored for purposes of espionage. According to the analysis by Kaspersky Lab, Slingshot was used to log users’ desktop activity, collect screenshots, clipboard content, network data, keyboard data, USB connection data, and passwords.
Slingshot’s ability to access the OS kernel meant it had access to any and all data stored on your computer’s internal memory. Kaspersky says that most of the infected computers were primarily located in Kenya and Yemen. There were also traces of it in Tanzania, Somalia, Sudan, Iraq, Turkey, Jordan, Congo, Libya, and Afghanistan.
Majority of the victims appears to be individuals, though there are few incidences where the malware-infected computers in organizations and institutions.
It’s a creation by a might State
The malware’s debug messages were written in perfect English, which seems to suggest that the developer spoke the language very well. Kaspersky Lab, however, did not mention which country it suspects sponsored the malware or identify its developer, but they did say for sure it was developed at the behest of a mighty nation.
“Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable, and to the best of our knowledge, unique,” wrote Kaspersky Lab in a report.