Slingshot mode of operation

Kasperksy Lab has revealed today the existence of a new cyber-espionage group that has leveraged MikroTik routers to infect victims in an attack that researchers described as "unique."

Experts codenamed this group Slingshot, and evidence suggests they started operations in 2012 and were still active in February 2018.

Kaspersky experts said that because the group was active for more than half a decade, used extremely complex malware, and carried out very targeted operations; Slingshot appears to be a state-sponsored group and not your regular cyber-criminal operation focused on personal profits.

Slingshot relied on Windows exploits, hacked MikroTik routers

What impressed Kaspersky the most was the level of complexity of the entire hacking operation. The malware was very sophisticated, expensive in time and money to develop, didn't trigger errors, and the method of delivery was innovative.

While in some cases Slingshot relied on classic Windows exploits to infect targets, the attacks that stood out the most were the ones where crooks delivered their payloads by hacking into MikroTik routers.

The Slingshot group used these routers as staging points to deliver other payloads to their desired targets. The way they did this was via Winbox Loader, an application developed by MikroTik to help Windows users configure their routers.

This app works by downloading some DLLs from the router itself, but the Slingshot group replaced these files with malicious ones that infected the user when he tried to configure or reconfigure his router via the Winbox Loader app.

Slingshot malware

Researchers say that Slingshot usually infected users with two families of malware, namely GollumApp and Cahnadr (detected by other security vendors as NDriver). Both strains work together for information gathering, persistence, and data exfiltration.

Slingshot APT deployed the GollumApp and Cahnadr strains

GollumApp is the larger malware, with nearly 1,500 code functions for various operations. Cahnadr is more advanced, as it's meant to operate as a kernel-mode program.

Kaspersky experts say that Cahnadr shows the group's skills level, as the malware can infect even the latest Windows OS versions and works without crashing systems into a BSOD, as most kernel-level malware tends to do at one point or another.

On recent Windows versions, Cahnadr gains kernel-level access by using one very clever trick. To avoid the Microsoft's Driver Signature Enforcement requirement that prevents the installation of unsigned drivers, the Slingshot group installs older versions of legitimate drivers. It then uses known vulnerabilities in these older driver versions to elevate Cahnadr's access so it can access kernel operations.

Kaspersky says it notified MikroTik about Slingshot's mode of operation and MikroTik has modified the Winbox Loader software so it will not download anything from a local router.

As for attribution, Kaspersky experts have not made any official statements except to say that "text clues in the code suggest [Slingshot] is English-speaking."

Based on current evidence, Slingshot appears to have focused on infecting lone individuals —not entire organizations— in the Middle East and North Africa.

Slingshot targets

More details about Slingshot's operations are available in this 25-page report published today by Kaspersky Lab.

Image credits: Kaspersky Lab

Related Articles:

Seedworm Spy Gang Stores Malware on GitHub, Keeps Up with Infosec Advances

New Cannon Trojan Is the Latest Asset of Sofacy APT Group

Adobe Fixes Zero-Day Flash Player Vulnerability Used in APT Attack on Russia

State-Sponsored Actors Focus Attacks on Asia