Potent malware that hid for six years spread through routers

EnlargePotent malware that hid for six years spread through routers

Kaspersky Lab

reader comments


with 83 posters participating

Share this story

Share on Facebook

Share on Twitter

Share on Reddit

Researchers have discovered malware so stealthy it remained hidden for six years despite infecting at least 100 computers worldwide.

Slingshot—which gets its name from text found inside some of the recovered malware samples—is among the most advanced attack platforms ever discovered, which means it was likely developed on behalf of a well-resourced country, researchers with Moscow-based Kaspersky Lab reported Friday. The sophistication of the malware rivals that of Regin—the advanced backdoor that infected Belgian telecom Belgacom and other high-profile targets for years—and Project Sauron, a separate piece of malware suspected of being developed by a nation-state that also remained hidden for years.

Complex ecosystem

“The discovery of Slingshot reveals another complex ecosystem where multiple components work together in order to provide a very flexible and well-oiled cyber-espionage platform,” Kaspersky Lab researchers wrote in a 25-page report published Friday. “The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor.”Potent malware that hid for six years spread through routers

The researchers still don’t know precisely how Slingshot initially infected all its targets. In several cases, however, Slingshot operators got access to routers made by Latvian manufacturer MikroTik and planted a malicious code in it. Specifics of the router technique still aren’t known, but they involve using a MikroTik configuration utility called Winbox to download dynamic link library files from the router’s file system. One of the files, ipv4.dll, is a malicious download agent created by the Slingshot developers. Winbox transfers ipv4.dll to the target’s computer, loads it into memory, and executes it.


In a Slingshot FAQ, the researchers wrote:

The researchers said Slingshot may have used other methods, including zero-day vulnerabilities, to spread. It has been active since at least 2012 and remained operational through last month. The ability for such a full-featured piece of malware to remain hidden for so long is one of the things that makes it so advanced.


One of the ways Slingshot concealed itself was its use of an encrypted virtual file system that was typically located in an unused part of the hard drive. By segregating malware files from the file system of the infected computer, Slingshot stood a much better chance of remaining undetected by antivirus engines. Other stealth techniques included encrypting all text strings in its various modules, calling system services directly to bypass so-called hooks used by security products, and the ability to shut down components when forensic tools are loaded.

The main purpose of the malware appears to be espionage. Kaspersky Lab’s analysis suggested Slingshot was used to log desktop activity and clipboard contents and to collect screenshots, keyboard data, network data, passwords, and USB connection data. The ability for Slingshot to access the operating system kernel means the malware had access to whatever data was stored on the hard drive or in the internal memory of an infected machine. Infected computers were located primarily in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia, and Tanzania. Most of the victims appeared to be targeted individuals. Some, however, were government organizations and institutions.


Kaspersky Lab

Debug messages written in perfect English suggest that the developers spoke that language. As is typical for Kaspersky Lab reports, Friday’s report didn’t attempt to identify the developers of Slingshot other than to say they most likely worked on behalf of a nation-state.

“Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation,” company researchers wrote. “Its infection vector is remarkable—and, to the best of our knowledge, unique.”

Listing image by Wired UK/Shuttershock

Leave a Reply

Your email address will not be published. Required fields are marked *