Slingshot APT Actor Shoots onto the Scene

Written by

A new advanced persistent threat (APT) has launched onto the scene, dubbed Slingshot. It’s taking aim at the Middle East and Africa, carrying out espionage activities via compromised routers.

According to Kaspersky Lab, the group has been active since at least 2012. It uses a custom malware to attack and infect victims through the routers and can run in kernel mode, giving it complete control over victims’ devices to stealthily collect information without being seen, researchers said. It also hides its traffic in marked data packets so that Slingshot can intercept everyday communications without being discovered.

The spy activities are myriad: Analysis suggests it collects screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard data and more.

The firm said in an analysis that there have been around 100 victims of Slingshot, located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Interestingly, victims seem to be individuals rather than organizations – though there are some government and institutional exceptions to that. Kenya and Yemen account for most of the victims observed so far, the firm said.

The attack vector is unusual and involves placing a malicious dynamic link library inside the impacted routers (how the routers are hacked in the first place is as yet unknown, according to Kaspersky) that is in fact a downloader for other malicious components. Despite appearing legitimate, the library module has malicious code embedded into it. When an administrator logs in to configure the router, the router’s management software downloads and runs the malicious module on the administrator’s computer.

After that, the module downloads various implants, including Cahnadr and GollumApp, which work together on information gathering, persistence and data exfiltration.

“The malicious samples investigated by the researchers were marked as ‘version 6.x,’ which suggests the threat has existed for a considerable length of time,” researchers said. “The development time, skill and cost involved in creating Slingshot’s complex tool set is likely to have been extremely high. Taken together, these clues suggest that the group behind Slingshot is likely to be highly organized, professional and probably state sponsored.”

The kernel mode modules have to date only been seen in the most advanced predators, according to Alexey Shulmin, lead malware analyst at Kaspersky Lab. “The functionality is very precious and profitable for the attackers, which could explain why it has been around for at least six years,” he added.

What’s hot on Infosecurity Magazine?