Kaspersky researchers have uncovered a sophisticated advanced persistent threat (APT) group that has remained under the radar since at least 2012, using techniques complex enough to sustain long-running intrusions without detection. The group's malware platform, known as **Slingshot**, was found on around a hundred victim systems, primarily in the Middle East and Africa, and in several cases the infection was traced back to compromised MikroTik routers in homes and offices.

In a 25-page report, Kaspersky describes how routers made by the Latvian vendor MikroTik served as the entry point, with the compromised router acting as a staging post for deploying spyware onto the administrator's computer. Kaspersky could not determine how the routers themselves were compromised. It notes, however, that the WikiLeaks Vault 7 CIA material included an exploit for MikroTik routers, known as ChimayRed, and that a technique of that kind could have been used.

The compromised routers were central to the attacker's strategy. MikroTik's Winbox Loader, a legitimate Windows utility for configuring the router, worked by downloading a number of dynamic link library (DLL) files from the router's file system and loading them straight into memory on the administrator's machine. The attackers planted a malicious DLL among those files, so that any administrator who connected with Winbox Loader received and executed attacker code through a tool they trusted, with no exploit against the Windows host required.

Once executed, the malicious DLL acts as a downloader: it retrieves further components and loads them onto the victim machine. Two modules form the core of the platform: Cahnadr, which runs in kernel mode, and GollumApp, which runs in user mode. Together they gather information, maintain persistence and exfiltrate data to the attackers' command-and-control infrastructure.
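The infection chain above (a Winbox session against a router, followed by the client loading code it did not ship with and by a kernel-mode component appearing shortly afterwards) is something a defender can hunt for in endpoint telemetry. The following added example, which is not from Kaspersky's report or from MikroTik, correlates constructed Sysmon-style events: a Winbox connection to the RouterOS management port (TCP 8291) opens a time window, and within that window any DLL the Winbox process loads from outside its own install directory, or any unsigned driver load, is flagged. The process name `winbox.exe`, the 120-second window, the pipe-delimited log format and every path in the sample data are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample telemetry, one event per line: "timestamp|sysmon_id|image|detail|signed".
# Sysmon IDs used: 3 = NetworkConnect (detail = destination ip:port), 6 = DriverLoad
# (image = driver path), 7 = ImageLoad (image = process, detail = loaded DLL path).
# "signed" is the signature status of the loaded DLL or driver, "-" where not applicable.
# Every path and name below is invented for this example; none is a Kaspersky indicator.
SAMPLE_EVENTS = r"""
2018-03-01T10:00:01|3|C:\Program Files\Mikrotik\winbox.exe|192.0.2.10:8291|-
2018-03-01T10:00:03|7|C:\Program Files\Mikrotik\winbox.exe|C:\Program Files\Mikrotik\roteros.dll|true
2018-03-01T10:00:05|7|C:\Program Files\Mikrotik\winbox.exe|C:\Users\ops\AppData\Local\Temp\unknown.dll|false
2018-03-01T10:00:40|6|C:\Windows\System32\drivers\legit.sys|-|true
2018-03-01T10:00:41|6|C:\Windows\Temp\kmod.sys|-|false
2018-03-01T12:30:00|7|C:\Windows\explorer.exe|C:\Windows\System32\shell32.dll|true
"""

WINBOX_IMAGE = "winbox.exe"              # assumed process name of the Winbox client
WINBOX_PORT = 8291                       # TCP port Winbox uses to talk to RouterOS
SESSION_WINDOW = timedelta(seconds=120)  # assumed correlation window after a connection


@dataclass
class Event:
    ts: datetime
    event_id: int
    image: str
    detail: str
    signed: str


def parse_events(text: str) -> List[Event]:
    """Parse the pipe-delimited sample format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, image, detail, signed = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), int(eid), image, detail, signed))
    return events


def is_winbox(image: str) -> bool:
    """True when the process image is the Winbox client, regardless of install path."""
    return image.lower().endswith("\\" + WINBOX_IMAGE)


def correlate(events: List[Event]) -> List[Tuple[datetime, str, str]]:
    """Return (time, reason, artefact) alerts for suspicious loads that follow
    a Winbox connection to a router within SESSION_WINDOW."""
    alerts: List[Tuple[datetime, str, str]] = []
    session_start: Optional[datetime] = None
    for e in sorted(events, key=lambda ev: ev.ts):
        # A Winbox connection to the management port opens the correlation window.
        if e.event_id == 3 and is_winbox(e.image) and e.detail.endswith(f":{WINBOX_PORT}"):
            session_start = e.ts
            continue
        if session_start is None or e.ts - session_start > SESSION_WINDOW:
            continue
        if e.event_id == 7 and is_winbox(e.image):
            # The client is expected to load only signed DLLs from its own directory;
            # a DLL pulled from the router and loaded from elsewhere breaks that rule.
            install_dir = e.image.lower().rsplit("\\", 1)[0] + "\\"
            if e.signed != "true" or not e.detail.lower().startswith(install_dir):
                alerts.append((e.ts, "winbox loaded a DLL outside its install directory or unsigned", e.detail))
        elif e.event_id == 6 and e.signed != "true":
            # A kernel module arriving right after a router session matches the
            # downloader-then-kernel-component sequence described for Slingshot.
            alerts.append((e.ts, "unsigned driver loaded during Winbox session", e.image))
    return alerts


if __name__ == "__main__":
    for ts, reason, artefact in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()}  {reason}: {artefact}")
```

Two caveats apply when moving this from sample data to real telemetry. A DLL mapped directly into memory by the loader generates no ImageLoad event, so the driver-load correlation is usually the stronger signal; and kernel code introduced through a driver that is already loaded produces no new DriverLoad record at all. Treat both rules as partial indicators to be combined with network and file telemetry rather than as a complete detection.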

Cahnadr is the foundation the rest of the platform stands on. According to Kaspersky, it is able to run attacker code in kernel mode without crashing the system, which matters because a blue screen is the kind of disruption that gets a machine investigated. Written in C, it provides full access to disk and memory regardless of the operating system's own protections, handles network communication on behalf of the user-mode module, and performs integrity checks on system components to detect debugging and frustrate security tools.

GollumApp, the user-mode module, carries the espionage tooling: it captures screenshots, logs keystrokes, retrieves passwords saved in browsers, collects network and USB device information, and maintains communication with the command-and-control servers. Although it runs in user mode, it has access to the kernel-mode module and can launch new processes with SYSTEM privileges, which is what gives the attackers near-total control over a compromised machine.

Kaspersky has not attributed the group to any nation-state. It does note that the code's debug and error messages are written in fluent English, and that the sophistication and targeted use of the tooling reflect an investment of time and resources consistent with a well-funded, likely state-sponsored actor.

Most of the victims are targeted individuals rather than organizations, though some government entities were also affected. They are spread across Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey, Sudan and the United Arab Emirates.

Mapped onto the MITRE ATT&CK framework, the campaign spans most of the kill chain: initial access through a compromised network device, execution by abusing a trusted management tool that loads attacker-supplied code, defense evasion and privilege escalation through a kernel-mode component, collection via keylogging, screenshots and credential harvesting, and command-and-control with data exfiltration over the network.

For anyone who manages MikroTik equipment the practical lessons are concrete: keep RouterOS and the Winbox client current, since MikroTik has since addressed the issue, run management tools only against routers whose integrity you trust, and treat a management client that loads code it did not ship with as a compromise indicator rather than a curiosity. More broadly, Slingshot is a reminder that the device an administrator uses to manage the network is itself an attractive target.
