Kaspersky Lab has uncovered a highly complex – and probably state-backed – malware strain that infects users via compromised routers

Security researchers say they’ve discovered a strain of “highly sophisticated” malware that uses a unique attack vector.

Kaspersky Lab, which said it discovered the code last month, said it believes the strain has been active since at least 2012, successfully evading detection until now.

The ‘Slingshot’ malware, so-called after a word that appears in some of the malware’s samples, seems to have been developed by professionals, and is still active. Its development was probably backed by a nation-state, Kaspersky said.

When researchers identified the strain in February, the samples they found were marked ‘6.x’, with some code dating back to 2012, clues that suggest it’s been around for “a considerable length of time”.

State backer?

“The development time, skill and cost involved in creating Slingshot’s complex toolset is likely to have been extremely high,” wrote Kaspersky researchers Alexey Shulmin, Sergey Yunakovsky, Vasily Berdnikov and Andrey Dolgushev in an advisory. “Taken together, these clues suggest that the group behind Slingshot is likely to be highly organised and professional and probably state-sponsored.”

The researchers said the state backer appears to be English-speaking, and they compared the software’s sophistication to that of Regin, which was allegedly used by the NSA and GCHQ to spy on Belgian telecoms company Belgacom and others.

Of the malware’s roughly 100 known targets, most are in Kenya and Yemen, with others in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Most were individuals, with some government organisations and institutions.

Some targets were attacked via what Kaspersky called a “unique” vector that involved malicious drivers (DLLs) placed on routers made by MikroTik.

“Attackers found a way to compromise the devices by adding a malicious DLL to an otherwise legitimate package of other DLLs,” Kaspersky stated in a blog post. “The bad DLL was a downloader for various malicious files, which were also stored in the router.”

Information theft

Researchers said they don’t know how the attackers managed to initially compromise the routers involved.

MikroTik has been informed of the issue and has updated its software to resolve the problem, but Kaspersky believes other devices may also have been compromised.

The malware was found to be using extremely well-written modules, including a kernel-mode module called Cahnadr that gives the attacker complete control over a system.

“Furthermore, unlike the majority of malware that tries to work in kernel mode, it can execute code without causing a blue screen,” Kaspersky stated.

A user-mode module called GollumApp steals a wide variety of data, including passwords and keystrokes, without the need to exploit any zero-day vulnerabilities.

Slingshot goes to elaborate lengths to avoid detection, and can shut down its components when it detects that forensic research might be going on. It also uses its own encrypted file system.

Kaspersky advised users of MikroTik routers and WinBox managing software to download the latest software updates.
