A highly sophisticated cyberespionage campaign dubbed Slingshot has been uncovered by Kaspersky security researchers. The campaign compromises MikroTik routers and uses them as a springboard to attack victims’ computers, as the company revealed at last week’s Kaspersky Security Analyst Summit (SAS).
“Routers download and run various DLL files in the normal course of business. Attackers found a way to compromise the devices by adding a malicious DLL to an otherwise legitimate package of other DLLs. The bad DLL was a downloader for various malicious files, which were also stored in the router,” according to Kaspersky researchers.
Kaspersky has already reported the issue to the router manufacturer MikroTik, which has since fixed it. However, Kaspersky warns that other router vendors may also have fallen victim to the Slingshot attackers and that other devices may have been compromised.
Slingshot used two malware components in the campaign, Cahnadr and GollumApp, as described in the report:
“Running in kernel mode, Cahnadr gives attackers complete control, without any limitations, over the infected computer. Furthermore, unlike the majority of malware that tries to work in kernel mode, it can execute code without causing a blue screen. The second module, GollumApp, is even more sophisticated. It contains nearly 1,500 user-code functions.”
Once devices are compromised, Slingshot can collect screenshots, keyboard data, network data, passwords, the clipboard, and much more.
Install the latest firmware and software updates for affected routers as soon as possible. Also deploy endpoint and network anti-malware together with threat intelligence and management tooling to detect and mitigate APT activity.
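The quoted description above comes down to one extra DLL slipped into an otherwise legitimate package, so a simple defensive check is to compare the files actually present against a manifest of expected names and hashes obtained from a trusted channel. The following is an added example written for this page, not code from Kaspersky or MikroTik; the file names, contents and manifest are constructed stand-ins, and the check flags any DLL that is altered, absent, or not listed at all.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a vendor-published manifest: DLL name -> SHA-256 of the genuine file.
# The manifest must come from a trusted channel (vendor site, signed release notes), not from
# the same device that serves the package, or a compromised device could simply rewrite it.
LEGIT_FILES = {
    "core.dll": b"constructed genuine contents of core.dll",
    "net.dll": b"constructed genuine contents of net.dll",
    "ui.dll": b"constructed genuine contents of ui.dll",
}
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in LEGIT_FILES.items()}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_package(package_dir, manifest):
    """Classify every .dll in package_dir against the manifest.

    Returns a dict with four sorted lists:
      ok         - present and hash matches the manifest
      modified   - present but hash differs from the manifest
      missing    - listed in the manifest but absent from the package
      unexpected - present in the package but not in the manifest (the pattern
                   described above: an extra DLL riding alongside legitimate ones)
    """
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    present = {p.name: p for p in Path(package_dir).iterdir() if p.suffix.lower() == ".dll"}
    for name, expected in manifest.items():
        path = present.pop(name, None)
        if path is None:
            result["missing"].append(name)
        elif sha256_of(path) == expected:
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    result["unexpected"] = list(present)  # whatever the manifest did not account for
    for key in result:
        result[key].sort()
    return result


def build_demo_package():
    """Write a constructed package to a temp dir: one genuine DLL, one altered DLL,
    one DLL that should not be there, and ui.dll left out entirely."""
    pkg = Path(tempfile.mkdtemp(prefix="dllpkg_"))
    (pkg / "core.dll").write_bytes(LEGIT_FILES["core.dll"])
    (pkg / "net.dll").write_bytes(LEGIT_FILES["net.dll"] + b" + injected bytes")
    (pkg / "helper.dll").write_bytes(b"constructed: a file not in the manifest")
    return pkg


def run_demo():
    """Audit the constructed package and return the classification."""
    return audit_package(build_demo_package(), MANIFEST)


if __name__ == "__main__":
    for category, names in run_demo().items():
        print(f"{category:10s} {names}")
```

Anything in the `unexpected` or `modified` lists is worth treating as an incident rather than a glitch, since a legitimate update would also ship an updated manifest. A hash allowlist is deliberately simple; it catches an added or altered file but not a vendor-signed file that is itself malicious, which is why it complements rather than replaces the firmware updates and endpoint detection mentioned above.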