Researchers at Kaspersky Lab have discovered a clever bit of malware that has been hiding on routers for the better part of six years.
The malware has been christened Slingshot and it cleverly replaces a victim’s legitimate scesrv.dll file in the Windows library with a malicious one. To avoid detection the malicious file is exactly the same size as the original.
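Because the replacement file keeps the original's size, an integrity check based on file size alone will not notice it. The following added example (not code from the article or from Kaspersky Lab) uses two constructed byte strings standing in for the legitimate and the tampered scesrv.dll and shows that a size comparison passes on the tampered copy while a SHA-256 comparison against a known-good baseline catches it:

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for the legitimate DLL and a tampered copy that is
# byte-for-byte the same size (the trick the article describes). Not real files.
LEGIT = b"MZ" + b"\x00" * 62 + b"legitimate scesrv.dll body"
TAMPERED = LEGIT.replace(b"legitimate", b"tampered!!")  # same length word swap


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def size_check(path, expected_size):
    """Weak check: only compares the on-disk size with the baseline."""
    return os.path.getsize(path) == expected_size


def hash_check(path, expected_sha256):
    """Stronger check: compares the content hash with a known-good baseline."""
    return sha256_of(path) == expected_sha256


def demo():
    """Write both samples to a temp dir and run both checks on the tampered one."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "scesrv.dll")
        bad = os.path.join(d, "scesrv_tampered.dll")
        with open(good, "wb") as f:
            f.write(LEGIT)
        with open(bad, "wb") as f:
            f.write(TAMPERED)
        # Baseline recorded from the known-good copy (in practice: a golden
        # hash list or the vendor's signed-file catalog, not the live file).
        baseline_size = os.path.getsize(good)
        baseline_hash = sha256_of(good)
        return {
            "same_size": len(LEGIT) == len(TAMPERED),
            "size_check_passes_on_tampered": size_check(bad, baseline_size),
            "hash_check_passes_on_tampered": hash_check(bad, baseline_hash),
        }


if __name__ == "__main__":
    print(demo())
```

On a real Windows host the equivalent baseline is the file's Authenticode signature or a hash list taken from a clean image, which a same-size swap cannot satisfy.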
The researchers at Kaspersky Lab believe that the malware gains access to a victim’s PC via Mikrotik routers. It’s believed that a component downloaded by Winbox Loader (a management programme for Mikrotik routers) can infect the person working on the router.
The exact attack vector is not yet known, but among the victims Kaspersky Lab has studied, Slingshot's route of infection is believed to be either the Windows DLL replacement or the Mikrotik vulnerability.
Once Slingshot has infected a host it gets to work, downloading other malicious components including two modules known as Canhadr and GollumApp which – among other things – grant Slingshot access to the kernel of a target PC.
What does it do and how did it hide?
Slingshot appears to have been developed for the purpose of cyber-espionage.
“Analysis suggests it collects screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard and more. But with full access to the kernel part of the system, it can steal whatever it wants – credit card numbers, password hashes, social security account numbers – any type of data,” said Kaspersky Lab.
To avoid detection Slingshot encrypts all strings in its modules, calls system services directly (to bypass security software) and employs a number of anti-debugging techniques.
To exfiltrate data, Slingshot hides its traffic within legitimate callbacks, so that the user sees only ordinary data flowing through their channels.
So far Kaspersky Lab has spotted the malware in Middle Eastern and African countries, with the largest number of victims to date residing in Kenya and Yemen.
“Most of the victims appear to be targeted individuals rather than organisations, but there are some government organisations and institutions,” said Kaspersky Lab, adding that Slingshot might be the work of state-sponsored actors.
Users of Mikrotik routers are advised to update to the latest software available as soon as possible. The firm adds that in the latest version Winbox Loader no longer downloads anything from the router to a user's computer, mitigating the threat somewhat.