It may not boast the highest victim count of all PC malware — that honor goes to the ILOVEYOU virus, which affected an estimated 10 percent of all PC users — but the newly discovered Slingshot virus is certainly one of history’s most insidious. Lurking on the web for more than six years, the malware has burrowed into PCs around the world through an unlikely source: internet routers. Is your PC infected? Is your router vulnerable? Read this guide to find out.
How Slingshot Attacks
Slingshot’s full name is Slingshot APT because the malware is an advanced persistent threat. Unlike some viruses, such as ransomware, that make themselves known almost immediately upon infiltration, Slingshot commits stealthy, ongoing attacks.
Slingshot primarily gains entry to devices through compromised Mikrotik routers. When users first configure their routers, their devices run software to download dynamic link libraries (DLLs). One of those DLLs, ipv4.dll, seems to be a downloader for some of Slingshot’s components. Once these components are run, they download and install other components, including vulnerable drivers which can be used to operate code in kernel mode, which gives the malware total control over the computer.
Once Slingshot is complete, it loads a number of modules that operate in both kernel and user modes. These modules support one another in information gathering, data exfiltration, and persistence. One of these modules, named Canhadr/Ndriver, boasts the remarkable achievement of gaining full access to memory and hard drive as well as executing malicious code without crashing the file system or causing a Blue Screen.
The reason so much of Slingshot has remained secret is that it was intended to be exceedingly stealthy. Slingshot has encrypted all strings in its modules and is able to bypass all hooks in security products. What’s more, Slingshot can shut down its components when it notices signs of an in-system event which might cause detection. Though experts are now aware of Slingshot, there are still many questions surrounding its method of attack. The most significant known unknown is: How does Slingshot exploit the Mikrotik routers in the first place? Experts remain unclear on this element of the attack, and until they understand it, the attacks could continue.
What Slingshot Wants
Like other APT attackers, Slingshot wants one thing: information. In fact, almost all APT malware is government-based, and Slingshot, too, seems to be designed for cyberespionage. Slingshot’s kit allows it to collect all data on infected devices; analysis has determined that the malware takes screenshots, logs keystrokes, learns passwords, monitors network data, observes USB connections, and saves information copied to the clipboard. However, experts don’t doubt that Slingshot has also noted credit card numbers, social security account numbers, and any other type of data available on a device.
Where to Set Defenses
Slingshot has been in operation since 2012, but only about 100 users have been targeted by the attack, and these in far-flung countries like Kenya, Yemen, Congo, Iraq, Tanzania, and Jordan. Individuals, rather than organizations, are more often victims — but other than this, there is little telling why some people have been hit and others haven’t.
For now, most users can remain safe from Slingshot by avoiding Mikrotik routers for the time being.Now that Slingshot has been discovered, it is likely that the best PC protection software will adapt to defend users against this threat and others. Because Slingshot does not utilize zero-day vulnerabilities, advanced security tools should soon be well-equipped to detect and eliminate Slingshot infections.
Why Slingshot Is Scary
While Slingshot is undeniably dangerous, many security experts are as troubled as they are impressed by the malware’s complexity and uniqueness. It is obvious that Slingshot’s creators invested ample time and resources to its creation, and though it has not spread as wide as some malware, it has likely succeeded in many of its goals.
Unfortunately, almost nothing is known about the group behind Slingshot save their abundant resources and expert skill. It was not a single black-hat hacker working alone; it was likely a large, state-sponsored organization that has been developing Slingshot for more than a decade. Thus, even in the unlikely event that experts identify the precise actors, they will likely not come to any serious repercussions — and the machine behind them will not stop churning out Slingshot-like malware. In the emerging cyberwar, cyberespionage is to be expected.