It may not boast the highest victim count of all PC malware (that honor goes to the ILOVEYOU virus, which affected an estimated 10 percent of all PC users), but the newly discovered Slingshot malware is certainly one of history’s most insidious. It has been lurking on the internet for six years and has infected computers all over the globe through an unlikely source: internet routers. Is your PC infected? Is your router at risk? This guide will help you find out.
How Slingshot Attacks
Slingshot is a persistent, advanced piece of malware. Unlike ransomware, which announces itself as soon as it infiltrates your computer, Slingshot carries out its attack stealthily and stays hidden.
Slingshot gains access to devices primarily through compromised Mikrotik routers. When users first connect to such a router, the router’s management software downloads dynamic link libraries (DLLs). One of those DLLs, ipv4.dll, appears to be a downloader for some of Slingshot’s components. Once those components run, they install and download further components, including vulnerable drivers that can be abused to execute code in kernel mode. This gives the malware complete control of the computer.
Once Slingshot is fully installed, it loads many modules that operate in both kernel mode and user mode. These modules work together to gather information, maintain persistence, and exfiltrate data. Cahnadr (also called Ndriver) is one of these modules. It has the remarkable ability to gain full access to memory and hard drives and to execute malicious code without crashing the system or causing a Blue Screen.
The reason so much about Slingshot remained unknown for so long is that it was designed to be extremely stealthy. Slingshot bypasses the hooks used by security products by encrypting all of its strings and modules, and it can shut down its own components if it detects an event on the system that might lead to detection. Although experts now know how Slingshot attacks, many questions remain. The biggest unknown is how Slingshot compromises Mikrotik routers in the first place; experts are still unsure about this part of the attack and may never fully understand it.
What Slingshot Wants
Slingshot, like other APT attackers, is after information, and it appears to have been designed for cyberespionage. Nearly all APT malware is state-backed. Slingshot’s tooling lets it gather virtually any data from infected devices. Analysis has shown that it takes screenshots, logs keystrokes, and harvests passwords. It also monitors network traffic, watches USB connections, and captures clipboard contents. Experts have little doubt that Slingshot also recorded credit card numbers and social security numbers.
Where to Set Defenses
Slingshot has been in operation since 2012, yet only about 100 users are known to have been targeted, in far-flung countries such as Kenya, Yemen, Congo, Iraq, Tanzania, and Jordan. Most of the victims are individuals rather than organizations. Beyond that, it is difficult to say why particular people were attacked.
For now, users can stay safe from Slingshot infections by avoiding Mikrotik routers. Because Slingshot does not rely on zero-day vulnerabilities, advanced security tools should soon be able to detect and eradicate Slingshot infections.
Why Slingshot is Scary
While Slingshot is undeniably dangerous, many security experts are as troubled as they are impressed by the malware’s complexity and uniqueness. Slingshot’s creators clearly invested a great deal of time and resources in building it, even though it has not spread as widely as other malware.
Unfortunately, little is known about the people behind Slingshot beyond their vast resources and considerable skill. Slingshot was not the work of a single hacker but of a group of state-sponsored hackers who had been working on it for over a decade. Even if experts manage to identify the actors, it is unlikely that they will face any serious consequences, and the machine behind Slingshot will continue to produce similar malware. In an age of cyberwar, cyberespionage of this kind is to be expected.