iTnews reports that Slingshot, a highly advanced piece of malware, remained hidden for six years and was only recently discovered:
They were unable to pinpoint how Slingshot infected all of its targets; however, in several cases the malware’s operators targeted routers and used them as a springboard to attack computers within a network.
“The initial loader replaces the victim’s legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others,” Kaspersky Lab reported.
“While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.”
Slingshot likely used other methods – like zero-day vulnerabilities – to attack targets, Kaspersky Lab said.
After infection Slingshot downloads a variety of additional modules onto the victim device. The two most powerful modules – GollumApp and Cahnadr – are connected and can support each other in gathering data.
Slingshot appears targeted towards espionage; Kaspersky Lab said the malware was used to log desktop activity, steal data from the clipboard, and collect information about open windows, keyboard data, and network data, among other things.
Considering Slingshot is targeting espionage, it may be backed by nation state actors. Now the question is: which nation state stands to benefit from spying on, and exfiltrating data from, the thus-far identified victims in the Middle East and Africa since 2012?
One local sophisticated player comes to mind: Iran.
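Kaspersky's description of the loader swapping scesrv.dll for a malicious copy "of exactly the same size" is a reminder that size-only integrity checks miss this kind of tampering. The script below is an added example, not code from the iTnews or Kaspersky reporting: it baselines a file by size and SHA-256, then re-checks it after a same-size swap. The file name and byte contents are constructed stand-ins, not the real Windows library.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a legitimate system library (not a real PE file).
LEGIT_IMAGE = b"MZ" + b"legitimate scesrv.dll image".ljust(1022, b"\x00")
# Constructed same-size replacement: identical length, different bytes.
TAMPERED_IMAGE = b"MZ" + b"tampered  scesrv.dll image".ljust(1022, b"\x00")
assert len(LEGIT_IMAGE) == len(TAMPERED_IMAGE)


def sha256_file(path):
    """Hash a file in chunks so large libraries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_entry(path):
    """Record what a known-good copy looks like: size plus content hash."""
    return {"size": os.path.getsize(path), "sha256": sha256_file(path)}


def check_against_baseline(baseline, path):
    """Compare a file on disk to its baseline. Size alone is a weak signal
    (a same-size replacement passes it), so the hash decides the verdict."""
    size_match = os.path.getsize(path) == baseline["size"]
    hash_match = sha256_file(path) == baseline["sha256"]
    return {"size_match": size_match, "hash_match": hash_match,
            "verdict": "clean" if hash_match else "REPLACED"}


def demo():
    """Baseline a clean copy, swap in a same-size replacement, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "scesrv.dll")  # constructed path, not a system dir
        with open(path, "wb") as f:
            f.write(LEGIT_IMAGE)
        baseline = baseline_entry(path)
        clean = check_against_baseline(baseline, path)
        with open(path, "wb") as f:  # simulate the same-size swap
            f.write(TAMPERED_IMAGE)
        tampered = check_against_baseline(baseline, path)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before swap:", before)
    print("after swap: ", after)
```

The second result reports `size_match` True but `hash_match` False, which is exactly the case a size-only check would have passed.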