Researchers from Kaspersky Lab have discovered a malicious loader called Slingshot, which has been actively attacking users through routers for the last six years without being detected.
Typically, the routers download and run a number of DLL (dynamic link library) files on the connected devices. The attackers used the routers to add a malicious DLL to the package of otherwise legitimate DLLs. These malicious DLLs compromise the connected devices by loading into their memory.
The vulnerabilities were discovered in routers made by MikroTik. Users of MikroTik routers run the WinBox Loader software to connect to their routers. When this software is run, the device connects to a remote server and downloads the Slingshot malware. Researchers said that this malware includes two modules, called Cahnadr and GollumApp, which enable data theft.
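The mechanism described above is a trusted management tool fetching and loading a package of DLLs, with one malicious DLL slipped in among the legitimate ones. The defensive check a practitioner would want is an integrity audit of that package before anything is loaded: verify each file is a real PE image and compare its hash against a known-good allowlist, flagging files that are unknown or that differ from the expected digest. The following is an added example, not code from the article, from Kaspersky or from MikroTik; the directory layout, the `audit_dll_package` function, the allowlist, and the sample DLL files are all constructed here for illustration (the sample files are minimal fake PE stubs, not real WinBox DLLs).

```python
import hashlib
import os
import tempfile

# --- Helpers ---------------------------------------------------------------

def sha256_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe_image(path: str) -> bool:
    """Cheap structural check: 'MZ' DOS magic and a 'PE\\0\\0' signature at e_lfanew."""
    with open(path, "rb") as f:
        dos_header = f.read(0x40)
        if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
            return False
        e_lfanew = int.from_bytes(dos_header[0x3C:0x40], "little")
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def audit_dll_package(directory: str, allowlist: dict) -> dict:
    """Classify every *.dll in `directory` against an allowlist of {name: sha256}.

    Returns sorted lists under four keys:
      ok       - name and digest both match the allowlist
      modified - name is expected but the content hash differs
      unknown  - name is not in the allowlist at all (an added DLL)
      not_pe   - file does not even have a valid PE structure
    """
    result = {"ok": [], "modified": [], "unknown": [], "not_pe": []}
    for name in os.listdir(directory):
        if not name.lower().endswith(".dll"):
            continue
        path = os.path.join(directory, name)
        if not is_pe_image(path):
            result["not_pe"].append(name)
            continue
        digest = sha256_file(path)
        expected = allowlist.get(name.lower())
        if expected is None:
            result["unknown"].append(name)
        elif expected == digest:
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    return {k: sorted(v) for k, v in result.items()}


# --- Constructed sample data -----------------------------------------------

def fake_pe(payload: bytes) -> bytes:
    """Build a minimal byte string that passes is_pe_image (constructed, not a real DLL)."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew points right after the stub
    return bytes(header) + b"PE\0\0" + payload


def build_sample_package() -> tuple:
    """Write a constructed DLL package to a temp dir and return (dir, allowlist)."""
    d = tempfile.mkdtemp(prefix="dll_audit_")
    files = {
        "legit.dll": fake_pe(b"legitimate module v1"),
        "tampered.dll": fake_pe(b"this content was altered"),  # differs from allowlist
        "extra.dll": fake_pe(b"an added module nobody expected"),  # not in allowlist
        "junk.dll": b"not a PE image at all",  # fails structural check
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    # The allowlist holds digests of the versions we *expect*, so tampered.dll's
    # expected digest is computed from the original payload, not the altered one.
    allowlist = {
        "legit.dll": hashlib.sha256(files["legit.dll"]).hexdigest(),
        "tampered.dll": hashlib.sha256(fake_pe(b"original module v1")).hexdigest(),
    }
    return d, allowlist


if __name__ == "__main__":
    pkg_dir, allow = build_sample_package()
    for category, names in audit_dll_package(pkg_dir, allow).items():
        print(f"{category:9s}: {names}")
```

Anything that lands in `unknown`, `modified` or `not_pe` is grounds to refuse loading the package and to capture the file for analysis. In a real deployment the allowlist would be populated from a vendor-published manifest or from a clean reference install, and checking Authenticode signatures would be a stronger complement to raw hashes.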
Cahnadr is a kernel mode module which hands complete control of the infected computer to the attacker with no restrictions. It can execute malicious code in the system without causing a blue screen.
GollumApp is a user mode module which contains around 1500 user-code functions. Using these modules, Slingshot can harvest screenshots, keyboard data, network data, passwords, and desktop activities.
“What makes Slingshot really dangerous is the numerous tricks its actors use to avoid detection. It can even shut down its components when it detects signs that might indicate forensic research. Furthermore, Slingshot uses its own encrypted file system in an unused part of a hard drive,” noted Kaspersky researchers.
The researchers also said that Slingshot is complex malware and that the developers who built it must have spent a huge amount of time and money. “Its infection vector is remarkable – and, to the best of our knowledge, unique.”
The malicious activity was discovered in MikroTik routers, but the researchers said that routers of other brands might be compromised too.
Users of MikroTik routers and the WinBox management software need to update to the latest version to protect against this attack vector.