Researchers have uncovered new malware that has apparently been used to spy on victims in the Middle East and Africa for six years undetected.
A report from Moscow-based Kaspersky Lab details how a threat it’s calling “Slingshot” has been infecting victims, collecting a wide variety of data and exfiltrating it in a covert fashion. The company says the threat is likely the work of a resource-rich government.
“Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable – and, to the best of our knowledge, unique,” the researchers write in the report, released Friday.
Kaspersky says the APT has been active as far back as 2012 and was still active as of February this year. Slingshot is apparently so sophisticated that Kaspersky has labeled it an advanced persistent threat (APT).
The researchers say that Slingshot’s infection vector for most victims is unknown, but that in some cases the attackers gained access to and deployed the malware through routers manufactured by MikroTik, a Latvian company. In those cases, the victims unknowingly download a dynamic link library (DLL) from the router that was placed by the APT. From there, the DLL continues to download other malicious components.
Notably, the Slingshot malware framework can gain control of computers at the kernel level, giving the group complete control of a victim’s device. It does this by loading vulnerable drivers into the computer and running its own code through the router vulnerabilities, Kaspersky researchers say.
Having kernel access means Slingshot can collect whatever information it wants. Kaspersky analysis shows that the malware is configured to collect a wide swath of data from victims’ computers, including screenshots, keystrokes, networking information, user passwords, USB connection and clipboard information, among other things.
Another unique trait to Slingshot is how stealthy it is. It employs techniques to bypasses security products, and it encrypts all strings — the individual command lines — in its modules. Slingshot also has the ability to make sure its components can finish their tasks before the system is shut down, which Kaspersky says is probably to avoid detection in the case of a technical computer forensic investigation.
So far, the researchers say they have identified at least 100 victims, for the most part based in Kenya and Yemen, as well as Afghanistan, Libya, Democratic Republic of Congo, Jordan, Turkey, Iraq, Sudan, the United Arab Emirates, Mauritius, Somalia and Tanzania. Nearly all of these countries have been involved in recent years with Western governments on foreign counterterrorism efforts.
There are some limited hints that suggest SlingShot may be connected to another APT group, the Equation Group, which is widely believed to be associated with the U.S. government. Code overlaps between past Equation Group-linked activity shows a relationship could exist, although the evidence is far from conclusive.
Even so, Kaspersky researchers say they aren’t able to attribute Slingshot to an already known threat group. But text within Slingshot’s code is written in perfect English, with apparent references to J. R. R. Tolkien’s Lord of the Rings. Kaspersky says in a press release that Slingshot’s sophistication suggests that the attackers behind it are “professional and probably state-sponsored.”
“The malware is highly advanced, solving all sort of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor,” the researchers write. “All this framework is designed for flexibility, reliability and to avoid detection, which explains why these components were not found for more than six years.”
Kaspersky’s visibility into Slingshot’s worldwide impact is limited and so it’s likely that they’re only aware of a subset of the group’s wider activity. There may also be attack vectors aside from MikroTik routers. Kaspersky says it has given MikroTik all its information and that MikroTik’s software no longer downloads anything from the users’ routers to their computers.