
Kaspersky uncovers major new malware attack targeting routers

(Image credit: 3844328 / Pixabay)

A new strain of sophisticated and likely state-sponsored malware has been discovered that spies on users through their routers

Security researchers at Kaspersky Lab discovered the malware, nicknamed Slingshot, that targets MikroTik routers through a multi-layer attack utilised to spy on users' PCs. 

The attack begins with the malware replacing a legitimate library file with a malicious version that downloads the other components. Slingshot then operates on two fronts: Cahnadr, which runs low-level kernel code and lets the malware operate across the whole system, and GollumApp, which works at user level and manages the file system to ensure the malware persists.
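The first stage described above is a library file being swapped for a malicious one of the same name. The check a defender would want for that stage is a file-integrity comparison against a known-good baseline. The following is an added example, not code from the article or from Kaspersky or MikroTik; the directory layout, file names (netcfg.dll, ui.dll, crypto.dll, helper.dll) and file contents are constructed for the demonstration and are not the files Slingshot touched.

```python
"""Added example: detect a replaced or dropped library file by comparing
on-disk SHA-256 hashes against a trusted manifest. File names and contents
below are constructed for the demo and are hypothetical."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(directory, names):
    """Record known-good SHA-256 hashes for the listed library files.

    In practice the manifest comes from a clean install or vendor-published
    hashes and is stored where the malware cannot rewrite it.
    """
    return {name: sha256_file(Path(directory) / name) for name in names}


def verify_directory(directory, manifest):
    """Compare a directory against the manifest.

    Returns (findings, extras): findings maps each expected name to
    'ok', 'modified' or 'missing'; extras lists .dll files present on
    disk that the manifest never listed (a dropped component).
    """
    directory = Path(directory)
    findings = {}
    for name, expected in manifest.items():
        path = directory / name
        if not path.is_file():
            findings[name] = "missing"
        elif sha256_file(path) != expected:
            findings[name] = "modified"
        else:
            findings[name] = "ok"
    extras = sorted(
        p.name for p in directory.iterdir()
        if p.is_file() and p.suffix.lower() == ".dll" and p.name not in manifest
    )
    return findings, extras


def demo():
    """Constructed scenario: baseline three libraries, then simulate the
    replacement stage by overwriting one in place and dropping an extra DLL."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = {
            "netcfg.dll": b"clean network config library",
            "ui.dll": b"clean ui library",
            "crypto.dll": b"clean crypto library",
        }
        for name, content in clean.items():
            (root / name).write_bytes(content)
        manifest = build_manifest(root, clean)

        # Attacker stage: same name, same location, different contents.
        (root / "netcfg.dll").write_bytes(b"malicious loader that fetches more modules")
        # Dropped component that was not present at baseline.
        (root / "helper.dll").write_bytes(b"second stage")

        return verify_directory(root, manifest)


if __name__ == "__main__":
    findings, extras = demo()
    for name, state in findings.items():
        print(f"{name}: {state}")
    print("unexpected files:", extras)
```

One caveat follows directly from the article's own description: once a kernel-mode component is resident, a check that runs on the same host can be fed false file contents, so hashes should be taken from a trusted environment (offline media, a known-clean host, or a vendor hash list) and the manifest itself kept off the machine being inspected.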

Kaspersky offered further explanation on how the Slingshot malware operates in a blog post, saying: 

“Among the malware Slingshot used were two masterpieces: a kernel mode module called Cahnadr and GollumApp, a user mode module. Running in kernel mode, Cahnadr gives attackers complete control, without any limitations, over the infected computer. Furthermore, unlike the majority of malware that tries to work in kernel mode, it can execute code without causing a blue screen. The second module, GollumApp, is even more sophisticated. It contains nearly 1,500 user-code functions.” 

Slingshot protects itself by storing all of its malware files within an encrypted virtual file system and by encrypting every text string used in its modules. It also evades security software by calling system services directly, bypassing the hooks security products place on standard APIs, and by shutting down its components when it detects active forensic tools.

Slingshot can steal keystrokes, passwords, screenshots and almost any other information on a user's system. Its attention to avoiding detection explains how it remained undetected since at least 2012, far longer than less sophisticated malware typically survives.

MikroTik has released updated firmware for its routers, which should prevent the malware from spreading further; administrators should apply it and confirm that their devices are running the patched version. The level of sophistication behind Slingshot shows just how advanced the methods employed by attackers have become.


Anthony Spadafora
After living and working in South Korea for seven years, Anthony now resides in Houston, Texas where he writes about a variety of technology topics for ITProPortal.