
Victims Infected Through MikroTik Routers in Latest Cyber-Espionage Group Attack

March 12, 2018 | Simeon Georgiev

Kaspersky Lab has uncovered a new cyber-espionage group that uses MikroTik routers to infect users, in an attack that many researchers and analysts in this field have called unique. Experts studying the case have codenamed the group behind the attack Slingshot, and according to the latest evidence the group is believed to have started operations back in 2012. The group was still found to be active in February 2018, so reports of the attacks can be trusted.

Experts from Kaspersky believe that because this group has been active for more than half a decade, they used extremely complex malware. The operations were very specifically targeted, and Slingshot appeared to be different from the run-of-the-mill cyber-criminal operation focused on profits. Slingshot is currently believed to be a state-sponsored group, unlike other cyber-criminals.

Relied on Windows Exploits

One thing that impressed Kaspersky about the whole operation was the level of complexity that Slingshot showed throughout their hacking process. The malware they possessed was expensive to develop, may have required a lot of time to create, was sophisticated, had an innovative method of delivery and did not trigger any errors whatsoever. Although Slingshot relied on classic Windows exploits in most cases, a few attacks that differed from the others were carried out through MikroTik routers.

The group used these routers as points for delivering payloads to their desired targets. This was done through Winbox Loader, an application by MikroTik that helps users configure the routers. The app works by downloading DLLs from the router itself. Slingshot replaced these files with malicious ones, which infected users when they configured or reconfigured their router through the Winbox Loader app.

Researchers working on the events have found that Slingshot usually infects users with two distinct families of malware, Cahnadr and GollumApp. Cahnadr is usually detected by researchers as NDriver.
