APT Slingshot Infection on The Roll Through Routers


At the Security Analyst Summit, the well-known antivirus vendor Kaspersky Lab disclosed a cyber-espionage malware platform called "Slingshot" that compromises users' systems through their routers.

Security researchers at Kaspersky Lab discovered sophisticated spying-oriented malware that reaches PCs through network routers. Nicknamed Slingshot, the malware stages malicious components on a compromised router; the router's management software (WinBox) then pulls those components down onto the administrator's computer, where they launch a two-tier attack to collect data such as screenshots and keystrokes. One tier runs low-level kernel code that provides deep access to the computer's storage and memory, while the other tier runs user-level code that coordinates the attack.


Thanks to defensive measures such as an encrypted virtual file system, Slingshot is extremely effective at avoiding detection, so effective that nobody spotted it for about six years. Kaspersky suspects that Slingshot is the work of a government agency, as its sophistication rivals that of infamous spying malware such as Regin.

The targets, which include both individuals and government bodies, are in a handful of countries including Afghanistan, Iraq, Kenya and Turkey. And the threat is not necessarily over: while the manufacturer of the routers abused by Slingshot has addressed the problem, it is not known whether other routers are affected. If they are, it is possible that the spying campaign remains active to this day.

How Slingshot works?


                                                  Source: securelist

The initial loader replaces the legitimate Windows library scesrv.dll with a malicious file of the same name and exactly the same size. Because scesrv.dll is loaded by services.exe, the malicious code runs with SYSTEM privileges, and because the size matches, an inventory that compares only file names and sizes will not notice the swap; only a hash or Authenticode signature check will. The malicious DLL then connects to a designated IP address and port, downloads further malicious components and runs them on the victim's machine.
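The size-preserving swap described above is the detail a defender should act on. The following Python script is an added example, not code from the original article or from Kaspersky's analysis: it builds a baseline of (size, SHA-256) for every file under a directory, then reports files whose hash changed while the size stayed the same, which is exactly what a size-only inventory misses. The fake System32 directory, the DLL contents and the file names it uses are constructed for the demo; on a real host you would take the baseline from a clean image of the same Windows build and also check the Authenticode signature of any flagged DLL.

```python
"""Baseline-vs-current integrity check that catches same-size file swaps.

Added example for this article (not the author's or Kaspersky's code). The
directory layout, byte contents and file names below are constructed to
mimic a Slingshot-style replacement of scesrv.dll and are not real artifacts.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record (size, sha256) for every regular file under root, keyed by relative path."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            baseline[rel] = (p.stat().st_size, sha256_of(p))
    return baseline


def check_integrity(root, baseline):
    """Compare the tree under root against a baseline.

    Returns {relative_path: finding}. A file whose hash changed but whose size
    did not is reported as "same-size-replacement": this is the case that a
    size-only check cannot see.
    """
    root = Path(root)
    findings = {}
    for rel, (size, digest) in baseline.items():
        p = root / rel
        if not p.exists():
            findings[rel] = "missing"
            continue
        if sha256_of(p) == digest:
            continue  # unchanged
        if p.stat().st_size == size:
            findings[rel] = "same-size-replacement"
        else:
            findings[rel] = "modified"
    return findings


def size_only_check(root, baseline):
    """The weak check for comparison: flag only files whose size changed."""
    root = Path(root)
    return {rel for rel, (size, _) in baseline.items()
            if (root / rel).stat().st_size != size}


def demo():
    """Construct a fake System32, baseline it, swap the DLL for a same-size
    payload, and return (hash_findings, size_only_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "System32"
        sys32.mkdir()
        # Constructed stand-in for the legitimate DLL: 4096 bytes, MZ header.
        clean = b"MZ" + b"\x00" * 62 + b"legit scesrv.dll body".ljust(4096 - 64, b"\x00")
        (sys32 / "scesrv.dll").write_bytes(clean)
        (sys32 / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 100)  # untouched control file
        baseline = build_baseline(sys32)

        # Attacker swap: same name, same size, different content.
        evil = bytearray(clean)
        stub = b"loader stub"
        evil[64:64 + len(stub)] = stub
        assert len(evil) == len(clean)
        (sys32 / "scesrv.dll").write_bytes(bytes(evil))

        return check_integrity(sys32, baseline), size_only_check(sys32, baseline)


if __name__ == "__main__":
    hash_findings, size_findings = demo()
    print("hash-based findings:", hash_findings)   # flags scesrv.dll
    print("size-only findings:", size_findings)    # empty: the swap is invisible
```

Running the script shows the hash-based check flagging scesrv.dll as a same-size replacement while the size-only check returns nothing. In production, the baseline must come from a trusted source (a golden image or the vendor's catalog) rather than from the possibly-compromised host itself, and a flagged system DLL should be confirmed with a signature check before any cleanup.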

Slingshot first abuses the router, then loads a number of modules onto the system. The first is Cahnadr, the kernel-mode module, and the second is GollumApp, the user-mode module. The two modules work together to gather information and exfiltrate it. Cahnadr can run malicious code in kernel mode without crashing the system, and it gives the platform access to the hard drives and the operating system regardless of any installed antivirus or anti-malware product.


How to roll back APTs and Infections like Slingshot?

If you use a router from the Latvian firm MikroTik, or the WinBox router management software, update both to the latest versions (the router's RouterOS firmware and the WinBox client), either through the vendor's update mechanism or with help from your support provider.

Beyond that, anti-malware software can reduce your exposure. It does not guarantee protection against a threat of this class, which is built to evade it, but it does lower the risk of infection.

Conclusion

Slingshot is another attack in which multiple mechanisms work together to form a mature cyber-espionage platform.

The infection is very powerful because of how the attackers combined its components. Slingshot can switch its mechanisms off when it detects signs of research or detection.

The platform was built for flexibility, durability and evasion, which explains why the malware went unnoticed for about six years. Similar techniques were earlier used in malware such as Turla and White Lambert.