Security researchers at Kaspersky Lab have discovered a rather nasty malware strain that has been hiding in certain wireless routers for over half a decade. Called Slingshot, the malware is believed by the researchers who discovered it to be part of a sophisticated cyberespionage campaign.
The malware is present in certain routers manufactured by MikroTik, though Kaspersky says it might also be affecting models from other brands. Part of what makes Slingshot particularly dangerous is that it uses a trick to run in kernel mode. That is almost impossible to do on an up-to-date operating system, but Slingshot manages the feat by searching the victim's computer for signed but vulnerable drivers and then abusing them to load its own malicious code.
"What makes Slingshot really dangerous is the numerous tricks its actors use to avoid detection. It can even shut down its components when it detects signs that might indicate forensic research. Furthermore, Slingshot uses its own encrypted file system in an unused part of a hard drive," Kaspersky says.
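A hidden encrypted file system in unallocated disk space has one property an examiner can look for: encrypted data is nearly indistinguishable from random bytes, so it shows up as long runs of high-entropy blocks where a disk should hold zeros or slack. The script below is an added example (not Kaspersky's or the original article's code) of that triage check. The 4096-byte block size, the 7.5-bit threshold, the minimum run length and the sample disk image are all assumptions constructed for the demo; a real run would read the raw device or an image file and compare the flagged ranges against the partition table and allocation map.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 4096        # scan unit; an assumption, not tied to any real sector size
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or random data sits close to 8.0
MIN_RUN_BLOCKS = 4       # ignore isolated hot blocks (a lone compressed file, for instance)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in the block: 0.0 for all-identical bytes, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_high_entropy_runs(image: bytes, block_size: int = BLOCK_SIZE,
                           threshold: float = ENTROPY_THRESHOLD,
                           min_run: int = MIN_RUN_BLOCKS):
    """Return (first_block, last_block) for every contiguous run of at least
    min_run blocks whose entropy exceeds threshold. Runs shorter than min_run
    are dropped so that a single compressed or encrypted file does not fire."""
    runs = []
    start = None
    nblocks = (len(image) + block_size - 1) // block_size
    for i in range(nblocks):
        block = image[i * block_size:(i + 1) * block_size]
        hot = shannon_entropy(block) > threshold
        if hot and start is None:
            start = i                      # a run begins
        elif not hot and start is not None:
            if i - start >= min_run:
                runs.append((start, i - 1))
            start = None                   # the run ended
    if start is not None and nblocks - start >= min_run:
        runs.append((start, nblocks - 1))  # run continued to the end of the image
    return runs


def build_sample_image() -> bytes:
    """Constructed disk image (not a real capture): zeroed unallocated space,
    a little plaintext, a hidden random blob standing in for an encrypted
    container, and one isolated random block that should be ignored."""
    rng = random.Random(1234)  # fixed seed so the demo is reproducible

    def random_blocks(count: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(count * BLOCK_SIZE))

    zeros = bytes(BLOCK_SIZE)
    text = (b"log entry: service started\n" * 400)[:BLOCK_SIZE * 2]
    return (
        zeros * 8            # blocks 0-7: empty slack
        + text               # blocks 8-9: ordinary plaintext, low entropy
        + random_blocks(6)   # blocks 10-15: the hidden "encrypted" region
        + zeros * 4          # blocks 16-19: empty slack
        + random_blocks(1)   # block 20: isolated hot block, below MIN_RUN_BLOCKS
        + zeros * 3          # blocks 21-23: empty slack
    )


if __name__ == "__main__":
    for first, last in find_high_entropy_runs(build_sample_image()):
        size = (last - first + 1) * BLOCK_SIZE
        print(f"high-entropy run: blocks {first}-{last} ({size} bytes)")
```

High entropy is an indicator, not proof: compressed archives, media files and legitimately encrypted volumes look the same to this check, so every flagged range still needs to be reconciled with what the file system says should be there.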
When running in kernel mode, Slingshot can give attackers complete control of the system without any limitations whatsoever. And unlike the majority of malware that tries to run in kernel mode, Slingshot can execute without crashing the system or causing a blue screen error.
There is also a user-mode component to Slingshot, which is described as even more sophisticated: it contains nearly 1,500 user-code functions.
According to Kaspersky, Slingshot primarily focuses on spying activities, such as collecting screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard contents, and more. And with full access to the kernel, attackers can essentially steal whatever they want, including credit card numbers, password hashes, social security numbers, and anything else that is entered on or accessible from the machine.
Kaspersky has made MikroTik aware of the malware and recommends that anyone using a MikroTik router upgrade the firmware to the latest version as soon as possible. That advice is good security practice regardless of your brand of router.