Despite infecting at least 100 computers worldwide, a piece of malware remained hidden for six years. Named Slingshot, this stealthy malware was discovered by security researchers at Kaspersky Lab. It spies on the victim’s computer. The infection happens when the user runs Winbox Loader (a utility used for MikroTik router configuration), which connects to the MikroTik router and downloads some DLLs. Slingshot replaces one of these libraries with a malicious one, which then downloads other malicious components, including two huge and powerful modules: Cahnadr, the kernel-mode module, and GollumApp, the user-mode module.
GollumApp is the most sophisticated module, containing nearly 1500 user-code functions. Cahnadr, on the other hand, gives the attacker full control over the infected computer, without any limitations. Slingshot can steal whatever it wants, including network traffic, screenshots, passwords, and even keystrokes.
“Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation,” company researchers wrote. “Its infection vector is remarkable—and, to the best of our knowledge, unique.”
The malware can be fixed with recent MikroTik router firmware updates. However, the biggest concern right now is that other routers might be affected. If that is the case, it is very likely that the malware is still stealing data.