iTnews

'Highly advanced' Slingshot malware remained hidden for six years

By Allie Coyne on Mar 12, 2018 9:06AM
Platform 'can solve all sorts of problems'.

Researchers have discovered a "highly sophisticated and complicated" malware threat that has managed to remain hidden for at least six years.

Kaspersky Lab researchers over the weekend revealed the so-called Slingshot advanced persistent threat (APT) had successfully targeted almost 100 victims in the Middle East and Africa since at least 2012.

The researchers said Slingshot uses an array of tools and techniques to carry out its attacks.

They were unable to pinpoint how Slingshot infected all of its targets; however, in several cases the malware's operators compromised routers and used them as a springboard to attack computers within the network.

"The initial loader replaces the victim's legitimate Windows library 'scesrv.dll' with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others," Kaspersky Lab reported.

"While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router."

Slingshot likely used other methods - like zero-day vulnerabilities - to attack targets, Kaspersky Lab said.
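Because the replacement scesrv.dll described above keeps exactly the same size as the legitimate library, a size or timestamp comparison proves nothing; the signature does. The following PowerShell check is an added example written for this article, not code from iTnews or Kaspersky Lab; it assumes a Windows host where the original binary is catalog-signed by Microsoft, and flags any copy whose Authenticode status is not Valid or whose signer is not Microsoft.

```powershell
# Added example (not from the article or Kaspersky Lab): verify that
# scesrv.dll is still the Microsoft-signed binary. Slingshot's malicious
# DLL matched the original's size exactly, so only a signature check
# (direct or via a Windows catalog) can tell the two apart.
$targets = @(
    "$env:SystemRoot\System32\scesrv.dll",
    "$env:SystemRoot\SysWOW64\scesrv.dll"   # only present on 64-bit Windows
)

foreach ($path in $targets) {
    if (-not (Test-Path -Path $path)) { continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $size = (Get-Item -Path $path).Length

    # Status is 'Valid' for files signed directly or through a catalog;
    # a swapped-in DLL shows NotSigned, HashMismatch or a non-Microsoft signer.
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
        ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        Path     = $path
        Size     = $size
        SHA256   = $hash
        SigState = $sig.Status
        Signer   = $sig.SignerCertificate.Subject
        Suspect  = -not $signedByMicrosoft
    }
}
```

Record the SHA256 values from a known-good build so later runs can be compared against a baseline rather than the signature alone.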

After infection, Slingshot downloads a variety of additional modules onto the victim device. The two most powerful modules - GollumApp and Cahnadr - are connected and can support each other in gathering data.

Slingshot appears targeted towards espionage; Kaspersky Lab said the malware was used to log desktop activity, steal data from the clipboard, and collect information about open windows, keyboard data, and network data, among other things.

The malware uses an encrypted virtual file system normally housed in an unused part of the hard drive to remain undetected, one of several concealment techniques.

Kaspersky has labelled Slingshot one of the most advanced attack platforms ever uncovered, rivalling Project Sauron and Regin in complexity.

"The discovery of Slingshot reveals another complex ecosystem where multiple components work together in order to provide a very flexible and well-oiled cyber espionage platform," Kaspersky Lab wrote.

"The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor."

The firm did not identify the developers of the malware, noting only that most of the platform's debug messages were written in perfect English, and that references in the malware to The Lord of the Rings suggested an appreciation of J.R.R. Tolkien.

"Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation," Kaspersky Lab wrote.

"Its infection vector is remarkable—and, to the best of our knowledge, unique."

Copyright © iTnews.com.au . All rights reserved.