Slingshot router malware

I just learned about a newly discovered router malware nicknamed Slingshot thanks to the alert writers at engadget. So far it’s only been identified on MikroTik routers (presumably running factory firmware). Please see link below. I just wanted to check if anyone knows whether routers running the latest version of OpenWRT/LEDE firmware are protected?

KR

First read is "unlikely" as there is no Windows-based management tool for OpenWRT/LEDE

The exact method used by Slingshot to exploit the routers in the first instance is not yet clear. When the target user runs Winbox Loader software (a utility used for Mikrotik router configuration), this connects to the router and downloads some DLLs (dynamic link libraries) from the router’s file system.

Source: https://securelist.com/apt-slingshot/84312/ as linked from https://www.kaspersky.com/blog/web-sas-2018-apt-announcement-2/21514/

Detailed report: https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf

Depends on your definition of "management tool".

I can do quite a bit with WinSCP (get root access, copy, edit and delete files, change permissions, etc.)

Of course but:

So you do it manually, not automatically on connect. So you have to know what to download and run on the Windows box. As you could read, Slingshot works on Windows boxes and routers are only compromised for 'poisoning' workstations.

From BleepingComputer...

Source is always better than reprint :slight_smile: . From The Slingshot APT FAQ:

How exactly does infection happen?
The exact method used by Slingshot to exploit the routers in the first instance is not yet clear. When the target user runs Winbox Loader software (a utility used for Mikrotik router configuration), this connects to the router and downloads some DLLs (dynamic link libraries) from the router’s file system.

So the targets are Windows boxes, routers are only a tool for infecting. But "the clue" is how Mikrotik's routers were compromised?
And the second question: is only RouterOS vulnerable, or also other embedded systems?

Are Mikrotik the only affected routers?
Some victims may have been infected through other routes. During our research we also found a component called KPWS that turned out to be another downloader for Slingshot components.

At the moment it's not clear...

:sunny: The devil is in the detail, and there is not really much detail other than the attack vector is the Winbox component that injects a malicious military grade Windows service preloaded in the router.

Kaspersky: While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.

Advice to users: snap in half the CD that comes with the router and stick to using the web interface. Better, replace the router's firmware with OpenWrt/LEDE and use SSH.
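As an added example, not part of the post above or of the OpenWrt project, the "use SSH" advice spelled out as a hardened dropbear configuration for OpenWrt/LEDE, the equivalent uci commands, and a small check that can be run against a router's /etc/config/dropbear. It assumes the stock single dropbear section (dropbear.@dropbear[0]) and a LAN interface named 'lan'; the option names are the standard dropbear UCI options.

```shell
#!/bin/sh
# Added example (not from the thread): key-only, LAN-only SSH on OpenWrt.
# Assumes the default dropbear.@dropbear[0] section and an interface named 'lan'.

# Hardened /etc/config/dropbear: no password logins, listen only on the LAN side.
hardened_dropbear_config() {
  cat <<'EOF'
config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '22'
	option Interface 'lan'
EOF
}

# The same settings as uci commands. Run this on the router itself, and only
# after your public key is in /etc/dropbear/authorized_keys, or you lock yourself out.
apply_on_router() {
  uci set dropbear.@dropbear[0].PasswordAuth='off'
  uci set dropbear.@dropbear[0].RootPasswordAuth='off'
  uci set dropbear.@dropbear[0].Interface='lan'
  uci commit dropbear
  /etc/init.d/dropbear restart
}

# check_dropbear_config FILE: returns 0 if FILE disables password logins and
# binds dropbear to 'lan', otherwise prints what is missing and returns 1.
check_dropbear_config() {
  f=$1
  rc=0
  grep -Eq "^[[:space:]]*option[[:space:]]+PasswordAuth[[:space:]]+'?off'?" "$f" \
    || { echo "PasswordAuth is not off"; rc=1; }
  grep -Eq "^[[:space:]]*option[[:space:]]+RootPasswordAuth[[:space:]]+'?off'?" "$f" \
    || { echo "RootPasswordAuth is not off"; rc=1; }
  grep -Eq "^[[:space:]]*option[[:space:]]+Interface[[:space:]]+'?lan'?" "$f" \
    || { echo "Interface is not restricted to lan"; rc=1; }
  return $rc
}

# Usage on a router: check_dropbear_config /etc/config/dropbear
```

The check is deliberately a plain grep over the UCI file so it can be run from a workstation over scp/ssh without uci installed; on the router itself `uci show dropbear` gives the same answer. Restricting dropbear to 'lan' keeps SSH off the WAN side, which is the other half of the advice in the post.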

While I won't challenge or speculate on your point of view...since you claim it's military...who is its 'target' (...and why)???

From theregister link:

The researchers found only around 100 infections and the vast majority were in Africa and the Middle East, with Kenya and Yemen showing the most compromised systems.

...makes you think.

:thinking:

Maybe they are just testing/polishing the "final weapon", used and undetected in other regions...

@lleachii - The trojan seems more like a spooks toolkit that farms local environment variables and traffic activity. It's certainly too heavyweight to just be some banking bot released by teenagers. Likely it's some cyber weapon in the war on terror.

@bimmerguy and everyone else, some interesting thoughts on the exploits of Mikrotik routers... on Github.