Slingshot APT is the name given to a highly sophisticated group of hackers responsible for the deployment of a complex data exfiltration threat. Due to the nature of its activities, infosec researchers believe that the goal of the Slingshot APT is corporate espionage. The methods used by the hackers show that they have spent considerable time crafting their malware toolkit. The activities of the group have continued from 2012 to at least 2018.
The attack platform established by Slingshot involves multiple stages and several vectors of compromise. One confirmed method was through Mikrotik routers that had been modified to serve a corrupted component downloaded by Winbox Loader, a legitimate management utility used for Mikrotik configuration. When the user runs Winbox Loader, it connects to the compromised router and downloads infected Dynamic Link Library (.DLL) files onto the victim's computer. One of these files, named 'ipv4.dll', acts as a dropper for additional malware modules by connecting to a hardcoded IP address and port. The legitimate Windows library 'scesrv.dll' is replaced with a malicious counterfeit that has exactly the same file size, so a size-only integrity check will not notice the swap.
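Because the counterfeit 'scesrv.dll' matches the genuine file's size, a baseline comparison has to rely on a content hash rather than size. The following is an added illustration, not code from the original page: it checks a file against a known-good (size, SHA-256) baseline and reports the specific "same size, different hash" pattern separately from other modifications. The baseline values and the sample files are constructed for the demonstration and are not real Windows binaries.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, baseline):
    """Compare a file against a baseline of {lowercase name: (size, sha256)}.
    Returns 'ok', 'size-match-hash-mismatch' (identical size but altered
    content, the pattern described for scesrv.dll), 'modified', or 'unlisted'."""
    name = os.path.basename(path).lower()
    if name not in baseline:
        return "unlisted"
    expected_size, expected_hash = baseline[name]
    if sha256_of(path) == expected_hash:
        return "ok"
    if os.path.getsize(path) == expected_size:
        return "size-match-hash-mismatch"
    return "modified"


def demo():
    """Write constructed sample files to a temp dir and classify each one."""
    genuine = b"MZ" + b"\x00" * 30 + b"genuine scesrv code"
    forged = b"MZ" + b"\x00" * 30 + b"forged  scesrv code"  # same length as genuine
    # Hypothetical baseline built from the constructed 'genuine' bytes.
    baseline = {"scesrv.dll": (len(genuine), hashlib.sha256(genuine).hexdigest())}
    cases = {"clean": genuine, "infected": forged, "truncated": genuine[:-4]}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, content in cases.items():
            sub = os.path.join(d, label)
            os.makedirs(sub)
            p = os.path.join(sub, "scesrv.dll")
            with open(p, "wb") as f:
                f.write(content)
            results[label] = classify(p, baseline)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```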
The bulk of the harmful activity is performed by two sophisticated modules named 'Cahnadr' and 'GollumApp' that work in tandem. 'Cahnadr', also known as Ndriver, is a kernel module responsible for low-level network routines, I/O operations, and similar tasks. To embed its code at the kernel level, Slingshot abuses legitimate signed drivers with known vulnerabilities (such as CVE-2007-5633, CVE-2010-1592, and CVE-2009-0824) by loading them and running its own code through those flaws. Gaining access at such a low system level gives the attackers near-limitless control over the compromised computers, allowing them to bypass any protections implemented by the victim. Notably, 'Cahnadr' performs its functions without crashing the system or triggering a Blue Screen of Death.
The other Slingshot module, GollumApp, is far more complex, containing over 1500 user-defined functions. It is tasked with setting up the threat's persistence mechanism, manipulating the file system on the compromised device, and handling communication with the Command-and-Control (C2, C&C) infrastructure.
Slingshot collects a significant amount of information from the compromised systems. The malware can capture keyboard data, network data, USB connections, passwords, and usernames, access the clipboard, take screenshots, and more. Because Slingshot has kernel-level access, the attackers could potentially collect anything they want, such as credit/debit card details, social security numbers, and passwords. All of the gathered data is exfiltrated through standard network channels. The malware hides its abnormal traffic inside legitimate callbacks: it inspects traffic for its own Slingshot packets and returns only the filtered, normal-looking traffic to the user and to any sniffer applications that might be installed.