Kaspersky Lab has published a shocking revelation of another, reportedly government-supported (unconfirmed), spying tactic. Dubbed Slingshot, the malware is a carefully engineered malicious loader. Researchers have identified the changes the malware makes to an infected operating system: it replaces a legitimate Windows library, “scesrv.dll”, with a malicious version that mimics the original.
While “scesrv.dll” was the most commonly modified DLL, the researchers mention that “spoolsv.exe” can be replaced as well. In addition, Slingshot communicates with other modules (a virtual file system, a kernel-mode network sniffer, etc.).
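A defender-side check that follows from the behaviour described above, written for this page as an added example (it is not code from Kaspersky's report): it verifies that the two Windows binaries named as replacement targets are still validly signed by Microsoft and records their hash and last-write time for triage. It assumes a standard Windows layout under `$env:SystemRoot\System32` and an elevated PowerShell session.

```powershell
# Added example: verify the on-disk scesrv.dll and spoolsv.exe are still
# genuine Microsoft-signed binaries. Paths below assume a default Windows install.
$targets = @(
    "$env:SystemRoot\System32\scesrv.dll",
    "$env:SystemRoot\System32\spoolsv.exe"
)

foreach ($path in $targets) {
    if (-not (Test-Path $path)) {
        Write-Output "$path : MISSING"
        continue
    }
    # Get-AuthenticodeSignature also resolves catalog signatures, which is how
    # most in-box Windows binaries are signed (SignatureType = Catalog).
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<none>" }
    $ok     = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')
    $hash   = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $mtime  = (Get-Item $path).LastWriteTime
    $verdict = if ($ok) { "OK" } else { "SUSPICIOUS - review this file" }

    Write-Output $path
    Write-Output "  status=$($sig.Status) signer=$signer"
    Write-Output "  sha256=$hash modified=$mtime"
    Write-Output "  verdict=$verdict"
}
```

A valid signature is a necessary check, not proof of integrity on a host where a kernel-mode component may already be active, so treat a failed check as a reason to image the machine rather than as the whole investigation.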
Slingshot loader downloads malicious components and steals data from victims’ computers
It is estimated that this malware has been active since 2012 and has silently infected thousands of people around the world. Even though the majority of Slingshot infections originated from a still unidentified source, researchers have discovered one of the ways the virus reaches victims' computers. The attackers are said to have gained access to Mikrotik routers and placed a malicious component there, which was then downloaded by Winbox Loader. As a result, the administrators of the compromised routers became infected.
The majority of the victims come from these countries: United Arab Emirates, Iraq, Kenya, Libya, Yemen, Afghanistan, Jordan, Tanzania, Somalia, Turkey and a few others. The attacks therefore mostly focused on potential victims in the Middle East and Africa. It is disturbing that the loader managed to download malicious components undetected for six years.
However, security researchers are not shocked by this level of evasiveness. Slingshot is a highly sophisticated malware strain in every respect, so it would be naïve to expect its defensive mechanisms to be anything less than excellent. Standard malware-detection practices did not reveal Slingshot to its victims, who were left completely in the dark.
Is Slingshot malware the creation of a state agency?
The Slingshot malware can be described as the perfect spying tool. Why? According to Kaspersky, the infection can steal almost anything from an infected computer: it can read passwords, log keystrokes, track network traffic, and even capture screenshots.
This professional malware, designed to spy on people in a variety of countries, is not the work of amateur hackers. Creating such a virus requires considerable knowledge and experience. Soon enough, theories began circulating: everyone wanted to express an opinion about who might be responsible for Slingshot. Kaspersky also had something to say about its possible creators. Given the complexity of the malware and its choice of targets, the researchers pointed out that a security agency might be behind the Slingshot virus.
This would make sense: the targets of the spying tool are countries that are considered potentially dangerous, and the fight against terrorism involves a great deal of spying and hacking aimed at discovering the next targets. However, the true authors of Slingshot remain unknown. Nevertheless, this sensitive-data-stealing malware is certainly one of the most sophisticated threats we have seen this year.