🇺🇸

Slingshot

APT Group Information theft and espionage ETDA ✓

Also Known As

No alias recorded

Target Countries 15

Countries highlighted in red

Afghanistan Congo Germany Greece Iraq Jordan Kenya Latvia Libya Sudan Somalia Turkey United Republic of Tanzania United States Yemen

Sectors Targeted

National Security and International Affairs 928110 All Other Information Services 51919 Educational Support Services 6117 Computer Systems Design and Related Services 54151

Details

Origin 🇺🇸 US

Last Updated 01 Jun 2022

MITRE ATT&CK 36

T1003 T1021 T1027 - Obfuscated Files or Information T1033 T1036 T1037 T1047 T1049 T1055 - Process Injection T1059 - Command and Scripting Interpreter T1059.001 T1064 T1069 T1071 T1074 T1083 - File and Directory Discovery T1090 T1105 T1106 - Native API T1113 T1134 - Access Token Manipulation T1140 T1179 T1190 T1192 T1195 T1198 T1199 T1204 T1210 T1495 - Firmware Corruption T1497 T1505 T1547 - Boot or Logon Autostart Execution T1553 - Subvert Trust Controls T1562.001

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 1 entries

Slingshot Kaspersky

Observed Target Countries 11

Based on ETDA data — countries highlighted in red

Afghanistan Congo Iraq Jordan Kenya Libya Somalia Sudan Tanzania Turkey Yemen

Description

(Kaspersky) While nalyzing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity. While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to MikroTik routers and placed a component downloaded by Winbox Loader, a management suite for MikroTik routers. In turn, this infected the administrator of the router. We believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).

Tools Used 4

Cahnadr GollumApp Slingshot WinBox (a utility used for MikroTik router configuration)

Reports & References 1

https://securelist.com/apt-slingshot/84312/

ETDA Profile

Slingshot

Origin

[Unknown]

First Seen 2012

Motivation

Information theft and espionage

View on ETDA APT Groups ↗