The Terrifying World of the Slingshot Virus


On March 9, 2018, Kaspersky Lab published a blog post about the newly discovered Slingshot APT. APT stands for advanced persistent threat: malware (and the group operating it) that sits on a computer for a long time, has built-in tools to avoid detection, and is aimed at specific targets rather than at everyone. Stuxnet is a good example of an APT: it spread widely, but it only deployed its sabotage payload on machines running the Siemens software that controlled nuclear centrifuges, and on every other machine it stayed dormant and looked harmless. Most malware pushed by cyber-criminals is the opposite: it is designed to infect as many computers as possible and to make money from each one. Ransomware is a good example of non-APT malware; it encrypts a hard drive and the criminal demands payment to unlock your data. Slingshot appears to be designed as a spying tool, with a built-in network packet sniffer, a keylogger, a screenshot function, and the ability to steal clipboard data. Slingshot also has about 1500 other functions that researchers are only beginning to unravel, but the functions already identified are devastating:

  1. Network packet sniffer: Imagine you visit a website on a computer that isn't infected by Slingshot but is on the same network as an infected computer. A packet sniffer copies and decodes the traffic the infected machine can see, which can include usernames, passwords, computer names, copies of files and similar data. Two caveats apply: the sniffer only gets what reaches the infected machine's network interface (on a switched network that is mostly its own traffic plus broadcasts, unless the attacker also redirects other hosts' traffic), and it can only read what is sent in the clear, so credentials inside an HTTPS session show up as nothing but encrypted bytes.
  2. Keylogger: A keylogger logs every key pressed on the target keyboard. Imagine you click your browser's address bar, type the address of your webmail site and press Enter, then enter your username and password on the next screen. Even though the keylogger never sees your screen, the three pieces of information it just captured are enough to let an attacker log in to your email account.
  3. Screenshot: Many readers are familiar with screenshots, but consider information that neither the packet sniffer nor the keylogger captures, such as the mail already in your inbox: it can be captured by a screenshot taken as you read it.
  4. Clipboard data: Even if the screenshot grabber misses some emails, there are times when a user copies text from an email or web page that contains sensitive information. A keylogger won't pick that up either, but writing the clipboard contents to a file exposes the user to yet another data leak.
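
As an added example (written for this post, not code from Kaspersky's report or from Slingshot itself), the following Python does what the sniffer item above describes: it parses a few constructed Ethernet/IPv4/TCP frames the way a passive observer on the same segment would, pulls the credentials out of a cleartext HTTP login, and shows that the same login over TLS yields nothing beyond addresses and port numbers. The frames, hostnames, cookies and credentials are all made up, and the helper names (`build_frame`, `parse_frame`, `extract_secrets`, `sniff`) are mine, not from any library.

```python
import base64
import struct
from urllib.parse import parse_qs


def ipv4_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Assemble a constructed Ethernet II + IPv4 + TCP frame around a payload.
    Checksums are left zero: a sniffer only needs the field offsets to parse."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, ipv4_bytes(src_ip), ipv4_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP; return addressing plus raw payload,
    or None for anything that is not IPv4 carrying TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp_off = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {
        "src": ".".join(map(str, frame[26:30])),
        "dst": ".".join(map(str, frame[30:34])),
        "sport": sport,
        "dport": dport,
        "payload": frame[tcp_off + data_off:],
    }


HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")


def extract_secrets(conn):
    """Recover what a passive observer can read from one TCP segment."""
    p = conn["payload"]
    out = {"dst": conn["dst"], "dport": conn["dport"], "kind": "other", "secrets": []}
    # TLS record header: content type 0x16 (handshake) or 0x17 (application
    # data) followed by major version 3. Everything after it is ciphertext.
    if len(p) >= 3 and p[0] in (0x16, 0x17) and p[1] == 0x03:
        out["kind"] = "tls"
        return out
    if not p.startswith(HTTP_METHODS):
        return out
    out["kind"] = "http"
    head, _, body = p.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    out["host"] = headers.get(b"host", b"").decode(errors="replace")
    auth = headers.get(b"authorization", b"")
    if auth[:6].lower() == b"basic ":
        try:
            user, _, password = base64.b64decode(auth[6:]).partition(b":")
            out["secrets"].append(("basic-auth", user.decode(), password.decode()))
        except (ValueError, UnicodeDecodeError):
            pass  # malformed header: nothing recoverable
    if b"cookie" in headers:
        out["secrets"].append(("cookie", headers[b"cookie"].decode(errors="replace")))
    if headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode(errors="replace")).items():
            out["secrets"].append(("form", field, values[0]))
    return out


def sniff(frames):
    """Run every frame through the parser; keep only HTTP and TLS segments."""
    results = []
    for frame in frames:
        conn = parse_frame(frame)
        if conn is not None:
            found = extract_secrets(conn)
            if found["kind"] != "other":
                results.append(found)
    return results


# Constructed traffic from a hypothetical victim 192.0.2.5 to a hypothetical
# webmail server 203.0.113.10, once over cleartext HTTP and once over TLS.
CLEARTEXT_LOGIN = (
    b"POST /login HTTP/1.1\r\nHost: mail.example.test\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=bob&password=s3cret"
)
TLS_HANDSHAKE = b"\x16\x03\x01\x00\x05hello"  # record header + opaque bytes

SAMPLE_FRAMES = [
    build_frame("192.0.2.5", "203.0.113.10", 51000, 80, CLEARTEXT_LOGIN),
    build_frame("192.0.2.5", "203.0.113.10", 51001, 443, TLS_HANDSHAKE),
]

if __name__ == "__main__":
    for hit in sniff(SAMPLE_FRAMES):
        print(hit)
```

Running it prints two records: the port-80 segment yields the Basic-auth pair, the session cookie and both form fields, while the port-443 segment is classified as TLS with an empty secrets list. That difference is the whole reason an on-path sniffer is devastating against cleartext protocols and nearly blind against properly encrypted ones.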

So why is this malware scarier than all the others with similar functions? The fact that it has only now been discovered publicly, despite evidence of installations going back at least to 2012, means that its anti-detection features are extremely sophisticated, and it is possible that it captured data from an unknown number of computers for at least six years. In addition, Slingshot keeps its modules in an encrypted virtual file system stored in an unused part of the hard drive, outside any partition that Windows shows the user. Its kernel-mode component (which Kaspersky named Cahnadr) runs with full system privileges and, unusually for kernel malware, is very stable; it works in tandem with a user-mode component (GollumApp) that carries the spying functions. According to Kaspersky, the initial infection came through compromised MikroTik routers: the router's Winbox management tool downloads DLL files from the router, and one of those DLLs had been replaced with a malicious loader.
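
One forensic check the hidden-storage detail suggests, as an added example of my own rather than Kaspersky's detection method: an encrypted store hidden outside the partitions looks like random bytes, and random bytes have near-maximal Shannon entropy, so scanning the unallocated sectors of a disk image for high-entropy runs is a cheap way to triage for something like Slingshot's virtual file system. The Python below builds a constructed 2 MiB MBR disk image with one partition and a pseudo-random blob planted in free space, then reports the high-entropy runs. The image is synthetic and the helper names (`build_sample_image`, `find_hidden_regions` and the rest) are hypothetical names of mine. It understands MBR partition tables only (a GPT disk would need its own parser), and a hit is a lead, not proof: free space that once held a deleted encrypted volume or compressed files looks exactly the same.

```python
import math
import random
import struct
from collections import Counter

SECTOR = 512


def shannon_entropy(buf):
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for
    ciphertext or random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def mbr_partitions(image):
    """Parse the four MBR slots at offset 446; return (start_lba, end_lba) pairs."""
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:462 + 16 * i]
        ptype = entry[4]
        start, count = struct.unpack("<II", entry[8:16])
        if ptype != 0 and count:
            parts.append((start, start + count))
    return sorted(parts)


def unallocated_ranges(image):
    """Sector ranges covered by no partition (LBA 0 is the MBR itself)."""
    total = len(image) // SECTOR
    ranges, cursor = [], 1
    for start, end in mbr_partitions(image):
        if start > cursor:
            ranges.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total:
        ranges.append((cursor, total))
    return ranges


def find_hidden_regions(image, chunk_sectors=16, threshold=7.5):
    """Return merged (start_lba, end_lba) runs of unallocated chunks whose
    entropy is at or above the threshold."""
    hits = []
    for r_start, r_end in unallocated_ranges(image):
        for lba in range(r_start, r_end, chunk_sectors):
            top = min(lba + chunk_sectors, r_end)
            if shannon_entropy(image[lba * SECTOR:top * SECTOR]) >= threshold:
                if hits and hits[-1][1] == lba:
                    hits[-1] = (hits[-1][0], top)  # extend the current run
                else:
                    hits.append((lba, top))
    return hits


def build_sample_image():
    """Constructed 2 MiB disk: one NTFS-typed partition at LBA 2048 spanning
    1024 sectors, plus 96 sectors of pseudo-random bytes planted at LBA 3520,
    which lies outside every partition."""
    total = 4096
    img = bytearray(total * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1024)
    img[510:512] = b"\x55\xaa"
    # Low-entropy filler standing in for ordinary file-system contents.
    filler = b"The quick brown fox jumps over the lazy dog. "
    span = 1024 * SECTOR
    img[2048 * SECTOR:3072 * SECTOR] = (filler * (span // len(filler) + 1))[:span]
    # The planted "encrypted store": deterministic pseudo-random bytes.
    rng = random.Random(1234)
    img[3520 * SECTOR:3616 * SECTOR] = bytes(rng.getrandbits(8) for _ in range(96 * SECTOR))
    return bytes(img)


if __name__ == "__main__":
    for start, end in find_hidden_regions(build_sample_image()):
        print(f"high-entropy run in free space: LBA {start}-{end} ({end - start} sectors)")
```

On the sample image the only run reported is LBA 3520 to 3616, the planted blob; the zero-filled gap before the first partition and the text-filled partition itself never trigger. On a real image you would read the raw device or an E01 export into `image` and lower `chunk_sectors` if you expect small hidden areas.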

While Kaspersky says that so far infections have been detected on only about 100 computers in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania, the first comment on the blog post mentions that the code infected the commenter's personal network, which used an American router and ISP, Xfinity Comcast. Kaspersky also predicts that the creator is likely a state actor rather than an ordinary cybercriminal. I want to remind users that Israeli hackers recently hacked some Russian spies and determined that Kaspersky's antivirus software was utilized by Russia to hack and search computers throughout the world for American intelligence programs.

I believe that in the coming months and years, when this malware is unraveled a bit more, it is likely that the second operating system will turn out to let a hacker listen in on conversations using computer microphones and webcams, log in to the computer remotely to view the screen in real time, and copy data directly from connected drives. Basically, such malware would be the ultimate spy, creating a network of information for a state to monitor anyone remotely without the need for human assets. As a computer forensics expert, I think Slingshot opens up a whole world of unknowns that should be interesting to track. Any individual accused of a computer crime should at least attempt to argue that Slingshot or similar software could have downloaded the offending pictures or incriminating evidence, possibly creating reasonable doubt. How do you think such an argument would play out in court? Post your responses in the comments below.