Infected Routers Spread Malware, Log Keystrokes

John Lister's picture

A security firm says malware that targets routers is so sophisticated it's highly likely a government is behind it. Dubbed "Slingshot," the malware appears to have been working for six years without detection.

The attack was on a specific brand of routers, namely Mikrotik. Although based in Latvia, its products have shipped around the world to business and home users.

The big problem was with an associated piece of software named Winbox, used to manage the router. The way Winbox works involves taking DLL files stored on the router itself and running them directly in the computer's memory. A DLL (dynamic link library) file is one that can be used by multiple applications simultaneously.

Keyboard Strokes Logged

In principle, this setup made router management run much more smoothly. The problem is that hackers were able to remotely access the routers and add rogue DLL files under the pretense of a software update. These files included two tools dubbed "Cahnadr" and "GollumApp," both of which captured and transmitted data while disguising the theft.

In most cases the data was from activity on the computer itself, such as information copied to the clipboard, or even logs of everything typed on the keyboard, including passwords.

The good news is that the bug that allowed the rogue updates has now been fixed, though users will need to perform a genuine update to the latest software.

Malware Well Hidden

The bad news is that the malware was considered exceptionally sophisticated, most notably in its ability to stay undetected.

This included both encrypting the data in the malware files and storing them in a separate part of the hard drive to the rest of the computer's files, both of which made it harder for security software to spot. In some cases, the malware was even able to spot when security tools were starting up and immediately stop operating to become less visible. (Source:

For now, it appears Slingshot was designed and used to target specific individuals and government organizations in Africa and Middle East. The two big fears are that Slingshot indicates a government may be funding and backing such a sophisticated attack, and that criminals could learn lessons from the attack to better target the general public. (Source:

What's Your Opinion?

Do you know whether your router's software is up to date? Is government-backed malware likely to be a growing problem? Is it a worry or a relief that such attacks appear to be highly targeted?

Rate this article: 
Average: 4.6 (10 votes)


Chief's picture

My Microtik log showed it had automatically updated on 3/8.
Thanks for the article. I hadn't moved that fast in a while.