A Chinese state-sponsored hacking group called “Camaro Dragon” has infected TP-Link residential routers with a custom “Horse Shell” malware used to attack European foreign affairs organizations.
The backdoor malware is deployed in a custom, malicious firmware designed specifically for TP-Link routers so that hackers can launch attacks that appear to originate from residential networks.
“It is noteworthy that this type of attack does not specifically target sensitive networks, but rather ordinary residential and home networks,” the Check Point report states.
“Therefore, the infection of a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers.”
Disseminated malware allows threat actors full access to a device, including running shell commands, uploading and downloading files, and using it as a SOCKS proxy to relay communication between devices.
The Horse Shell TP-Link firmware implant was discovered by Check Point Research in January 2023, which says the hackers’ activity overlaps with the Chinese “Mustang Panda” hacking group recently detailed in Avast and ESET reports.
Check Point tracks this activity separately using the name “Camaro Dragon” for the group of activities despite the similarities and significant overlap with the Mustang Panda.
Attribution was made based on the attackers’ server IP addresses, requests that return hard-coded HTTP headers found on several Chinese websites, several typos in the binary code that show the author is not a native English speaker, and functional similarities between the APT31 router trojan “Pakdoor”.
TP-Link firmware implantation
Although Check Point did not specify how the attackers infected TP-Link routers with the malicious firmware image, they said it could be through exploiting a vulnerability or forcing administrator credentials.
Once the threat actor gains administrator access to the management interface, he can remotely update the device using the custom firmware image.
Through investigation, Check Point found two trojan firmware image samples for TP-Link routers, both containing extensive modifications and file extensions.
Check Point compared the malicious TP-Link firmware to a legitimate version and found that the kernel and uBoot partitions are the same. However, the malicious firmware used a custom SquashFS file system that contains additional malicious file components that are part of the Horse Shell’s backdoor malware implant.
Check Point explains: “Parts of it are internally named Horse Shell so we use it to name the implant as a whole. The implant provides the attacker with 3 main functions: remote shell, file transfer, and tunnel creation.”
The firmware also modifies the administrative web panel, preventing the device owner from flashing a new firmware image to the router and ensuring that the infection persists.
Horse shell back door
When the Horse Shell backdoor implant is initialized, it will instruct the operating system not to terminate the process when SIGPIPE, SIGINT, or SIGABRT commands are issued, and turn it into a daemon to run in the background.
The backdoor will then contact the command and control (C2) server to send the victim’s device profile, including username, OS version, time, device information, IP address, MAC address, and supported implant features.
Horse Shell will now run quietly in the background waiting for one of the following three commands:
- Launch a remote shell that provides threat actors full access to the compromised device.
- Perform file transfer activities, including upload, download, basic file handling, and directory enumeration.
- Start the tunnel to obfuscate the origin and destination of network traffic and hide the C2 server address.
The Horse Shell firmware implant isn’t firmware-dependent, researchers say, so it could theoretically work in other routers’ firmware images by different vendors.
It is not surprising to see state-sponsored hackers targeting poorly secured routers, often targeted by botnets for DDoS attacks or cryptocurrency mining. This is because routers are often overlooked when implementing security measures and can act as a stealth launch pad for attacks, masking the attacker’s source.
Users are advised to apply the latest firmware update for their router model to patch any existing vulnerabilities and change the default admin password to something strong. However, and most importantly, disable remote access to the device admin panel and make it accessible only from the local network.
recurring theme
Networking end devices have become a popular target for state-sponsored threat actors, with Chinese hackers previously targeting Fortinet VPN and SonicWall SMA routers with custom firmware.
Recently, UK cybersecurity agencies and CISA in the UK warned that Russian state-sponsored threat actors were also hacking into Cisco routers to install custom malware.
Because these devices typically do not support EDR (Endpoint Detection and Response) security solutions, threat actors can use them to steal data, propagate laterally, and perform more attacks with less chance of detection.
“There is a recurring theme of focus on ongoing China-China cyber espionage on network devices, IoT devices, etc. that do not support EDR solutions,” Charles Carmackal, CTO of Mandiant, told BleepingComputer.
For this reason, it is imperative that network administrators install all available security patches on high-end devices as soon as they become available and not publicly expose administrative consoles.
#Hackers #infect #TPLink #router #firmware #attack #entities