Researchers on Tuesday unveiled a major discovery: malicious firmware that could draw a wide range of residential and small-office routers into a network that surreptitiously funneled traffic to command-and-control servers maintained by Chinese state-sponsored hackers.
The firmware implant, revealed in a write-up from Check Point Research, contains a full-featured backdoor that allows attackers to establish connections and transfer files using infected devices, issue commands remotely, and upload, download, and delete files. The implant came in the form of firmware images for TP-Link routers. The well-written C++ code, however, took pains to implement its functions in a “firmware-agnostic” manner, which means it would be easy to modify to run on other router models.
Not the ends, just the means
The main purpose of the malware appears to be to relay traffic between an infected target and the attackers’ command-and-control servers in a way that obscures the origins and destinations of that traffic. With further analysis, Check Point Research eventually discovered that the control infrastructure was operated by hackers linked to Mustang Panda, an advanced persistent threat actor that both Avast and ESET say works on behalf of the Chinese government.
“Learning from history, router implants are often installed on random devices without any special interest, with the goal of creating a chain of nodes between the main infection and the real command and control,” Check Point researchers wrote in the write-up. In other words, the infection of a home router does not mean that the homeowner was specifically targeted; the device is only a means to an end.
Researchers discovered the implant while investigating a series of targeted attacks against European foreign affairs entities. The main component is a backdoor with the internal name Horse Shell. Horse Shell’s three main functions are:
- A remote shell to execute commands on the infected machine
- File transfer to upload and download files to and from the infected device
- Relaying data between two devices using SOCKS5, a protocol for proxying TCP connections to an arbitrary IP address and providing a means for forwarding UDP packets
The SOCKS5 functionality appears to be the ultimate purpose of the implant. By creating a chain of infected machines that establish encrypted connections only with the two nearest nodes (one in each direction), it is difficult for anyone who stumbles upon one node to learn the origin, final destination, or true purpose of the infection. As the Check Point researchers wrote:
An implant can relay communication between two nodes. By doing this, the attackers can create a chain of nodes that will relay traffic to the command and control server. By doing this, the attackers can hide the final command and control, since each node in the chain contains information only about the previous and next nodes; each node is an infected machine. Only a few nodes will know the identity of the ultimate command and control.
By using multiple layers of nodes to tunnel the connection, threat actors can mask the source and destination of traffic, making it difficult for defenders to trace traffic back to C2. This makes it difficult for defenders to detect and respond to an attack.
In addition, a chain of infected nodes makes it difficult for defenders to disrupt communication between the attacker and C2. If one node in the chain is compromised or taken down, the attacker can still maintain communication with C2 by routing traffic through a different node in the chain.
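The relay chain described above rides on ordinary SOCKS5 (RFC 1928) handshakes between infected routers. The following is an added example, not code from the article or from Check Point, showing how a defender can recognise those handshakes in the first client-to-server bytes of a captured TCP flow. A home router that begins emitting SOCKS5 greetings and CONNECT or UDP ASSOCIATE requests towards other residential addresses is the kind of anomaly network monitoring should surface. All sample payloads are constructed for the example; it assumes the no-authentication method is selected so the request follows the greeting directly in the client's byte stream.

```python
"""Recognise SOCKS5 (RFC 1928) client handshakes in captured TCP payloads.

Added defender-side example; sample byte strings below are constructed.
"""
import ipaddress
import struct
from typing import Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
AUTH_NAMES = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}


def parse_greeting(data: bytes) -> Optional[dict]:
    """Parse the client greeting: VER NMETHODS METHODS... (RFC 1928 section 3)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    methods = list(data[2 : 2 + nmethods])
    return {"methods": methods, "consumed": 2 + nmethods}


def parse_request(data: bytes) -> Optional[dict]:
    """Parse the client request: VER CMD RSV ATYP DST.ADDR DST.PORT (section 4)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:            # IPv4: 4 address bytes
        offset, addr_len = 4, 4
    elif atyp == 0x04:          # IPv6: 16 address bytes
        offset, addr_len = 4, 16
    elif atyp == 0x03:          # domain name: 1 length byte then the name
        if len(data) < 5:
            return None
        offset, addr_len = 5, data[4]
    else:
        return None
    end = offset + addr_len + 2  # two trailing port bytes
    if len(data) < end:
        return None              # truncated capture, refuse to guess
    raw = data[offset : offset + addr_len]
    host = raw.decode("ascii", errors="replace") if atyp == 0x03 else str(ipaddress.ip_address(raw))
    port = struct.unpack("!H", data[offset + addr_len : end])[0]
    return {"command": CMD_NAMES[cmd], "host": host, "port": port, "consumed": end}


def classify_client_stream(data: bytes) -> Optional[dict]:
    """Report whether the client side of a TCP flow looks like a SOCKS5 session.

    Returns None for non-SOCKS payloads; otherwise the offered auth methods and,
    when present, the parsed request. Assumes the no-auth method (0x00) was
    selected, so no username/password sub-negotiation sits between the two.
    """
    greeting = parse_greeting(data)
    if greeting is None:
        return None
    result = {
        "auth_methods": [AUTH_NAMES.get(m, hex(m)) for m in greeting["methods"]],
        "request": parse_request(data[greeting["consumed"]:]),
    }
    return result


# Constructed samples: a CONNECT to 203.0.113.10:443, a UDP ASSOCIATE for
# example.com:53 offering two auth methods, and a plain HTTP request as a negative.
SAMPLE_CONNECT = (b"\x05\x01\x00"
                  + b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + struct.pack("!H", 443))
SAMPLE_UDP = (b"\x05\x02\x00\x02"
              + b"\x05\x03\x00\x03" + bytes([11]) + b"example.com" + struct.pack("!H", 53))
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, payload in [("connect", SAMPLE_CONNECT), ("udp", SAMPLE_UDP), ("http", SAMPLE_HTTP)]:
        print(name, classify_client_stream(payload))
```

In practice the function would be fed the reassembled client-side payload of each new outbound TCP flow from the router; flows that parse as SOCKS5 towards non-local, non-corporate destinations are worth alerting on, since consumer routers have no legitimate reason to act as SOCKS clients.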
Remember VPNFilter, ZuoRAT, and Hiatus?
Using routers and other so-called IoT devices to disguise control servers and covertly proxy traffic is among the oldest tricks in the threat actor’s playbook. One of the best-known examples of another hacking campaign borrowing this page from the playbook was discovered in 2018 and used VPNFilter. That malware was created by the Kremlin-backed APT28 (aka Fancy Bear) and was found to have infected more than 500,000 network devices made by Linksys, Mikrotik, Netgear, TP-Link, and QNAP. VPNFilter offered a variety of functions, the chief of which was enabled by the “socks5proxy” module that turned the compromised device into a SOCKS5 VPN proxy server. Similar examples include malware called ZuoRAT, which was discovered last year infecting a large number of routers made by Cisco, Netgear, Asus, and DrayTek. Earlier this year, researchers discovered Hiatus, a sophisticated hacking campaign that turned high-bandwidth DrayTek routers into SOCKS proxies.
Check Point researchers still don’t know how the malicious implant gets installed on devices. The likely bet is that the threat actors are either exploiting vulnerabilities in the devices or searching the Internet for devices that are protected with weak or default administrative passwords.
Although the only firmware image detected so far works only on TP-Link devices, there is nothing stopping threat actors from creating images that work on a much wider range of devices. This cross-platform ability results from the implant’s architects integrating multiple open source libraries into their code. The libraries include Telnet for the remote shell, libev for event handling, libbase32 for Base32 encoding and decoding of binary data, and a container list based on Tor’s smartlist.
Other inspiration may come from projects including the shadowsocks-libev server and the udptun UDP tunnel. The HTTP headers used were likewise taken from open source repositories.
“Implanted components were detected in modified firmware images from TP-Link,” the researchers wrote. “However, they were written in a firmware-agnostic manner and are not specific to any particular product or vendor. As a result, they may be included in different firmwares by different vendors.”