The Chinese state-sponsored hacking outfit “Camaro Dragon” attacks household TP-Link routers with bespoke “Horse Shell” malware to attack European foreign affairs organizations. Hackers use backdoor virus in custom firmware for TP-Link routers to launch assaults from home networks.
According to Check Point research, this attack targets residential and home networks, not important networks. Thus, infecting a home router does not always suggest that the homeowner was a target, but rather that the attackers used it as a tool.
The software lets threat actors run shell commands, upload and download data, and use the device as a SOCKS proxy to communicate between devices.
Check Point Research identified the Horse Shell TP-Link firmware intrusion in January 2023. The hackers’ behavior aligns with the Chinese “Mustang Panda” hacking outfit recently disclosed in Avast and ESET publications. Check Point calls this activity cluster “Camaro Dragon” despite its similarity to Mustang Panda.
The attackers’ server IP addresses, requests with hard-coded HTTP headers found on various Chinese websites, many typos in the binary code that indicate the author isn’t a native English speaker, and the trojan’s functional similarities to the APT31 “Pakdoor” router implant led to the attribution.
Check Point believes attackers infect TP-Link routers with the malicious firmware image by exploiting a vulnerability or brute-forcing administrator credentials. Threat actors can remotely upgrade the device with custom firmware after gaining admin access to the administrative interface.
Check Point identified two trojanized TP-Link router firmware images with considerable alterations and file additions. Check Point detected identical kernel and uBoot parts in the infected TP-Link firmware. The firmware used a modified SquashFS filesystem with Horse Shell backdoor malware components.
“We use Horse Shell to name the implant because parts of it are internally named.” Check Point says the implant offers remote shell, file transfer, and tunneling. When initialized, the Horse Shell backdoor implant tells the OS not to terminate its process when SIGPIPE, SIGINT, or SIGABRT commands are issued and to become a daemon.
The backdoor then sends the victim’s system profile to the command and control (C2) server, including the user name, OS version, time, device information, IP address, MAC address, and available implant capabilities.
The researchers say the Horse Shell firmware implant is firmware-agnostic and might function in firmware images for other routers from different vendors.
State-sponsored hackers commonly target poorly secured routers, which botnets use for DDoS attacks and crypto-mining. Routers are sometimes disregarded while establishing security measures and can serve as a stealthy launchpad for assaults, hiding the attacker’s origin.
Users should update their router firmware and change the default admin password. More importantly, restrict access to the device’s admin panel to the local network.
Chinese hackers implanted Fortinet VPN and SonicWall SMA routers with modified firmware. Recently, the UK NCSC and US CISA reported that Russian state-sponsored threat actors were also accessing Cisco routers to install proprietary malware.
Threat actors can exploit these devices without EDR (Endpoint notice and Response) security solutions to steal data, spread laterally, and launch more attacks without notice.
“There’s a recurring theme of continued China-nexus cyber espionage focus on network appliances, IOT devices, etc. that don’t support EDR solutions,” Mandiant CTO Charles Carmakal told BleepingComputer.
Network admins must apply all security patches on edge devices immediately and not publicly disclose management consoles.
Conclusion
Since January 2023, a new round of sophisticated and targeted attacks against European foreign affairs entities is suspected of having ties to the Chinese government actor Mustang Panda. According to Itay Cohen and Radoslaw Madej of Check Point, their investigation into these intrusions uncovered a unique firmware implant made for TP-Link routers. “The implant features several malicious components, including a custom backdoor named ‘Horse Shell,’ which allows the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks,” the firm claimed. The implant’s components can be integrated into multiple suppliers’ firmware thanks to its “firmware-agnostic” design.
The Israeli cybersecurity company is keeping tabs on the attack organization called variously as Camaro Dragon, BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich. It is presently unknown how the compromised firmware images were deployed to the infected routers or if they were used in any actual attacks. It’s possible that the initial entry was gained by exploiting a security hole or by brute-forcing devices using their factory settings or other simple passwords. The C++-based Horse Shell implant is known to allow attackers to perform arbitrary shell commands, transfer files to and from the router, and act as a communication relay for two clients. However, the router backdoor is speculated to attack random devices on private and residential networks, turning the compromised routers into a mesh network with the intention of establishing a “chain of nodes between main infections and real command-and-control.”
