A Chinese APT group known for using custom malware and plugins has recently been deploying malicious firmware images for some TP-Link routers in a campaign that has targeted government officials in European countries.
The modified firmware images have been found only on TP-Link routers thus far, but researchers at Check Point who discovered the campaign say that the firmware has been modified in such a way that it could be adapted to other similar routers, as well. The installation of the firmware includes the addition of a malicious implant called Horse Shell that gives the attackers a reverse shell, file transfer capabilities, and the ability to communicate between infected routers. Check Point researchers say that the attackers, which they track as Camaro Dragon, used a number of other implants and payloads, too, but the researchers focused their analysis on the malicious firmware images.
While the kernel and the U-Boot bootloader were the same as the ones in the official TP-Link firmware image, the researchers found that the file system in the malicious version was heavily modified. Several files had been added to the file system and others had been changed, including the web page that presents the firmware-upgrade form: the modified version hides that form, which makes it harder for a device owner to replace the implanted image through the router's web interface. Interestingly, it's unclear how the Camaro Dragon attackers are gaining access to the target devices.
“We are unsure how the attackers managed to infect the router devices with their malicious implant. It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication. The goal of the attackers appears to be the creation of a chain of nodes between main infections and real command and control, and if so, they would likely be installing the implant on arbitrary devices with no particular interest,” Check Point researchers said in a blog post.
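The file-system changes described above (same kernel and bootloader, added and modified files, a hidden upgrade form) are exactly what a firmware diff surfaces. The following is an added example, not Check Point's tooling or anything recovered from the implant: it hashes two already-unpacked root file systems (for instance extracted with binwalk), reports added, removed and modified files, and checks whether the upgrade page still contains a file-upload form. The two sample trees, the file names in them (including the placeholder `bin/implant.bin` and `web/upgrade.htm`), and their contents are constructed here so the script runs offline; they are not file names from the real firmware.

```python
"""Compare an extracted router root file system against a known-good one.

Added example, not Check Point's code. Assumes both firmware images have
already been unpacked into directories. The sample trees built below are
constructed placeholders, not content from any real TP-Link image.
"""
import hashlib
import re
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root (symlinks skipped)."""
    out = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            out[p.relative_to(root).as_posix()] = _sha256(p)
    return out


def diff_trees(official: Path, suspect: Path) -> dict:
    """Return the files that were added to, removed from, or changed in the suspect tree."""
    a, b = tree_hashes(official), tree_hashes(suspect)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


_FORM_RE = re.compile(r"<form\b", re.IGNORECASE)
_FILE_INPUT_RE = re.compile(r"<input\b[^>]*type=[\"']?file", re.IGNORECASE)


def upgrade_form_present(html: str) -> bool:
    """True if the page still carries a form with a file-upload input (i.e. a usable upgrade form)."""
    return bool(_FORM_RE.search(html) and _FILE_INPUT_RE.search(html))


def build_sample_trees(base: Path) -> tuple:
    """Construct two toy root file systems. Placeholder names and bytes, not real firmware content."""
    official, suspect = base / "official", base / "suspect"
    files_official = {
        "bin/busybox": b"\x7fELF placeholder busybox",
        "etc/rc.local": b"#!/bin/sh\n/bin/httpd &\n",
        "web/upgrade.htm": (
            b"<html><body><form method=\"post\" enctype=\"multipart/form-data\">"
            b"<input type=\"file\" name=\"fw\"><input type=\"submit\"></form></body></html>"
        ),
    }
    files_suspect = dict(files_official)
    # The suspect tree hides the upgrade form, adds an extra binary and starts it at boot.
    files_suspect["web/upgrade.htm"] = b"<html><body><!-- upgrade form removed --></body></html>"
    files_suspect["bin/implant.bin"] = b"\x7fELF placeholder implant"
    files_suspect["etc/rc.local"] = b"#!/bin/sh\n/bin/httpd &\n/bin/implant.bin &\n"
    for root, files in ((official, files_official), (suspect, files_suspect)):
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    return official, suspect


def run_demo() -> dict:
    """Build the sample trees, diff them, and report on the upgrade form in each."""
    with tempfile.TemporaryDirectory() as tmp:
        official, suspect = build_sample_trees(Path(tmp))
        report = diff_trees(official, suspect)
        report["upgrade_form_official"] = upgrade_form_present((official / "web/upgrade.htm").read_text())
        report["upgrade_form_suspect"] = upgrade_form_present((suspect / "web/upgrade.htm").read_text())
        return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against real images, point `diff_trees` at the two extracted root directories instead of the constructed ones; the modified-file list is where to start reverse engineering, and init scripts in that list are the usual place to find how an added binary gets launched.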
The Horse Shell implant has a range of functions, none of which is out of the ordinary for a piece of custom malware designed by an APT team. The main operations are starting the remote shell, transferring files, and communicating with other peers via SOCKS tunneling.
“Horse Shell is designed to communicate with numerous peers simultaneously. As it lacks multi-threading capabilities, the program employs list containers to segregate the various connected peers as individual list items. Each peer has a distinct structure, with assigned events and callbacks specific to it. This approach guarantees that the communication with each peer remains distinct, utilizing its unique callbacks and event handlers, and does not become intertwined with other peers,” the researchers said.
“The Horse Shell implant is written in C++ and compiled for MIPS32-based operating systems. There aren’t many implants written for network devices and so we went to look for other examples, to see if the implant we’re looking at is a variant of an already known implant. Spoiling the surprise, we were unable to find another implant that we could confidently classify as a version of Horse Shell.”
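The design Check Point describes in the quoted paragraph (one list of peer records, each with its own event handlers, driven from a single thread) is a common pattern in network implants and is worth recognising in decompiled code. The block below is an added illustration of that pattern in Python, not Horse Shell's code: a single `selectors`-based loop multiplexes several peers, each peer record carries its own callback and receive buffer, and framing is reassembled per peer so one peer's partial message never mixes with another's. The 4-byte length-prefix framing, the peer kinds, and the sample messages are assumptions constructed for the example.

```python
"""Single-threaded multi-peer I/O loop with per-peer callbacks.

Added illustration, not Horse Shell code. The length-prefixed framing and the
"shell"/"socks" peer kinds are assumptions made for this example.
"""
import selectors
import socket
import struct
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Peer:
    """One connected peer: its socket, its own handler, and its own receive buffer."""
    sock: socket.socket
    kind: str
    on_message: Callable[["Peer", bytes], None]
    inbox: bytearray = field(default_factory=bytearray)
    received: list = field(default_factory=list)


class PeerLoop:
    """Multiplexes all peers from one thread; each readiness event is routed to that peer's callback."""

    def __init__(self) -> None:
        self.sel = selectors.DefaultSelector()
        self.peers: List[Peer] = []

    def add_peer(self, sock: socket.socket, kind: str, on_message: Callable) -> Peer:
        sock.setblocking(False)
        peer = Peer(sock, kind, on_message)
        self.peers.append(peer)
        self.sel.register(sock, selectors.EVENT_READ, data=peer)
        return peer

    def remove_peer(self, peer: Peer) -> None:
        self.sel.unregister(peer.sock)
        peer.sock.close()
        self.peers.remove(peer)

    def _drain(self, peer: Peer) -> None:
        # Deliver every complete [4-byte big-endian length][payload] frame buffered for this peer.
        while len(peer.inbox) >= 4:
            (n,) = struct.unpack("!I", peer.inbox[:4])
            if len(peer.inbox) < 4 + n:
                break  # partial frame: wait for more bytes from this peer only
            msg = bytes(peer.inbox[4:4 + n])
            del peer.inbox[:4 + n]
            peer.on_message(peer, msg)

    def run_once(self, timeout: float = 0.1) -> int:
        """One pass over ready sockets. Returns the number of peers serviced."""
        handled = 0
        for key, _mask in self.sel.select(timeout):
            peer = key.data
            data = peer.sock.recv(4096)
            if not data:  # orderly close: drop the peer record
                self.remove_peer(peer)
                continue
            peer.inbox += data
            self._drain(peer)
            handled += 1
        return handled


def frame(payload: bytes) -> bytes:
    return struct.pack("!I", len(payload)) + payload


def shell_handler(peer: Peer, msg: bytes) -> None:
    peer.received.append(("shell", msg))


def socks_handler(peer: Peer, msg: bytes) -> None:
    peer.received.append(("socks", msg))


def demo() -> dict:
    """Two local peers (socketpairs standing in for network connections), one with a split frame."""
    loop = PeerLoop()
    a_loop, a_remote = socket.socketpair()
    b_loop, b_remote = socket.socketpair()
    pa = loop.add_peer(a_loop, "shell", shell_handler)
    pb = loop.add_peer(b_loop, "socks", socks_handler)
    second = frame(b"uname -a")                      # 12 bytes; delivered in two pieces
    a_remote.sendall(frame(b"id") + second[:7])      # complete frame + partial frame
    b_remote.sendall(frame(b"connect example:443"))  # constructed sample message
    for _ in range(3):
        loop.run_once()
    a_remote.sendall(second[7:])                     # remainder of the split frame
    for _ in range(3):
        loop.run_once()
    a_remote.close()
    b_remote.close()
    for _ in range(3):
        loop.run_once()                              # both peers now read EOF and are removed
    loop.sel.close()
    return {"shell": pa.received, "socks": pb.received, "peers_left": len(loop.peers)}


if __name__ == "__main__":
    print(demo())
```

The point to notice when reading such code in a disassembler is the per-peer structure: a socket, a buffer, and a small set of function pointers, kept in a linked list or array and walked by one select/poll loop rather than by a thread per connection.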
The Camaro Dragon group’s activity overlaps quite a bit with the operations of a group known as Mustang Panda, which is a Chinese government-affiliated attack team known mainly for its use of a custom version of the PlugX malware. However, the Check Point researchers were not able to conclude that the two groups are identical.