The Chinese nation-state actor known as Mustang Panda has been linked to a series of new, sophisticated and targeted attacks aimed at European foreign affairs entities since January 2023.
An analysis of these intrusions, per Check Point researchers Itay Cohen and Radoslaw Madej, has revealed a custom firmware implant designed explicitly for TP-Link routers.
“This implant features several malicious components, including a custom backdoor named ‘Horse Shell’ that allows attackers to maintain persistent access and establish an anonymous infrastructure, and enables lateral movement into compromised networks,” the company said.
“Due to its firmware-agnostic design, implant components can be integrated into various firmwares by different vendors.”
The Israeli cybersecurity firm is tracking the threat group under the name Camaro Dragon, which is also known as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta and Red Lich.
The exact method used to deploy the tampered firmware images onto infected routers is currently unknown, as is how the routers are used and how they fit into the actual attacks. Initial access is suspected to have been obtained by exploiting known security flaws or by brute-forcing devices that use default or easy-to-guess passwords.
What is known is that the C++-based Horse Shell implant gives attackers the ability to execute arbitrary shell commands, upload and download files to and from routers, and relay communications between two different clients.
But in an interesting twist, the router backdoor is believed to target arbitrary devices in residential and home networks, suggesting that compromised routers are being co-opted into a mesh network with the goal of creating a “chain of nodes between the main infection and real command-and-control.”
By relaying communications between infected routers over a SOCKS tunnel, the idea is to introduce an additional layer of anonymity and hide the end server, since each node in the chain holds information only about the node immediately before and after it.
In other words, this method obfuscates the origin and destination of traffic in a manner similar to Tor, making it much more challenging to determine the scope of the attack and to disrupt it.
“If one node in the chain is compromised or destroyed, an attacker can still maintain communication with C2 by routing traffic through a different node in the chain,” the researchers explain.
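The relay chain described above, shown as an added example that is not Check Point's analysis code and not the Horse Shell implant: a toy multi-hop SOCKS5 chain that runs entirely on 127.0.0.1. Each relay node honours a CONNECT request and then blindly copies bytes, and the client nests one CONNECT inside the tunnel built by the previous one, so hop k is only ever told the address of hop k+1 (the last hop is told the destination, here a local echo server standing in for the real C2). The SOCKS5 handling is deliberately minimal (no authentication, CONNECT only, IPv4 only); node addresses, the echo server and the message are constructed for the demonstration.

```python
# Added example: a toy multi-hop SOCKS5 relay chain on localhost.
# Not Check Point's code and not the Horse Shell implant.
# Assumptions: SOCKS5 with no auth, CONNECT command only, IPv4 addresses only.
import socket
import struct
import threading


def _recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _pipe(src, dst):
    """Copy bytes src -> dst until EOF, then tear both sockets down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def _serve_socks5(client, next_hops_seen):
    """One hop: answer a CONNECT, then relay blindly. The only thing this hop
    learns is the address it is asked to connect to (recorded in next_hops_seen)."""
    try:
        _ver, nmethods = _recv_exact(client, 2)          # greeting: VER, NMETHODS
        _recv_exact(client, nmethods)                     # offered auth methods
        client.sendall(b"\x05\x00")                       # select "no auth"
        ver, cmd, _rsv, atyp = _recv_exact(client, 4)     # VER, CMD, RSV, ATYP
        if ver != 5 or cmd != 1 or atyp != 1:
            client.sendall(b"\x05\x07\x00\x01" + b"\x00" * 6)  # REP=7: not supported
            client.close()
            return
        host = socket.inet_ntoa(_recv_exact(client, 4))
        port = struct.unpack("!H", _recv_exact(client, 2))[0]
        next_hops_seen.append((host, port))
        upstream = socket.create_connection((host, port))
        client.sendall(b"\x05\x00\x00\x01" + b"\x00" * 6)      # REP=0: succeeded
    except OSError:
        client.close()
        return
    threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
    threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()


class RelayNode:
    """A relay on an ephemeral localhost port (stands in for one compromised router)."""

    def __init__(self):
        self.next_hops_seen = []
        self._sock = socket.socket()
        self._sock.bind(("127.0.0.1", 0))
        self._sock.listen(8)
        self.addr = self._sock.getsockname()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            client, _ = self._sock.accept()
            threading.Thread(target=_serve_socks5, args=(client, self.next_hops_seen),
                             daemon=True).start()


def start_echo_server():
    """Stand-in for the final C2 server: echoes input. Returns its (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_pipe, args=(conn, conn), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def socks5_connect(sock, host, port):
    """Client side of one SOCKS5 CONNECT, spoken over an already-open socket."""
    sock.sendall(b"\x05\x01\x00")                        # greeting: offer "no auth"
    ver, method = _recv_exact(sock, 2)
    if ver != 5 or method != 0:
        raise ConnectionError("relay refused no-auth")
    sock.sendall(b"\x05\x01\x00\x01" + socket.inet_aton(host) + struct.pack("!H", port))
    _ver, rep, _rsv, _atyp = _recv_exact(sock, 4)
    if rep != 0:
        raise ConnectionError(f"CONNECT failed, REP={rep}")
    _recv_exact(sock, 6)                                 # BND.ADDR + BND.PORT (IPv4)


def send_through_chain(chain, destination, payload):
    """One TCP connection to hop 0, then a CONNECT nested inside each tunnel in turn."""
    sock = socket.create_connection(chain[0], timeout=5)
    for host, port in list(chain[1:]) + [destination]:
        socks5_connect(sock, host, port)
    sock.sendall(payload)
    reply = _recv_exact(sock, len(payload))
    sock.close()
    return reply


def demo_chain(message=b"beacon through three relays", hops=3):
    """Build `hops` relays plus an echo server, send one message, report what each hop saw."""
    nodes = [RelayNode() for _ in range(hops)]
    dest = start_echo_server()
    reply = send_through_chain([n.addr for n in nodes], dest, message)
    return {"reply": reply,
            "node_addrs": [n.addr for n in nodes],
            "destination": dest,
            "seen_by_each_hop": [list(n.next_hops_seen) for n in nodes]}
```

Running `demo_chain()` shows hop 0 recording only hop 1's address, hop 1 only hop 2's, and hop 2 only the destination, which is the property the researchers describe. One caveat a defender should keep in mind: in this plain SOCKS chain the inner CONNECT requests pass through earlier hops as cleartext payload, so a hop that chose to parse what it relays could learn the hops beyond its neighbour. Tor closes that gap with per-hop encryption; the article does not say whether Horse Shell does.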
This is not the first time that China-affiliated threat actors have relied on networks of compromised routers to fulfill their strategic objectives.
In 2021, France's National Cybersecurity Agency (ANSSI) detailed an intrusion set orchestrated by APT31 (aka Judgment Panda or Violet Typhoon) that leveraged a piece of sophisticated malware known as Pakdoor (or SoWat) to allow infected routers to communicate with each other.
“This discovery is yet another example of a longstanding trend of Chinese threat actors to exploit internet-connected network devices and modify the underlying software or firmware,” the researchers said.