Chinese State-Sponsored Malware Infects Home Routers

On May 16th 2023, Checkpoint Research revealed that they had been tracking a series of attacks against European foreign affairs entities via malware targeting TP-Link routers. Using a malicious firmware implant, attackers were able to establish a connection between the infected host and their command and control (C2) server. From there they were able to remotely execute commands, initiate file transfers, and obscure their origin by tunneling traffic through the device. This implant, known as “Horse Shell”, was installed on residential and small office routers to build a network of infected devices from which larger attacks could be conducted.

Who’s Responsible?

Checkpoint Research linked the attacks to a Chinese state-sponsored hacking group known as “Camaro Dragon”. The Camaro Dragon APT (Advanced Persistent Threat) group has been linked to a larger group known as “Mustang Panda”. Mustang Panda has been known to carry out and administer attacks on behalf of the Chinese government. Having control over these devices means that these groups can remotely carry out more advanced attacks while also gathering information and routing traffic between the attackers’ servers and the infected host.

Who’s The Target?

Researchers from Checkpoint found that hosts were seemingly infected at random. Because the firmware implant targets home routers in general, it appears to be installed arbitrarily rather than against chosen victims. Checkpoint researchers stated that “In other words, infecting a home router does not mean that the homeowner was specifically targeted, but rather that they are only a means to a goal”.

How Does the Attack Work?

The malicious firmware implant created by Mustang Panda allows attackers to establish a connection with the router to transfer data, execute commands, and hide their origin. What makes this particular implant dangerous is that it is “firmware-agnostic”, meaning that it can be applied to any router regardless of make or model.

The backdoor that attackers use in the attack has been named “Horse Shell” and serves three main functions:

  • Act as a remote shell to execute commands on the infected host
  • Transfer files to and from the infected host (both uploading and downloading)
  • Run a SOCKS5 proxy to hide the attackers’ server IP address and forward packets

Horse Shell allows attackers to execute shell commands on the infected router and instructs the OS to ignore the signals that would normally abort, terminate, or end the process. Horse Shell is then set to run in the background and transfer device data, including IP address, MAC address, OS version, and other identifying device information, to the C2 server. The implant also uses SOCKS5, a protocol that establishes a TCP proxy and obscures the originating IP address. This protocol is commonly used by VPN services to bypass IP address blacklists and view region-locked content. For the purposes of this attack, Mustang Panda is using the protocol to forward packets and data between infected devices without exposing their own infrastructure.
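Because a home router has no legitimate reason to originate SOCKS5 handshakes toward the internet, one practical detection is to look for the SOCKS5 client greeting and CONNECT request (RFC 1928) in traffic leaving the router. The following script is an added example written for this post, not code from Checkpoint Research or from the Horse Shell implant; the packet bytes, the router LAN address 192.168.0.1, and the flow list are constructed samples.

```python
"""Detect SOCKS5 (RFC 1928) client handshakes in captured TCP payloads.

Defensive use: a home router should never originate SOCKS5 CONNECT requests
to the internet; if it does, something on the device is proxying traffic.
All sample payloads and addresses below are constructed for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


@dataclass
class Socks5Request:
    auth_methods: tuple  # methods offered in the greeting (0 = no auth)
    command: str
    host: str
    port: int


def parse_greeting(data: bytes) -> tuple:
    """Parse VER | NMETHODS | METHODS[...]; return (methods, bytes consumed)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        raise ValueError("malformed or truncated greeting")
    return tuple(data[2:2 + nmethods]), 2 + nmethods


def parse_request(data: bytes) -> tuple:
    """Parse VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.

    Returns (command, host, port, bytes consumed)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp, pos = data[1], data[3], 4
    if cmd not in CMD_NAMES:
        raise ValueError(f"unknown SOCKS5 command {cmd}")
    if atyp == ATYP_IPV4:
        raw, pos = data[pos:pos + 4], pos + 4
        host = str(ipaddress.IPv4Address(raw)) if len(raw) == 4 else None
    elif atyp == ATYP_IPV6:
        raw, pos = data[pos:pos + 16], pos + 16
        host = str(ipaddress.IPv6Address(raw)) if len(raw) == 16 else None
    elif atyp == ATYP_DOMAIN:
        if pos >= len(data) or data[pos] == 0:
            raise ValueError("truncated or empty domain name")
        n = data[pos]
        raw, pos = data[pos + 1:pos + 1 + n], pos + 1 + n
        host = raw.decode("ascii", errors="replace") if len(raw) == n else None
    else:
        raise ValueError(f"unknown SOCKS5 address type {atyp}")
    if host is None or len(data) < pos + 2:
        raise ValueError("truncated SOCKS5 request")
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return CMD_NAMES[cmd], host, port, pos + 2


def parse_client_stream(payload: bytes) -> Optional[Socks5Request]:
    """Return the request if `payload` (client-to-server bytes: greeting
    immediately followed by the request, as seen when the server selects
    "no authentication") is a SOCKS5 handshake, otherwise None."""
    try:
        methods, used = parse_greeting(payload)
        command, host, port, _ = parse_request(payload[used:])
    except ValueError:
        return None
    return Socks5Request(methods, command, host, port)


def scan_flows(flows, router_ip: str) -> list:
    """flows: iterable of (src_ip, dst_ip, dst_port, client_payload).
    Returns alert strings for SOCKS5 handshakes originating from the router."""
    alerts = []
    for src, dst, dport, payload in flows:
        req = parse_client_stream(payload)
        if req is not None and src == router_ip:
            alerts.append(f"{src} -> {dst}:{dport} SOCKS5 {req.command} "
                          f"to {req.host}:{req.port}")
    return alerts


# Constructed sample payloads: no-auth greeting followed by a CONNECT request.
SAMPLE_DOMAIN = (b"\x05\x01\x00"
                 + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x01\xbb")
SAMPLE_IPV4 = (b"\x05\x02\x00\x02"
               + b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + b"\x1f\x90")
ROUTER_IP = "192.168.0.1"  # constructed LAN address of the router
SAMPLE_FLOWS = [
    ("192.168.0.23", "198.51.100.7", 443, b"\x16\x03\x01\x02\x00\x01"),  # TLS hello
    (ROUTER_IP, "198.51.100.9", 1080, SAMPLE_DOMAIN),                    # suspicious
    ("192.168.0.23", "198.51.100.9", 1080, SAMPLE_IPV4),                  # a PC using a proxy
]

if __name__ == "__main__":
    for line in scan_flows(SAMPLE_FLOWS, ROUTER_IP):
        print(line)
```

The parser only recognizes the "no authentication" flow, where the client's request follows its greeting directly; a handshake that negotiates username/password authentication carries an extra sub-negotiation between the two and would need one more parsing step. In practice the payload would come from a span port or a packet capture on the WAN side of the router.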

TP-Link routers, like most home routers, have a web portal that users can access in order to change settings or view details about their devices. The Horse Shell implant prevents users from getting rid of the malicious firmware by altering the HTML of the portal so that users can no longer see the option to update or replace their firmware. While there are still other ways to update or change a router’s firmware, they are often too technical for a home user without programming knowledge.
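A defender who keeps a copy of what the router’s admin menu is supposed to contain can catch this kind of tampering by diffing the live page against that baseline, flagging entries that have been removed or hidden. The script below is an added example written for this post, not TP-Link’s portal code or anything from the Checkpoint report; the menu HTML, the page paths such as `/firmware.html`, and the baseline are constructed samples, since the real portal markup is not shown on this page.

```python
"""Compare the navigation links of a router admin page against a saved
baseline and report links that are missing or hidden with CSS/attributes.

A menu entry that vanishes or is hidden (for example a firmware upgrade
page) is one sign of a tampered web interface. The HTML below is a
constructed sample, not any vendor's actual portal markup.
"""
from html.parser import HTMLParser

VOID_TAGS = {"br", "img", "input", "hr", "meta", "link"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a>, noting whether the
    anchor or any ancestor is hidden via `hidden` or display:none."""

    def __init__(self):
        super().__init__()
        self._stack = []      # (tag, is_hidden) for open non-void elements
        self._href = None     # href of the <a> currently open, if any
        self._text = []
        self.links = {}       # (href, text) -> visible (bool)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "hidden" in a or "display:none" in style
        if tag not in VOID_TAGS:
            self._stack.append((tag, hidden))
        if tag == "a":
            self._href = a.get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            visible = not any(h for _, h in self._stack)
            self.links[(self._href, text)] = visible
            self._href = None
        while self._stack:             # pop back to the matching open tag
            open_tag, _ = self._stack.pop()
            if open_tag == tag:
                break


def extract_links(html: str) -> dict:
    p = LinkExtractor()
    p.feed(html)
    p.close()
    return p.links


def baseline_from(html: str) -> set:
    """Record every visible link of a known-good page as the baseline."""
    return {entry for entry, visible in extract_links(html).items() if visible}


def audit_menu(html: str, baseline: set) -> dict:
    """Return baseline entries that are absent or hidden in `html`."""
    found = extract_links(html)
    return {
        "missing": {e for e in baseline if e not in found},
        "hidden": {e for e in baseline if e in found and not found[e]},
    }


# Constructed sample pages: a clean menu and a tampered copy in which the
# password page was deleted and the firmware page was hidden with CSS.
CLEAN_PAGE = """<ul id="nav">
<li><a href="/status.html">Status</a></li>
<li><a href="/wireless.html">Wireless</a></li>
<li><a href="/firmware.html">Firmware Upgrade</a></li>
<li><a href="/password.html">Password</a></li>
</ul>"""
TAMPERED_PAGE = """<ul id="nav">
<li><a href="/status.html">Status</a></li>
<li><a href="/wireless.html">Wireless</a></li>
<li style="display: none"><a href="/firmware.html">Firmware Upgrade</a></li>
</ul>"""

if __name__ == "__main__":
    base = baseline_from(CLEAN_PAGE)
    print(audit_menu(TAMPERED_PAGE, base))
```

The baseline should be captured once from a freshly updated router and stored off the device, then re-checked on a schedule by fetching the portal from a trusted machine on the LAN. The check is deliberately simple: it only looks at anchors and inline hiding, so a menu that is rendered entirely by JavaScript would need the page to be fetched with a headless browser instead of a plain HTTP client.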

Checkpoint Research does not know how attackers are initially able to gain access to the routers, but theorizes that either passive scanning for known vulnerabilities or targeting devices with weak passwords is the most likely scenario. This underscores the need to keep your devices up to date and to choose complex passwords to secure them. While homeowners rarely think about updating their routers, these patches often contain important security fixes that can prevent attacks like this. Additionally, changing the default password of your router’s configuration portal should be your first step when setting it up.

What Can You Do?

To avoid becoming a victim of these types of attacks, there are a few practical steps you can take. It is believed that attackers were able to gain access to these routers via weak security configurations and passwords. You should always make sure that your networking devices, computers, and smart devices are consistently updated and patched. Oftentimes these updates come with important security fixes that are intended to close these types of vulnerabilities. You should also make sure to change the default username and password of your router when you set it up. These routers often come with basic login credentials that can be easily brute forced. When choosing a password, make sure it is complex, unique, and contains letters, numbers, and special characters.

As always, if you feel you are under attack, contact CorpInfoTech to secure your business and its data!

CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.

This website is for informational and educational purposes only and does not render professional advice, nor is it a substitute for dedicated professional guidance from a competent and duly accredited cybersecurity professional specific to your needs and implementation. There is no endorsement of any kind for products or services listed on this website; it is entirely the reader’s responsibility to conduct appropriate due diligence and due care in selecting and engaging with any product or service.
