Hackers Infect TP-Link Router Firmware to Attack EU Entities

Cyber Security Threat Summary:
“A Chinese state-sponsored hacking group named "Camaro Dragon" infects residential TP-Link routers with a custom "Horse Shell" malware used to attack European foreign affairs organizations. The backdoor malware is deployed in a custom and malicious firmware designed specifically for TP-Link routers so that the hackers can launch attacks appearing to originate from residential networks” (Bleeping Computer, 2023).

Check Point researchers point out that these attacks appear to target residential and home networks rather than sensitive networks specifically. Homeowners were most likely not targeted directly; instead, vulnerable devices were compromised opportunistically so that attackers could use them as needed.

The malware gives threat actors full access to the device, which they can use to run shell commands, upload and download files, and turn the device into a SOCKS proxy that relays communication between devices.

The Horse Shell TP-Link firmware implant was discovered by Check Point Research in January 2023; the researchers say the hackers' activity overlaps with the Chinese "Mustang Panda" hacking group recently detailed in Avast and ESET reports. Check Point tracks this activity separately under the "Camaro Dragon" name for the activity cluster despite the similarities and considerable overlap with Mustang Panda.

The attribution was made based on attackers' server IP addresses, requests featuring hard-coded HTTP headers found on various Chinese websites, many typos in the binary code that show the author isn't a native English speaker, and functional similarities of the trojan with the APT31 "Pakdoor" router implant.

Security Officer Comments:
Check Point has not yet determined how the attackers were able to infect the TP-Link routers with a malicious firmware image, but said they are likely either exploiting a vulnerability or have brute-forced the administrator's credentials. After gaining access to the device’s management interface, the threat actor will update the device with a custom firmware image. Through investigation, Check Point found two samples of trojanized firmware images for TP-Link routers, both containing extensive modifications and file additions.

Check Point was able to compare the malicious firmware with the legitimate version and found that the kernel and uBoot sections were identical. The difference was that the malicious firmware used a custom SquashFS filesystem. This additional file component was part of the Horse Shell backdoor implant. "Parts of it are internally named Horse Shell so we use it to name the implant as a whole. The implant provides the attacker with 3 main functionalities: remote shell, file transfer, and tunneling," explains Check Point.
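The comparison described above (bootloader and kernel unchanged, root filesystem swapped) is the kind of check a defender can automate. The following is an added example, not Check Point's tooling: it splits two firmware images into sections by scanning for the U-Boot legacy image magic and the SquashFS superblock magic, hashes each section, and reports which sections differ. The sample images are constructed byte strings, not real TP-Link dumps; on real images a proper unpacker such as binwalk should be used to establish section offsets, since scanning for magic values is only a heuristic.

```python
import hashlib

# Magic values used to locate sections. The sample images below are constructed
# for this example; their layout only mimics the bootloader / kernel / rootfs
# ordering found in real images.
UIMAGE_MAGIC = b"\x27\x05\x19\x56"   # U-Boot legacy image header (kernel)
SQUASHFS_MAGIC = b"hsqs"             # SquashFS superblock, little-endian


def find_sections(image):
    """Return {name: (start, end)} for the recognised sections of an image.

    Everything before the first recognised magic is treated as the bootloader
    region; each section runs until the next magic or the end of the image.
    """
    marks = []
    for name, magic in (("kernel", UIMAGE_MAGIC), ("rootfs", SQUASHFS_MAGIC)):
        off = image.find(magic)
        if off != -1:
            marks.append((off, name))
    marks.sort()
    if not marks:
        return {"unknown": (0, len(image))}
    sections = {}
    if marks[0][0] > 0:
        sections["bootloader"] = (0, marks[0][0])
    for i, (start, name) in enumerate(marks):
        end = marks[i + 1][0] if i + 1 < len(marks) else len(image)
        sections[name] = (start, end)
    return sections


def section_hashes(image):
    """SHA-256 of each section so images can be compared section by section."""
    return {name: hashlib.sha256(image[s:e]).hexdigest()
            for name, (s, e) in find_sections(image).items()}


def compare_images(reference, suspect):
    """Per-section verdict: identical, modified, missing in suspect, only in suspect."""
    ref, sus = section_hashes(reference), section_hashes(suspect)
    verdict = {}
    for name in sorted(set(ref) | set(sus)):
        if name not in ref:
            verdict[name] = "only in suspect"
        elif name not in sus:
            verdict[name] = "missing in suspect"
        elif ref[name] == sus[name]:
            verdict[name] = "identical"
        else:
            verdict[name] = "modified"
    return verdict


def build_image(bootloader, kernel_payload, rootfs_payload):
    """Assemble a constructed image: bootloader, uImage kernel, SquashFS rootfs."""
    return bootloader + UIMAGE_MAGIC + kernel_payload + SQUASHFS_MAGIC + rootfs_payload


# Constructed samples: same bootloader and kernel, different root filesystem,
# which is the pattern the text describes for the trojanized TP-Link images.
REFERENCE_IMAGE = build_image(b"BOOT" * 16, b"K" * 64, b"vendor-rootfs" * 8)
SUSPECT_IMAGE = build_image(b"BOOT" * 16, b"K" * 64, b"rootfs-with-extra-files" * 8)

if __name__ == "__main__":
    for name, verdict in compare_images(REFERENCE_IMAGE, SUSPECT_IMAGE).items():
        print(f"{name:<11} {verdict}")
```

Run against a vendor image and the image currently on the device, the script isolates the modified section instead of reporting only that the whole-file hash differs; the vendor's published checksum alone cannot tell you whether the change is in the kernel or the filesystem.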

The firmware will also modify the management web panel, which prevents the device's owner from flashing a new firmware image to the router, allowing for a persistent infection. The backdoor implant will instruct the OS not to terminate its process when the SIGPIPE, SIGINT, or SIGABRT signals are delivered. The backdoor also connects to the attacker-controlled command and control server to send the victim's machine profile, including username, OS version, time, device information, IP address, MAC address, and supported implant features.

Horse Shell will now quietly run in the background waiting for one of the following three commands:

Start a remote shell providing the threat actors full access to the compromised device.
Perform file transfer activities, including uploading and downloading, basic file manipulation, and directory enumeration.
Start tunneling to obfuscate the origin and destination of the network traffic and hide the C2 server address.

The researchers say the Horse Shell firmware implant is firmware-agnostic, so it could theoretically work in firmware images for other routers from different vendors. State-sponsored hackers are increasingly targeting routers and other edge networking devices because they are often overlooked when security measures are implemented. They can serve as stealthy initial access points and can obfuscate the threat actors' activity.

Edge network devices have become a popular target for state-sponsored threat actors, with Chinese hackers previously targeting Fortinet VPN and SonicWall SMA routers with custom firmware implants. More recently, the UK NCSC and US CISA cybersecurity agencies warned that Russian state-sponsored threat actors were also breaching Cisco routers to install custom malware.

MITRE ATT&CK:

T1542.001 - Pre-OS Boot: System Firmware
After gaining access to the device’s management interface, the threat actor will update the device with a custom firmware image.

T1495 - Firmware Corruption
The firmware will also modify the management web panel, which prevents the device’s owner from flashing a new firmware image to the router, allowing for a persistent infection.

T1543.004 - Create or Modify System Process: Launch Daemon
When the Horse Shell backdoor implant is initialized, it will instruct the OS not to terminate its process when the SIGPIPE, SIGINT, or SIGABRT signals are delivered, and it converts itself into a daemon to run in the background.
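The signal-handling behaviour noted here and in the Security Officer Comments leaves a footprint on a Linux system: a process that ignores a signal has the corresponding bit set in the SigIgn mask exposed through /proc/PID/status. The following is an added example, not part of the original report or Check Point's tooling, showing how to read that mask and flag processes that ignore SIGPIPE, SIGINT and SIGABRT together. The status text used for the samples is constructed; the field names and the bit layout (bit n-1 for signal n) are the real /proc format, and the three signal numbers used are the same on x86, ARM and MIPS.

```python
import os
import re

# Linux signal numbers for the three signals named in the report. These values
# are identical on x86, ARM and the MIPS cores common in consumer routers.
SIGNALS_OF_INTEREST = {"SIGINT": 2, "SIGABRT": 6, "SIGPIPE": 13}


def parse_status_field(status_text, field):
    """Return the value of a 'Field:\\tvalue' line from /proc/PID/status, or None."""
    match = re.search(r"^" + re.escape(field) + r":\s*(\S+)", status_text, re.MULTILINE)
    return match.group(1) if match else None


def ignored_signals(status_text):
    """Names of the watched signals whose bit is set in the SigIgn mask.

    The mask is a hexadecimal bitmap in which bit (n - 1) stands for signal n.
    """
    mask_hex = parse_status_field(status_text, "SigIgn")
    if mask_hex is None:
        return set()
    mask = int(mask_hex, 16)
    return {name for name, num in SIGNALS_OF_INTEREST.items() if mask & (1 << (num - 1))}


def is_suspicious(status_text):
    """Flag only when all three signals are ignored together.

    Ignoring SIGPIPE alone is routine for network daemons, so a single-signal
    rule would be noisy; the combination described in the report is rarer.
    """
    return ignored_signals(status_text) == set(SIGNALS_OF_INTEREST)


def scan_proc(proc_root="/proc"):
    """Walk /proc on a live Linux host and return [(pid, name)] for matches."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as handle:
                text = handle.read()
        except OSError:
            continue  # process exited or is not readable
        if is_suspicious(text):
            findings.append((int(entry), parse_status_field(text, "Name")))
    return findings


# Constructed /proc/PID/status excerpts. 0x1022 sets bits 1, 5 and 12, i.e.
# SIGINT (2), SIGABRT (6) and SIGPIPE (13); 0x1000 sets only the SIGPIPE bit.
SAMPLE_SUSPICIOUS = """Name:\tnetwatch
Pid:\t1337
SigPnd:\t0000000000000000
SigBlk:\t0000000000000000
SigIgn:\t0000000000001022
SigCgt:\t0000000000000000
"""

SAMPLE_BENIGN = """Name:\thttpd
Pid:\t412
SigPnd:\t0000000000000000
SigBlk:\t0000000000000000
SigIgn:\t0000000000001000
SigCgt:\t0000000000004001
"""

if __name__ == "__main__":
    for label, text in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, sorted(ignored_signals(text)), is_suspicious(text))
    if os.path.isdir("/proc"):
        for pid, name in scan_proc():
            print(f"pid {pid} ({name}) ignores SIGINT, SIGABRT and SIGPIPE")
```

On a router the same check can be run from a shell with `grep SigIgn /proc/*/status`, but the mask still has to be decoded bit by bit; the point of the example is the decoding and the decision to alert only on the full combination, since the mask alone does not distinguish a daemonized implant from a legitimate service that happens to ignore SIGPIPE.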

TA0011 - Command and Control
The backdoor also connects to the attacker-controlled command and control server to send the victim's machine profile.

T1087.001 - Account Discovery: Local Account
T1082 - System Information Discovery
T1124 - System Time Discovery
T1016 - System Network Configuration Discovery
The backdoor also connects to the attacker-controlled command and control server to send the victim's machine profile, including username, OS version, time, device information, IP address, MAC address, and supported implant features.

T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Starts a remote shell providing the threat actors full access to the compromised device.

T1572 - Protocol Tunneling
Starts tunneling to obfuscate the origin and destination of the network traffic and hide the C2 server address.

T1041 - Exfiltration Over C2 Channel
Performs file transfer activities, including uploading and downloading, basic file manipulation, and directory enumeration.

Suggested Correction(s):
Users are advised to apply the latest firmware update for their router model to patch any existing vulnerabilities and to change the default admin password to a strong one. More critically, disable remote access to the device's admin panel so that it is reachable only from the local network.

Link(s):
https://www.bleepingcomputer.com/
https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/