
The Chinese nation-state actor known as Mustang Panda is believed to be associated with a series of highly targeted attacks against European diplomatic institutions since January 2023.
According to Check Point researchers Itay Cohen and Radoslaw Madej, analysis of these intrusions revealed custom firmware implants designed specifically for TP-Link routers.
“This implant includes a custom backdoor named ‘Horse Shell’ that allows attackers to maintain persistent access, build anonymous infrastructure, and move laterally into compromised networks. It contains a malicious component,” the company said.
“The firmware-agnostic design allows the implant’s components to integrate with different firmwares from different vendors.”

The Israeli cybersecurity firm tracks this threat group under the name Camaro Dragon. The group is also known as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta and Red Lich.
The exact method used to deploy the compromised firmware image to the infected routers is unknown at this time, as is its use and role in the actual attacks. It is suspected that initial access may have been obtained by exploiting known security flaws or by brute-forcing devices with default or easily guessed passwords.
Notably, the C++-based Horse Shell implant allows an attacker to execute arbitrary shell commands, upload and download files to and from the router, and relay communication between two different clients. It means that

However, in an interesting twist, the router backdoor is believed to target arbitrary devices on residential and home networks, suggesting that compromised routers are being incorporated into a mesh network for the purpose of “creating a chain” of nodes between the infections and the actual command and control.
The idea is that when SOCKS tunnels are used to relay communication between infected routers, each node in the chain only holds information about the nodes immediately before and after it, introducing an extra layer of anonymity that obscures the final server.
In other words, these techniques obfuscate the source and destination of traffic in a manner similar to Tor, making the scope of an attack more difficult to detect and stop.
The researchers explained that “if one node in the chain is compromised or goes down, an attacker can still maintain communication with the C2 by routing traffic through another node in the chain.”
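The chained-relay design described above, as a small added model (not Check Point's code or analysis; node names and topology are constructed): each node records only its immediate neighbours, so a single seized node reveals little about the rest of the chain, and traffic can be rerouted around a node that goes down.

```python
from collections import defaultdict, deque


class RelayChain:
    """Directed graph of relay nodes. Each node only records its immediate
    upstream and downstream neighbours, mirroring the per-node visibility
    the article describes for SOCKS-chained routers."""

    def __init__(self):
        self.next_hops = defaultdict(set)   # node -> downstream nodes
        self.prev_hops = defaultdict(set)   # node -> upstream nodes
        self.down = set()                   # nodes seized or offline

    def add_link(self, src, dst):
        self.next_hops[src].add(dst)
        self.prev_hops[dst].add(src)

    def local_view(self, node):
        """What an analyst learns from one seized node: only the nodes
        directly before and after it, never the full path or the C2."""
        return self.prev_hops[node] | self.next_hops[node]

    def mark_down(self, node):
        self.down.add(node)

    def route(self, start, target):
        """Breadth-first search for a path that avoids downed nodes.
        Returns the hop list, or None if the target is unreachable."""
        if start in self.down or target in self.down:
            return None
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            if path[-1] == target:
                return path
            for nxt in sorted(self.next_hops[path[-1]]):
                if nxt not in seen and nxt not in self.down:
                    seen.add(nxt)
                    queue.append(path + [nxt])
        return None


def build_example_chain():
    # Constructed topology: one infected host, three relay routers, one C2.
    chain = RelayChain()
    for src, dst in [("infected-host", "router-a"), ("router-a", "router-b"),
                     ("router-a", "router-c"), ("router-b", "c2-server"),
                     ("router-c", "c2-server")]:
        chain.add_link(src, dst)
    return chain
```

Seizing router-a exposes only the infected host and the two next relays, not the C2; taking router-b offline leaves a path through router-c.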
This is not the first time China-linked actors have relied on a network of compromised routers to achieve their strategic goals.
In 2021, the French National Cyber Security Agency (ANSSI) detailed an intrusion set orchestrated by APT31 (aka Judgment Panda or Violet Typhoon) that used advanced malware known as Pakdoor (or SoWat) to allow infected routers to communicate with each other.
“This finding is yet another example of a long-standing trend of Chinese threat actors exploiting Internet-connected network devices to modify their underlying software and firmware,” the researchers said.