
Hackers infect TP-Link router firmware to attack EU entities




Posted May 16, 2023, 12:25 PM


A Chinese state-sponsored hacking group named "Camaro Dragon" infects residential TP-Link routers with a custom "Horse Shell" malware used to attack European foreign affairs organizations.
The backdoor malware is deployed in a custom and malicious firmware designed specifically for TP-Link routers so that the hackers can launch attacks appearing to originate from residential networks.
"It is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks," explains the Check Point report.
"Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers."
The deployed malware allows the threat actors full access to the device, including running shell commands, uploading and downloading files, and using it as a SOCKS proxy to relay communication between devices.
The Horse Shell TP-Link firmware implant was discovered by Check Point Research in January 2023, which says the hackers' activity overlaps with that of the Chinese "Mustang Panda" hacking group recently detailed in Avast and ESET reports.
Check Point tracks this activity separately using the "Camaro Dragon" name for the activity cluster despite the similarities and considerable overlap with Mustang Panda.
The attribution was made based on attackers' server IP addresses, requests featuring hard-coded HTTP headers found on various Chinese websites, many typos in the binary code that show the author isn't a native English speaker, and functional similarities of the trojan with the APT31 "Pakdoor" router implant.

TP-Link firmware implant

While Check Point has not determined how the attackers infect TP-Link routers with the malicious firmware image, they said it could be by exploiting a vulnerability or brute-forcing the administrator's credentials.
Once a threat actor gains admin access to the management interface, they can remotely update the device with the custom firmware image.
Through investigation, Check Point found two samples of trojanized firmware images for TP-Link routers, both containing extensive modifications and file additions.
Check Point compared the malicious TP-Link firmware with a legitimate version and found that the kernel and uBoot sections were the same. However, the malicious firmware utilized a custom SquashFS filesystem that contained additional malicious file components that are part of the Horse Shell backdoor malware implant.
"Parts of it are internally named Horse Shell so we use it to name the implant as a whole. The implant provides the attacker with 3 main functionalities: remote shell, file transfer, and tunneling," explains Check Point.
The firmware also modifies the management web panel, preventing the device's owner from flashing a new firmware image for the router and ensuring the persistence of the infection.
Standard firmware (left) and trojanized firmware (right) preventing firmware updates (Check Point)
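The section-by-section comparison Check Point describes (kernel and uBoot identical, SquashFS modified) can be reproduced on any two images with a small script. The following is an added example, not Check Point's tooling or code from the original article; the uBoot length is an assumed vendor-layout constant and the two images are constructed byte strings, not real TP-Link firmware.

```python
import hashlib

# SquashFS superblock magic (little-endian "hsqs"); used to locate the
# start of the root filesystem inside a raw firmware image.
SQUASHFS_MAGIC = b"hsqs"


def split_sections(image: bytes, uboot_len: int) -> dict:
    """Split an image into uBoot, kernel and SquashFS regions.

    uboot_len is assumed to be known from the vendor's partition layout;
    the SquashFS start is found by scanning for its magic after uBoot.
    """
    fs_start = image.find(SQUASHFS_MAGIC, uboot_len)
    if fs_start < 0:
        raise ValueError("no SquashFS superblock found in image")
    return {
        "uboot": image[:uboot_len],
        "kernel": image[uboot_len:fs_start],
        "squashfs": image[fs_start:],
    }


def section_hashes(image: bytes, uboot_len: int) -> dict:
    """SHA-256 of each region, so regions can be compared independently."""
    return {name: hashlib.sha256(blob).hexdigest()
            for name, blob in split_sections(image, uboot_len).items()}


def compare_firmware(reference: bytes, suspect: bytes, uboot_len: int) -> dict:
    """Map each section name to True if unchanged, False if modified."""
    ref = section_hashes(reference, uboot_len)
    sus = section_hashes(suspect, uboot_len)
    return {name: ref[name] == sus[name] for name in ref}


# Constructed sample images (not real firmware): same uBoot and kernel
# regions, but the suspect SquashFS carries an extra file entry.
UBOOT_LEN = 16
REFERENCE = (b"UBOOT-STAGE-0000" + b"KERNEL-IMAGE-v1"
             + SQUASHFS_MAGIC + b"/bin/busybox")
SUSPECT = (b"UBOOT-STAGE-0000" + b"KERNEL-IMAGE-v1"
           + SQUASHFS_MAGIC + b"/bin/busybox/usr/bin/extra")

if __name__ == "__main__":
    for section, same in compare_firmware(REFERENCE, SUSPECT, UBOOT_LEN).items():
        print(f"{section:9s} {'unchanged' if same else 'MODIFIED'}")
```

On a real image the only change needed is reading the two files from disk and supplying the vendor's actual uBoot partition size.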

The Horse Shell backdoor

When the Horse Shell backdoor implant is initialized, it instructs the OS not to terminate its process when the SIGPIPE, SIGINT, or SIGABRT signals are delivered, and daemonizes itself to run in the background.
The backdoor will then connect to the command and control (C2) server to send the victim's machine profile, including the user name, OS version, time, device information, IP address, MAC address, and supported implant features.
Horse Shell then runs quietly in the background, waiting for one of the following three commands:
  1. Start a remote shell providing the threat actors full access to the compromised device.
  2. Perform file transfer activities, including uploading and downloading, basic file manipulation, and directory enumeration.
  3. Start tunneling to obfuscate the origin and destination of the network traffic and hide the C2 server address.
Supported tunneling sub-commands (Check Point)
The researchers say the Horse Shell firmware implant is firmware-agnostic, so it could theoretically work in firmware images for other routers by different vendors.
It's not surprising to see state-sponsored hackers targeting poorly secured routers, often targeted by botnets for DDoS attacks or crypto-mining operations. This is because routers are often overlooked when implementing security measures and can act as a stealthy launchpad for attacks, obfuscating the attacker's origin.
Users are advised to apply the latest firmware update for their router model to patch any existing vulnerabilities and to change the default admin password to a strong one. Even more importantly, disable remote access to the device's admin panel so that it is reachable only from the local network.

A recurring theme

Edge network devices have become a popular target for state-sponsored threat actors, with Chinese hackers previously targeting Fortinet VPN and SonicWall SMA routers with custom firmware implants.
More recently, the UK NCSC and US CISA cybersecurity agencies warned that Russian state-sponsored threat actors were also breaching Cisco routers to install custom malware.
As these devices do not commonly support EDR (Endpoint Detection and Response) security solutions, threat actors can use them to steal data, spread laterally, and conduct further attacks with less opportunity for detection.
"There's a recurring theme of continued China-nexus cyber espionage focus on network appliances, IOT devices, etc. that don't support EDR solutions," Mandiant CTO Charles Carmakal told BleepingComputer.
For this reason, it is vital for network admins to install all available security patches on edge devices as soon as they become available and not publicly expose management consoles.
Oh, we are going to be busy at work! Fortunately none of the hardware we deploy is listed (yet). There is the customer-supplied stuff that isn't our direct responsibility, but it does touch our network. Man, this is some devious stuff. The home networking gear I can understand, but to penetrate enterprise-grade networking gear. The scary part is, according to the article, they are unsure how the compromised firmware makes its way into the hardware. We keep sniffers on all our network activity, so hopefully that kind of traffic would be reported. You have to wonder, since this has gone on for so long, how it's been unnoticed. Looks like Chinese networking gear is not going to be very popular if it's an inside job, which it almost would have to be.
IT used to have some integrity, now it looks like they have to police it top to bottom. Computers are a very powerful weapon.