17 May 2023

Chinese hackers infect TP-Link routers with custom malware implant


A new China-linked state-sponsored threat actor is said to have been responsible for a series of targeted attacks against TP-Link routers belonging to European foreign affairs entities.

Dubbed “Camaro Dragon” by Check Point Research, the group shares similarities with previous campaigns attributed to state-sponsored Chinese threat actors, namely Mustang Panda.

The campaign was discovered while analyzing attacks on officials in multiple European countries that Check Point has been tracking since January 2023. While examining files and infrastructure associated with the campaign, the researchers found a trove of files and payloads, among them two TP-Link router firmware images that had been modified to add several malicious components to the original firmware. One of these components is a custom MIPS32 ELF implant dubbed “Horse Shell,” used for persistence and lateral movement.

Horse Shell comes with a variety of functions, including the ability to run shell commands on the infected router, upload and download files to and from the device, and relay communication between different clients (SOCKS tunneling).

Check Point says that “the deployment method of the firmware images on the infected routers is still unclear, as well as its usage and involvement in actual intrusions,” noting that “due to its firmware-agnostic design, the implant’s components can be integrated into various firmware by different vendors.”

The working theory is that the attackers gain access to the devices by exploiting known vulnerabilities or by targeting routers that use default, weak, or easily guessable passwords.

“The goal of the attackers appears to be the creation of a chain of nodes between main infections and real command and control, and if so, they would likely be installing the implant on arbitrary devices with no particular interest,” Check Point says. “It is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks. Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers.”
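The modified firmware images described above were detected by finding extra components, among them a MIPS32 ELF binary, grafted onto otherwise legitimate vendor firmware. The following is an added example written for this page, not Check Point's tooling or any TP-Link code: it shows two checks a defender can run on a downloaded or extracted firmware image, comparing its SHA-256 against a known-good vendor hash and scanning the blob for embedded ELF headers so that unexpected MIPS32 executables stand out. The sample images, the "known-good" hash, and the placement of the headers are all constructed inline for the demonstration.

```python
import hashlib
import struct

# ELF constants (from the ELF specification)
ELF_MAGIC = b"\x7fELF"
EM_MIPS = 8                      # e_machine value for MIPS
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "little-endian", 2: "big-endian"}


def build_elf_prefix(elf_class, endian, e_type, e_machine):
    """Build the first 20 bytes of an ELF header (e_ident + e_type + e_machine).

    Used only to construct sample data for this example.
    """
    fmt = "<HH" if endian == 1 else ">HH"
    ident = ELF_MAGIC + bytes([elf_class, endian, 1]) + bytes(9)  # EI_VERSION=1, rest padding
    return ident + struct.pack(fmt, e_type, e_machine)


def find_elf_headers(blob):
    """Locate every plausible ELF header in a firmware blob.

    Returns a list of dicts with offset, class, byte order, e_type and e_machine.
    A bare magic match is not enough: the class and data-encoding bytes must
    also be valid, which filters out most accidental 0x7f 'E' 'L' 'F' sequences.
    """
    found = []
    pos = blob.find(ELF_MAGIC)
    while pos != -1:
        if pos + 20 <= len(blob):
            elf_class, endian = blob[pos + 4], blob[pos + 5]
            if elf_class in ELF_CLASS and endian in ELF_DATA:
                fmt = "<HH" if endian == 1 else ">HH"
                e_type, e_machine = struct.unpack_from(fmt, blob, pos + 16)
                found.append({
                    "offset": pos,
                    "class": ELF_CLASS[elf_class],
                    "data": ELF_DATA[endian],
                    "e_type": e_type,
                    "e_machine": e_machine,
                })
        pos = blob.find(ELF_MAGIC, pos + 1)
    return found


def flag_mips32(headers):
    """Return only the 32-bit MIPS ELF objects, the class the article's implant belongs to."""
    return [h for h in headers if h["class"] == "ELF32" and h["e_machine"] == EM_MIPS]


def verify_image(blob, expected_sha256):
    """Compare an image's SHA-256 with the hash published by the vendor.

    Returns (matches, actual_digest). Any mismatch means the image is not the
    vendor's build and deserves the structural scan below.
    """
    digest = hashlib.sha256(blob).hexdigest()
    return digest == expected_sha256, digest


def triage_image(blob, expected_sha256):
    """Run both checks and summarise the result for an analyst."""
    ok, digest = verify_image(blob, expected_sha256)
    headers = find_elf_headers(blob)
    return {
        "hash_matches_vendor": ok,
        "sha256": digest,
        "elf_count": len(headers),
        "mips32_offsets": [h["offset"] for h in flag_mips32(headers)],
    }


# --- constructed sample data (not real firmware) ---------------------------
# A "clean" vendor image: filler bytes only, no embedded ELF objects.
CLEAN_IMAGE = b"TPLINK-FW-SAMPLE" + bytes(64)
# The hash an analyst would obtain from the vendor's download page; here it is
# simply computed from the constructed clean image.
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_IMAGE).hexdigest()

# A "modified" image: the same filler with a MIPS32 big-endian executable and an
# x86-64 shared object spliced in at known offsets.
MODIFIED_IMAGE = (
    bytes(32)                                   # offset 0..31: filler
    + build_elf_prefix(1, 2, 2, EM_MIPS)        # offset 32: ELF32, big-endian, ET_EXEC, MIPS
    + b"\xff" * 16                              # offset 52..67: filler
    + build_elf_prefix(2, 1, 3, 0x3E)           # offset 68: ELF64, little-endian, ET_DYN, x86-64
    + bytes(8)
)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("modified", MODIFIED_IMAGE)):
        print(name, triage_image(img, KNOWN_GOOD_SHA256))
```

On a real image the hash check is the cheap first step; the ELF scan is the second because a repacked firmware can pass casual inspection while still carrying a foreign executable. In practice one would run the scan on the extracted root filesystem as well, since compressed filesystems (for example SquashFS) hide embedded headers from a raw byte search.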
