A new China-linked state-sponsored threat actor is said to have been responsible for a series of targeted attacks against TP-Link routers belonging to European foreign affairs entities.
Dubbed “Camaro Dragon” by Check Point Research, the group shares similarities with previous campaigns attributed to state-sponsored Chinese threat actors, namely Mustang Panda.
The campaign was discovered while analyzing attacks on officials in multiple European countries that Check Point has been tracking since January 2023. During analysis of files and infrastructure associated with the campaign, the researchers found a trove of files and payloads, among them two TP-Link router firmware images that had been modified to add several malicious components to the original firmware, including a custom MIPS32 ELF implant dubbed “Horse Shell” that is used for persistence and lateral movement.
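The modified firmware images described above were found by comparing them with the original firmware. The following is an added example, not code from Check Point or TP-Link, of how a defender can do the same kind of check: given two extracted firmware root filesystems (a known-good baseline and a suspect image), it hashes every file, reports what was added, modified or removed, and flags any added or changed file whose ELF header identifies it as a MIPS32 binary, which is the architecture of the implant named in the article. The directory layout, file names and the ELF header bytes used as sample input are constructed for this example; the ELF field offsets and the `EM_MIPS` value come from the ELF specification.

```python
"""Diff an extracted firmware tree against a known-good baseline and flag
added or modified MIPS32 ELF binaries. Added example; all sample paths and
bytes below are constructed, not taken from a real firmware image."""
import hashlib
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1  # e_ident[EI_CLASS] value for 32-bit objects
EM_MIPS = 8     # e_machine value for MIPS (ELF specification)

# Constructed 20-byte header: ELF magic, 32-bit class, big-endian data,
# version 1, padding, e_type=EXEC, e_machine=MIPS. Not a real binary.
MIPS32_BE_ELF_HEADER = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + b"\x00\x02" + b"\x00\x08"


def describe_elf(data: bytes):
    """Return (elf_class, endianness, e_machine) from an ELF header, or None
    if the bytes do not start with an ELF header."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    elf_class = data[4]
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = LSB, 2 = MSB
    (machine,) = struct.unpack(endian + "H", data[18:20])  # e_machine at offset 18
    return elf_class, endian, machine


def is_mips32_elf(data: bytes) -> bool:
    """True when the header describes a 32-bit MIPS ELF object."""
    info = describe_elf(data)
    return info is not None and info[0] == ELFCLASS32 and info[2] == EM_MIPS


def manifest(root: str) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root)] = digest
    return result


def diff_firmware(baseline_root: str, suspect_root: str) -> dict:
    """Compare two extracted firmware trees and report added, modified and
    removed files, plus which added/modified files are MIPS32 ELF binaries."""
    base = manifest(baseline_root)
    susp = manifest(suspect_root)
    added = sorted(set(susp) - set(base))
    removed = sorted(set(base) - set(susp))
    modified = sorted(p for p in set(base) & set(susp) if base[p] != susp[p])
    mips32_elf = []
    for rel in added + modified:
        with open(os.path.join(suspect_root, rel), "rb") as fh:
            if is_mips32_elf(fh.read(20)):  # only the header is needed
                mips32_elf.append(rel)
    return {"added": added, "modified": modified, "removed": removed,
            "mips32_elf": mips32_elf}


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_trees():
    """Create two constructed firmware trees in temp dirs: a baseline and a
    suspect copy with one changed config file and one added MIPS32 binary."""
    baseline = tempfile.mkdtemp(prefix="fw_baseline_")
    suspect = tempfile.mkdtemp(prefix="fw_suspect_")
    for root in (baseline, suspect):
        _write(root, "bin/busybox", MIPS32_BE_ELF_HEADER + b"\x00" * 32)
    _write(baseline, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
    _write(suspect, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\nsvc:x:1:1::/:/bin/sh\n")
    _write(suspect, "usr/bin/added_binary", MIPS32_BE_ELF_HEADER + b"\x00" * 32)
    return baseline, suspect


if __name__ == "__main__":
    base, susp = build_sample_trees()
    for key, paths in diff_firmware(base, susp).items():
        print(f"{key}: {paths}")
```

In practice the two roots would be the filesystems unpacked from the vendor's published image and from the image recovered from a device; files listed under `mips32_elf` that do not exist in the vendor image are the ones worth pulling apart first, and any change to init scripts or configuration files under `etc/` deserves the same attention, since that is where an added binary would be wired in to start at boot.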
Horse Shell comes with a variety of functions, including the ability to run shell commands on the infected router, upload and download files to and from the device, and relay communication between different clients (SOCKS tunneling).
Check Point says that “the deployment method of the firmware images on the infected routers is still unclear, as well as its usage and involvement in actual intrusions,” noting that “due to its firmware-agnostic design, the implant’s components can be integrated into various firmware by different vendors.”
The theory is that the attackers likely gain access to the devices by exploiting known vulnerabilities or by targeting routers with default or weak, easily guessable passwords.
“The goal of the attackers appears to be the creation of a chain of nodes between main infections and real command and control, and if so, they would likely be installing the implant on arbitrary devices with no particular interest,” Check Point says. “It is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks. Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers.”