Attack uses a unique routing implant to target European governments
Check Point Research has released a new report which exposes the activities of a Chinese state-sponsored APT threat actor the research team is tracking under the name Camaro Dragon. The threat actor uses a custom implant to compromise a specific TP-Link router model and steal information from it, as well as provide attackers with backdoor access.
The report provides additional technical details about this cyberattack, who is affected, and how to detect and defend against the security threat.
The “Horse Shell” implant can be found in the firmware of the TP-Link router
During their analysis of Camaro Dragon, the researchers discovered a large number of files used in its attacks, two of which were TP-Link firmware images for the WR940 router model, released around 2014. These implants were found during an attack campaign that mainly targeted European foreign affairs bodies.
By comparing these files with the legitimate firmware images of the TP-Link WR940 router, Check Point discovered that the file system had been changed: four files were added to the firmware and two existing files were modified to deploy a malicious implant (Figure A).
The first discovery is that the attackers modified the legitimate SoftwareUpgradeRpm.htm file from the firmware, a page accessible through the router’s web interface that allows manual firmware upgrades (Figure B).
The modified version of the page completely hides the option to update the firmware, so the administrator can no longer update it (Figure C).
The second discovery is a modification of the /etc/rc.d/rcS file, which is part of the operating system’s startup scripts. The attackers added the execution of three of the files they placed in the firmware’s file system, so they run every time the operating system boots, ensuring the implant persists on the compromised router.
One of the files the script executes at startup is /usr/bin/shell. This file is a password-protected bind shell listening on port 14444, meaning anyone who knows the password can access the shell. A quick look at the file revealed the password (J2)3#[email protected] stored in clear text in the binary.
Another file, /usr/bin/timer, provides additional persistence: its only job is to ensure that /usr/bin/udhcp, the main implant, is running.
The main malicious implant is /usr/bin/udhcp, which Check Point Research calls the Horse Shell. The name comes from the internal data of the file. It runs in the background as a daemon on the system and provides three functions: remote shell, file transfer, and tunneling.
The last file, /usr/bin/sheel, writes and reads the C2 configuration stored on another partition of the device. The data is written to and read from the block device directly, in order to remain unnoticed by the administrator.
Once the udhcp implant executes, it collects and sends the following data to the C2 server: user and system names, operating system version and time, CPU architecture and number of CPUs, total RAM, IP and MAC addresses, the services supported by the implant (remote shell, file transfer and tunnel) and the number of active connections.
According to Check Point Research, the fact that the malware sends data about CPU architecture and support features to the threat actor suggests that attackers may have other versions that support different devices and different features.
The malware communicates with its C2 server over HTTP on port 80 and encrypts the content with a custom encryption scheme. This choice helps the traffic get through, since devices commonly use HTTP to communicate on networks and port 80 is usually not blocked by firewalls. The HTTP requests also carry special hard-coded headers that the researchers found on Chinese website-coding forums and in code repositories, including the zh-CN language code specific to China. Typos in the code also suggest that the developer may not be a native English speaker.
The tunneling feature allows attackers to create a chain of nodes in which each node is a compromised device. Each node only knows about the previous and next nodes, which makes the attackers hard to track because they can route through several different nodes to communicate with the implant. If a node is suddenly removed, the attackers can still redirect traffic to another node in the chain.
Relationships between Camaro Dragon and Mustang Panda
Check Point Research mentions the use of code found only in Chinese coding forums and the use of the zh-cn language parameter in the HTTP headers used by the implant. The researchers also mention discovering a wide range of tools used by the attacker — some of which are often associated with Chinese state-sponsored threat actors.
The group’s activities show significant overlaps with another Chinese state-sponsored APT threat, Mustang Panda. The strongest overlap observed by Check Point is that Camaro Dragon uses the same IP address as Mustang Panda on its C2 servers, but based on other undisclosed elements, the researchers suggest that “there is enough evidence that the Camaro Dragon has significant overlaps with the Mustang Panda, unfortunately we cannot say that this is a complete overlap or that these two are exactly the same group.”
In the case of Horse Shell, it’s conceivable that other threat actors will use it, especially seeing the connections between the Camaro Dragon and the Mustang Panda. It’s even possible that Mustang Panda will use it for its own operations in the future.
Router implants are a growing threat
Router implants are not very popular among attackers because they require more development skills. In the case of Horse Shell, a good knowledge of MIPS32-based operating systems was required. Owning one or more routers is also required to develop and test the code before deploying it in a real attack.
On the other hand, devices like routers are less monitored and less likely to be compromised. Router infections have nonetheless appeared repeatedly in recent years.
In 2018, the Slingshot APT attackers exploited a vulnerability in MikroTik routers to install malware on them, with the aim of infecting the router’s administrator and continuing their attack.
In 2021, the French government computer emergency response team CERT-FR reported that the Chinese threat actor APT31 (aka Judgment Panda or Zirconium) compromised small office/home office routers, mainly from Pakedge, Sophos and Cisco. The agency identified about 1,000 IP addresses used by the attacker during its campaign.
In 2022, the ZuoRAT malware, used by an unknown but suspected state-sponsored threat actor, targeted SOHO routers from ASUS, Cisco, DrayTek, and Netgear.
In 2023, the Hiatus malware struck the United States and Europe, targeting DrayTek routers used mostly by medium-sized organizations, including pharmaceutical and IT service companies, consulting firms, and governments.
Last month, the Russian threat group APT28 (aka Fancy Bear, Strontium, Pawn Storm) exploited a Cisco router vulnerability to attack US government institutions and other organizations in Europe and Ukraine.
Experts at Check Point Research express concern about router compromises, writing that “those capabilities and types of attacks are consistently of interest and focus to China-aligned threat actors.”
Experts in the field expect router compromises to increase in the future.
How to recognize this threat and protect against it
Check Point strongly recommends inspecting HTTP network communications and looking for specific HTTP headers used by the malware. These headers were shared on Chinese-language coding forums, so they may indicate an attack by threat actors other than Camaro Dragon.
The file system of TP-Link WR940 routers should be checked for the presence of the reported files and for changes to existing files.
Since the initial infection vector used to install the modified firmware on routers is still unknown, it is highly recommended to install patches and keep all software and firmware up to date, so that attackers cannot exploit a known vulnerability to compromise the device.
We recommend changing the default credentials on such devices so that attackers cannot easily log in with them; some routers ship with default credentials that are publicly known and can be used by anyone to log into the router.
Remote management of routers should only be possible from the internal network, not from the Internet.
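The comparison the researchers describe (four added files, a modified rcS that starts the implant at boot) and the file-system check recommended here, as an added example that is not part of the Check Point report or this article: it diffs an unpacked suspect firmware root against a clean one and flags the reported indicators. It assumes both images were already extracted into directory trees (for example with binwalk); the sample trees it builds are constructed placeholders, not real firmware content.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Files the report lists as added to the WR940 firmware image.
IMPLANT_FILES = ("usr/bin/shell", "usr/bin/timer", "usr/bin/udhcp", "usr/bin/sheel")
STARTUP_SCRIPT = "etc/rc.d/rcS"  # modified by the attackers to launch the implant at boot

def file_digests(root):
    """Map every regular file under root (POSIX path relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def launched_at_boot(root, names):
    """Implant paths that rcS executes (the lookahead keeps udhcp from matching udhcpc)."""
    script_path = Path(root, STARTUP_SCRIPT)
    script = script_path.read_text(errors="replace") if script_path.is_file() else ""
    return [n for n in names if re.search(re.escape("/" + n) + r"(?![\w.-])", script)]

def assess(clean_root, suspect_root):
    """Diff a suspect extracted root against a clean one and flag the reported indicators."""
    clean, suspect = file_digests(clean_root), file_digests(suspect_root)
    return {
        "added": sorted(p for p in suspect if p not in clean),
        "modified": sorted(p for p in suspect if p in clean and suspect[p] != clean[p]),
        "implant_files_present": [p for p in IMPLANT_FILES if p in suspect],
        "implant_started_by_rcS": launched_at_boot(suspect_root, IMPLANT_FILES),
    }

def build_sample_roots():
    """Constructed stand-ins for two unpacked images (placeholder content, not real firmware)."""
    base = Path(tempfile.mkdtemp())
    boot = "#!/bin/sh\n/usr/sbin/udhcpc -i eth0 &\n"
    trees = {"clean": {STARTUP_SCRIPT: boot, "usr/sbin/udhcpc": "ELF"},
             "suspect": {STARTUP_SCRIPT: boot + "/usr/bin/shell &\n/usr/bin/timer &\n/usr/bin/udhcp &\n",
                         "usr/sbin/udhcpc": "ELF", **dict.fromkeys(IMPLANT_FILES, "ELF")}}
    for name, files in trees.items():
        for rel, content in files.items():
            target = base / name / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
    return base / "clean", base / "suspect"
```

Point `assess()` at two real extracted roots to get the same report; a clean image compared with itself yields empty lists for every key.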
We recommend that you monitor router activity and check logs for anomalies and suspicious activity or unauthorized access attempts.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.