Check Point Research (CPR) has been monitoring a series of targeted cyberattacks on European foreign affairs entities, which CPR has linked to a Chinese state-sponsored Advanced Persistent Threat (APT) group it tracks as “Camaro Dragon”.
In a recent blog post, Check Point Research shared their comprehensive analysis of Camaro Dragon’s attacks, revealing a malicious firmware implant tailored for the popular TP-Link routers. Named “Horse Shell”, the custom backdoor provides attackers with full control of the infected devices and allows the threat actor to anonymize their activities and access compromised networks.
- Check Point Research discovered and analyzed a custom TP-Link firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”.
- The firmware image contained several malicious components, including a custom MIPS32 ELF implant dubbed “Horse Shell”. In addition to the implant, a passive backdoor providing attackers with a shell on infected devices was found.
- “Horse Shell”, the main implant the attackers inserted into the modified firmware, provides three main functions:
  - Remote shell
  - File transfer
  - SOCKS tunneling
- The deployment method of the firmware images is still unclear, as are their use and involvement in actual intrusions.
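The finding above (a modified firmware image carrying a MIPS32 ELF implant) is the kind of thing a defender can triage on a downloaded or extracted firmware blob. The following is an added example, not code from Check Point Research or TP-Link: it verifies a blob against a known-good SHA-256 and locates embedded ELF images, reporting their architecture from the standard ELF header fields. The firmware bytes and the hash value used in the sample are constructed for the demonstration and are not real TP-Link values.

```python
"""Firmware triage helper: verify a blob against a known-good hash and list
the ELF images embedded in it, with their architecture.

Added example. SAMPLE_FIRMWARE is constructed test data, not a real image.
"""
import hashlib
import struct
from typing import List, Optional

ELF_MAGIC = b"\x7fELF"
EI_CLASS = 4   # e_ident byte: 1 = ELFCLASS32, 2 = ELFCLASS64
EI_DATA = 5    # e_ident byte: 1 = little-endian, 2 = big-endian
EM_MIPS = 8    # e_machine value for MIPS (ELF specification)
ET_EXEC = 2    # e_type value for an executable


def parse_elf_header(data: bytes, offset: int = 0) -> Optional[dict]:
    """Parse the fields needed for triage from the ELF header at `offset`."""
    hdr = data[offset:offset + 20]
    if len(hdr) < 20 or hdr[:4] != ELF_MAGIC:
        return None
    elf_class, elf_data = hdr[EI_CLASS], hdr[EI_DATA]
    if elf_class not in (1, 2) or elf_data not in (1, 2):
        return None  # not a well-formed e_ident; skip false positives
    # e_type and e_machine are 16-bit fields at offset 16, in the file's own byte order
    fmt = ("<" if elf_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack_from(fmt, hdr, 16)
    return {
        "offset": offset,
        "bits": 32 if elf_class == 1 else 64,
        "endian": "little" if elf_data == 1 else "big",
        "e_type": e_type,
        "e_machine": e_machine,
    }


def find_elf_images(blob: bytes) -> List[dict]:
    """Return header info for every ELF image whose magic appears in `blob`."""
    found: List[dict] = []
    pos = blob.find(ELF_MAGIC)
    while pos != -1:
        info = parse_elf_header(blob, pos)
        if info:
            found.append(info)
        pos = blob.find(ELF_MAGIC, pos + 1)
    return found


def mips32_executables(blob: bytes) -> List[dict]:
    """Filter to 32-bit MIPS executables, the class of binary described above."""
    return [
        i for i in find_elf_images(blob)
        if i["bits"] == 32 and i["e_machine"] == EM_MIPS and i["e_type"] == ET_EXEC
    ]


def firmware_matches(blob: bytes, expected_sha256: str) -> bool:
    """True when the blob's SHA-256 equals the vendor-published (known-good) hash."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256.lower()


def make_elf_header(bits: int, big_endian: bool, e_type: int, e_machine: int) -> bytes:
    """Build a minimal e_ident + e_type + e_machine prefix (test data only)."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1]) + b"\x00" * 9
    return ident + struct.pack((">" if big_endian else "<") + "HH", e_type, e_machine)


# Constructed sample: filler, a MIPS32 big-endian executable header at offset 64,
# then a 64-bit little-endian shared object header (should not be flagged).
SAMPLE_FIRMWARE = (
    b"\x00" * 64 + make_elf_header(32, True, ET_EXEC, EM_MIPS) + b"\x00" * 32
    + b"\xff" * 16 + make_elf_header(64, False, 3, 62) + b"\x00" * 32
)

if __name__ == "__main__":
    for img in find_elf_images(SAMPLE_FIRMWARE):
        print(img)
    print("MIPS32 executables:", len(mips32_executables(SAMPLE_FIRMWARE)))
```

Two caveats for real use: vendor images are usually packed (compressed file systems such as SquashFS), so scan sections after extraction rather than the raw download, and the known-good hash must come from the vendor or a trusted mirror, since a hash copied from the same untrusted source as the image proves nothing.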
Not only TP-Link
The firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk. Check Point Research has emphasized the importance of updating and securing network devices against such threats.
Through their ongoing investigation, Check Point Research aims to provide a better understanding of the techniques and tactics utilized by the Camaro Dragon APT group and contribute to improving the security posture of organizations and individuals alike.
To protect against similar attacks, Check Point Research recommends network protections such as monitoring traffic for the implant's unique, hard-coded headers, regularly updating device firmware and software, and changing default login credentials on internet-connected devices.
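The first recommendation, watching traffic for fixed headers, works because a hard-coded value gives an exact-match signature with few false positives. The following added example (not code from Check Point Research) shows that check as a small detection routine over HTTP-style request headers. The indicator names and values and the captured requests are constructed placeholders; this page does not list the actual Horse Shell header values, so substitute the published indicators when deploying.

```python
"""Flag requests whose headers carry configured hard-coded indicator values.

Added example. INDICATORS and SAMPLE_REQUESTS are constructed placeholders.
"""
from typing import Dict, List, Optional, Tuple

# Placeholder indicators: header name (lower-case) -> exact value, or None for
# "presence of the header alone is enough".
INDICATORS: Dict[str, Optional[str]] = {
    "x-placeholder-implant": None,
    "user-agent": "PLACEHOLDER-FIXED-UA/1.0",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request into a {lower-name: value} header map."""
    headers: Dict[str, str] = {}
    lines = raw.split("\r\n")
    for line in lines[1:]:          # skip the request line
        if line == "":               # blank line ends the header block
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def match_indicators(raw: str, indicators: Dict[str, Optional[str]] = INDICATORS) -> List[str]:
    """Return the indicator header names present in the request."""
    headers = parse_headers(raw)
    hits = []
    for name, value in indicators.items():
        if name in headers and (value is None or headers[name] == value):
            hits.append(name)
    return hits


def scan(records: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Scan (source_ip, raw_request) records; return only those with hits."""
    results = []
    for src, raw in records:
        hits = match_indicators(raw)
        if hits:
            results.append((src, hits))
    return results


# Constructed captures: one ordinary request, one carrying the placeholder header,
# and one whose User-Agent is similar but not the hard-coded value (no match).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("10.0.0.9", "POST /c HTTP/1.1\r\nHost: example.test\r\nX-Placeholder-Implant: 1\r\n"
                 "User-Agent: PLACEHOLDER-FIXED-UA/1.0\r\n\r\nbody"),
    ("10.0.0.7", "GET /a HTTP/1.1\r\nHost: example.test\r\nUser-Agent: PLACEHOLDER-FIXED-UA/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_REQUESTS):
        print(f"alert: {src} matched {hits}")
```

Run this against egress captures from the segment where the routers sit; a match on a hard-coded value should page on its own, while a near-miss (such as the third sample) is worth logging but not alerting on.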
Itay Cohen, Research Lead at Check Point Research, said: “The ‘Horse Shell’ router implant is an intricate piece of malicious firmware that showcases the advanced capabilities of the Chinese state-sponsored attackers. Through analyzing this implant, we can gain valuable insights into the tactics and techniques used by these attackers, which can ultimately contribute to better understanding and defending against similar threats in the future.
The firmware-agnostic nature of the implanted components suggests that a wide range of devices and vendors could potentially be at risk. It is crucial for organizations and individuals to maintain vigilance by updating their network devices regularly and implementing strong security measures to combat such advanced threats.”