Check Point Research released a new report that exposes the activities of a Chinese state-sponsored APT threat actor the research team tracks as Camaro Dragon. The threat actor uses a custom implant to compromise a specific TP-Link router model and steal information from it, as well as provide backdoor access to the attackers.
The report provides additional technical details about this cyberattack, who is impacted and how to detect and protect against this security threat.
“Horse Shell” implant found in TP-Link router firmware
During their analysis of Camaro Dragon, the researchers discovered a large number of files used in their attacks, with two of them being TP-Link firmware images for the WR940 router model released around 2014. Those implants were found in an attack campaign targeted mainly at European Foreign Affairs entities.
By comparing those files to legitimate firmware images for the TP-Link WR940 router, Check Point discovered that the file system has been altered, with four files added to the firmware and two files modified in order to execute a malicious implant (Figure A).
The first discovery reveals the attackers modified the SoftwareUpgradeRpm.htm legitimate file from the firmware, which is accessible via the router’s web interface and allows manual firmware upgrades (Figure B).
The modified version of the page completely hides the firmware upgrade option so the administrator cannot upgrade it anymore (Figure C).
The second discovery is the modification of the file /etc/rc.d/rcS that is part of the operating system’s startup scripts. The attackers added the execution of three of the files they added on the firmware’s file system so it would be executed each time the operating system restarts, ensuring the persistence of the implant on the compromised router.
One file to be executed at boot time by the script is /usr/bin/shell. This file is a password-protected bind shell on port 14444, which means it is possible to get access to this shell by providing it with a good password. A quick examination of the file revealed the password (J2)3#4G@Iie), stored in clear text in the file.
Another file, /usr/bin/timer, provides an additional layer of persistence for the attackers as its sole role is to ensure that /usr/bin/udhcp is running, with this file being the main implant.
The main malicious implant is /usr/bin/udhcp, dubbed Horse Shell by Check Point Research. The name comes from the file’s internal data. It runs in the background as a daemon on the system and provides three functionalities: remote shell, file transfer and tunneling.
One last file, /usr/bin/sheel, is in charge of writing and reading a C2 configuration it stores in another partition of the device. The data is written and read directly from a block device in an obvious effort to stay undetected or spotted by an administrator.
Once the udhcp implant is executed, it collects and sends data to its C2 server: user and system names, operating system version and time, CPU architecture and number of CPUs, total RAM, IP and MAC addresses, features supported by the implant (remote shell, file transfer and tunneling) and the number of active connections.
According to Check Point Research, the fact that the malware sends data related to the CPU architecture and support functionalities to the threat actor suggests the attackers might have other versions supporting different devices and different sets of functionalities.
The malware communicates with its C2 server by using the HTTP protocol on port 80, encrypting the content with a custom encryption scheme. The use of this method guarantees the data can be transmitted as devices usually use such a method to communicate on networks and the port 80 is typically not blocked by firewalls. The HTTP content also has specific hard-coded headers that the researchers found on coding forums and repositories from Chinese websites and includes the language code zh-CN specific to China. In addition, typos in the code indicate the developer might not be a native English speaker.
The tunneling functionality allows the attackers to create a chain of nodes, with each node being a compromised device. Every node only had information about the previous and next nodes, so it makes it harder to track the attackers as they might use several different nodes for communicating with the implant. Also, in case one node is suddenly removed, the attacker can still route traffic through a different node in the chain.
Ties between Camaro Dragon and Mustang Panda
Check Point Research mentions the use of code found in Chinese coding forums only and the use of a zh-cn language parameter in HTTP headers used by the implant. The researchers also mention the discovery of a wide variety of tools used by the attacker — some of them being commonly associated with Chinese state-sponsored threat actors.
The group activity has significant overlaps with another Chinese state-sponsored APT threat actor dubbed Mustang Panda. The strongest overlap as observed by Check Point consists of Camaro Dragon using the same IP address as Mustang Panda for C2 servers, but other non-disclosed elements make the researcher indicate that “there is enough evidence to suggest that Camaro Dragon has significant overlaps with Mustang Panda, alas we can’t say that this is a full overlap or that these two are the exact same group.”
In the case of Horse Shell, it is possible that other threat actors will use it, especially seeing the ties between Camaro Dragon and Mustang Panda. It is even possible that Mustang Panda might use it in the future for their own operations.
Router implants are a growing threat
Router implants are not very popular for attackers because they require more developing skills. In the Horse Shell case, it needed good knowledge of MIPS32-based operating systems. It is also needed to own one or several of the routers in order to develop and test the code prior to deploying it in a real attack.
On the other hand, devices such as routers are less monitored and less expected to be compromised. In recent years, router infections have appeared.
In 2018, with the Slingshot APT, attackers exploited a vulnerability in Mikrotik routers to plant malware on it with the goal of infecting the router administrator and moving forward with their attack.
In 2021, the French governmental computer emergency response team CERT-FR reported about Chinese threat actor APT31 (aka Judgment Panda or Zirconium) using compromised small office/home office routers, mainly from Pakedge, Sophos and Cisco. The agency discovered about 1,000 IP addresses used by the attacker during its attack campaign.
In 2022, the ZuoRAT malware used by an unknown yet possibly state-sponsored threat actor targeted SOHO routers from ASUS, Cisco, DrayTek and Netgear.
In 2023, the Hiatus malware struck the U.S. and Europe, targeting routers from DrayTek mostly used by medium-sized organizations, including companies in pharmaceuticals and IT services, consulting firms and governments.
Last month, Russian threat actor APT28 (aka Fancy Bear, Strontium, Pawn Storm) exploited a Cisco router vulnerability to target U.S. government institutions and other organizations in Europe and Ukraine.
Experts from Check Point Research express their concern about router compromises and write that “such capabilities and types of attacks are of consistent interest and focus of Chinese-affiliated threat actors.”
Experts in the field expect router compromises to increase in the future.
How to detect this threat and protect from it
Check Point strongly advises to check HTTP network communications and hunt for the specific HTTP headers used by the malware. Those headers have been shared in Chinese-speaking coding forums, so it might also indicate an attack from threat actors other than Camaro Dragon.
The TP-Link file system on WR940 router devices should be checked for the presence of the reported files and modifications of the existing files.
As the initial infection to install the modified firmware on routers remains unknown, it is strongly advised to always deploy patches and keep all software and firmware up to date to avoid being compromised by attackers triggering a common vulnerability.
It is advised to change the default credentials on such devices so attackers cannot just log in with it, as some routers are configured with default credentials, which are publicly known and could be used by anyone to log in to the router.
Remote management of routers should only be done from the internal network; it should not be accessible from the internet.
It is advised to monitor router activity and check logs for anomalies and suspicious activity or unauthorized access attempts.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.