Check Point Research (CPR) has been tracking a series of targeted cyber-attacks on European foreign affairs entities that have been linked to the Chinese state-sponsored Advanced Persistent Threat Group (APT), which CPR has dubbed “Camaro Dragon".
In a recent blog post, Check Point Research shared their comprehensive analysis of the Camaro Dragon attacks, revealing a malicious firmware patch tailored for popular TP-Link routers. The custom backdoor named “Horse Shell” gives attackers full control over infected devices and allows the threat actor to anonymize their activities and gain access to compromised networks.
Highlights:
- Check Point Research discovered and analyzed a custom TP-Link firmware image linked to Chinese state-sponsored actors named “Camaro Dragon”.
- The firmware image contained various malicious components, including a custom MIPS32 ELF implant named “Horse Shell”. In addition to the implant, a passive backdoor was also found that provides attackers with a shell on infected Appliances.
- “Horse Shell”, the main implant inserted into modified firmware by attackers, provides the attacker with 3 main functions:
- File Transfer
- SOCKS tunneling
- Remote shell
- The method of developing the firmware images is still unclear, as well as its use and involvement in actual hacks.
Not just TP-Link
Η discovery of the nature of embedded components regardless of firmware indicates that a wide range of devices and vendors may be at risk. Check Point Research has emphasized the importance of keeping network devices informed and secure from potential threats.
Protection
Through ongoing research, Check Point Research aims to better understand the techniques and tactics used by the Camaro Dragon APT team and help improve the security posture of both organizations and individuals.
To protect against similar attacks, Check Point Research recommends network protections such as monitoring traffic with unique hard-coded headers code, regularly updating device firmware and software, and changing default login credentials on internet-connected devices.
Comment: Itay Cohen, head research in Check Point Research:
“The “Horse Shell” router implant is a sophisticated piece of malware that showcases the advanced capabilities of state-sponsored Chinese attackers. Through the analysis of this implant, we can gain valuable insights into the tactics and techniques used by these attackers, which can ultimately contribute to a better understanding and defense against similar threats in the future.
The nature of embedded components regardless of firmware means that a wide range of devices and vendors could potentially be at risk. It is vital for organizations and individuals to remain vigilant by regularly updating their network devices and implementing strong security measures to combat such advanced threats.”
