Camaro Dragon Hacker Group Attack TP-Link Routers to Deploy Remote Shells

Recently, the cybersecurity experts at Checkpoint identified that the Chinese state-sponsored group “Camaro Dragon” employs a custom “Horse Shell” malware embedded in TP-Link routers’ firmware to target European foreign affairs organizations, leveraging residential networks for their attacks.

The attack targets regular residential and home networks, indicating that infecting a home router does not imply the homeowner was a specific target, but rather a pipe for the attackers’ objectives.

The malware grants threat actors complete device control, enabling them to execute commands, transfer files, and utilize it as a SOCKS proxy for communication relay.

Infection chain

Check Point Research discovered the Horse Shell TP-Link firmware implant in January 2023, revealing its connection to the Chinese “Mustang Panda” hacking group.

Despite significant overlaps, Check Point Research identifies the activity cluster separately as “Camaro Dragon,” even though it shares traits with the “Mustang Panda” hacking group.

The attribution of the “Camaro Dragon” hacking group was determined by analyzing server IP addresses, hard-coded HTTP headers, typos in the binary code, and similarities between the trojan and the APT31 “Pakdoor” router implant.

The method used by the attackers to infect the router devices with their malicious implant remains unclear, but it is speculated that they exploited known vulnerabilities or targeted devices with default or weak passwords.

The attackers aim to establish a chain of nodes between main infections and real C&C, which could entail the installation of the implant on devices without any specific target.

Malicious Implant

Check Point discovered two trojanized firmware images for TP-Link routers during their investigation, revealing that once an attacker obtains admin access to the management interface, they get the ability to update the device easily with a custom malicious firmware image remotely with several illicit modifications.

The malicious TP-Link firmware was found to have a custom SquashFS filesystem containing additional malicious files, while its kernel and uBoot sections were identical to the legitimate version.

The entire implant is named after its internal component called Horse Shell and offers the attacker three main functionalities. Here below we have mentioned those three functionalities:-

• Remote shell
• File transfer
• Tunneling

The modified firmware restricts the device owner from updating the router’s firmware through the management web panel, thereby ensuring the infection remains persistent.

Upon initialization, the Horse Shell backdoor implant directs the operating system to run as a daemon in the background and ignore termination commands such as:-

• SIGPIPE
• SIGINT
• SIGABRT

Upon connecting to the C2 server, the backdoor will then send the victim’s specific machine profile to the C2 server including the following details:-

• User name
• OS version
• Time
• Device information
• IP address
• MAC address
• Supported implant features

Although there are notable malware such as Mirai and Linux-based botnets, router implants are not widely prevalent or highly active in the cybersecurity landscape.

The backdoor implant effectively incorporates various open-source libraries, including Telnet for the remote shell, libev for event handling, and TOR’s smart list for list containers, with HTTP headers sourced from open-source repositories.

Recommendation

Moreover, to enhance security, it is recommended that users follow these key things:-

• Update their router’s firmware.
• Strengthen the admin password.
• Make sure to disable remote access to the admin panel.
• Make sure to allow access only within the local network.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus