• The Dragon Who Sold His Camaro: Analyzing Custom Router Implant

    https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/

    Over the past few months, Check Point Research has closely monitored a series of targeted attacks aimed at European foreign affairs entities. These campaigns have been linked to a Chinese state-sponsored APT group we track as Camaro Dragon, which shares similarities with previously reported activities conducted by state-sponsored Chinese threat actors, namely Mustang Panda.

    Our comprehensive analysis of these attacks has uncovered a malicious firmware implant tailored for TP-Link routers. The implant features several malicious components, including a custom backdoor named “Horse Shell” that enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks.

    Due to its firmware-agnostic design, the implant’s components can be integrated into various firmware by different vendors.

    • #2560151

      The deployment method of the firmware images on the infected routers is still unclear

      If you have turned off remote management then it’s very unlikely you will be attacked, unless the bad guys have physical access.

      for the TP-Link router model WR940N

      A cheap consumer-level device.
      What governments are using such poorly secured devices for their foreign outposts? Only those who want to be hacked!

      cheers, Paul
