Hackers Infect Firmware Of TP-Link Routers To Attack EU Entities

Residential TP-Link routers are being infected with the “Horse Shell” malware, developed by the “Camaro Dragon” hacking group. “Camaro Dragon” is backed by the Chinese government and targets European foreign policy institutions.

The backdoor is bundled into malicious firmware images built specifically for TP-Link routers, which lets the attackers launch attacks that appear to originate from ordinary home networks. The Check Point Research report states, “It is important to note that this kind of attack is not specifically targeted at sensitive networks, but rather at regular residential and home networks.”

Therefore, an infected household wireless router does not necessarily mean the owner was a specific target. It may simply mean that their equipment served as a stepping stone the attackers used to reach their actual goals.

Once deployed, the implant gives the threat actors full access to the device: they can run shell commands, use the router as a SOCKS proxy to relay traffic between devices, and upload and download files.

The Horse Shell malicious TP-Link firmware implant was uncovered in January 2023 by Check Point Research, which tracks this activity under the name “Camaro Dragon”.

Attribution was based on the attackers’ server IP addresses, numerous typos in the binary code indicating that the author is not a native English speaker, requests with hard-coded HTTP headers that were found on various Chinese websites, and similarities between the trojan’s functionality and the APT31 “Pakdoor” router implant.

Know more about the TP-Link firmware implant

Although Check Point Research has not identified how the attackers infected the TP-Link routers, it notes that this could be done by exploiting a vulnerability or by brute-forcing the administrator credentials. Once a threat actor has admin control of the management interface, they can remotely update the device with a custom firmware image.

During its investigation, Check Point Research (CPR) found two trojanized firmware image samples. Both contained extensive additions and modifications. CPR then compared the malicious TP-Link firmware images with a legitimate version.

They found that the uBoot and kernel sections were identical in both. However, the infected firmware used a customized SquashFS file system containing additional malicious files that make up the Horse Shell implant.
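The section-level comparison CPR describes (boot and kernel identical, root file system altered) can be scripted, as in this added example, which is not code from the Check Point report or from this article. It hashes the region before the SquashFS superblock (U-Boot plus kernel) separately from the SquashFS region, so a modified root file system stands out while unchanged boot sections still match. The SquashFS magic values and the superblock’s bytes_used field are real; the sample images, their contents and the section names are constructed for the demonstration.

```python
"""Section-level comparison of a known-good and a suspect router firmware image."""
import hashlib
import struct

# Real SquashFS superblock magics: "hsqs" = little-endian, "sqsh" = big-endian (common on MIPS routers).
SQUASHFS_MAGICS = {b"hsqs": "<", b"sqsh": ">"}
SUPERBLOCK_LEN = 96  # real SquashFS 4.x superblock size


def find_squashfs(image: bytes):
    """Locate the first SquashFS superblock and bound it with its own bytes_used field (offset 40, u64)."""
    for magic, endian in SQUASHFS_MAGICS.items():
        off = image.find(magic)
        if off != -1 and off + 48 <= len(image):
            (bytes_used,) = struct.unpack(endian + "Q", image[off + 40 : off + 48])
            return off, min(bytes_used, len(image) - off)
    return None


def split_sections(image: bytes) -> dict:
    """Split an image into boot+kernel, the SquashFS root file system, and any trailing data."""
    found = find_squashfs(image)
    if found is None:
        return {"whole": image}
    off, length = found
    return {
        "boot_and_kernel": image[:off],
        "squashfs": image[off : off + length],
        "trailer": image[off + length :],
    }


def compare_firmware(known_good: bytes, suspect: bytes) -> dict:
    """Return per-section verdicts by comparing SHA-256 digests of each section."""
    good, sus = split_sections(known_good), split_sections(suspect)
    verdict = {}
    for name in sorted(set(good) | set(sus)):
        h_good = hashlib.sha256(good.get(name, b"")).hexdigest()
        h_sus = hashlib.sha256(sus.get(name, b"")).hexdigest()
        verdict[name] = "identical" if h_good == h_sus else "DIFFERS"
    return verdict


def fake_squashfs(payload: bytes, endian: str = "<") -> bytes:
    """Constructed SquashFS-like section: a minimal superblock with a valid bytes_used, then fake content."""
    magic = b"hsqs" if endian == "<" else b"sqsh"
    header = magic + b"\x00" * 36 + struct.pack(endian + "Q", SUPERBLOCK_LEN + len(payload))
    return header + b"\x00" * (SUPERBLOCK_LEN - len(header)) + payload


# Constructed sample images: identical boot+kernel blob, root file system with one extra file in the suspect.
BOOT_AND_KERNEL = b"CONSTRUCTED-UBOOT-AND-KERNEL-BLOB" * 4
GOOD_IMAGE = BOOT_AND_KERNEL + fake_squashfs(b"/bin/busybox /etc/init.d/rcS")
SUSPECT_IMAGE = BOOT_AND_KERNEL + fake_squashfs(b"/bin/busybox /etc/init.d/rcS /usr/bin/implant")
```

Real vendor images may carry a proprietary header before U-Boot and more than one partition, so on a real device dump the magic search is a starting point, not a complete parser.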

The infected TP-Link firmware also modifies the web-based management panel so that the router’s owner cannot flash a new firmware image. This is how the attackers ensure the infection persists once the malicious image is installed.