Chinese state-sponsored attack uses custom router implant to target European governments

Learn technical details about this cyberattack, as well as Check Point Research's tips on how to detect and protect against this security threat.

Check Point Research released a new report that exposes the activities of a Chinese state-sponsored APT threat actor the research team tracks as Camaro Dragon. The threat actor uses a custom implant to compromise a specific TP-Link router model and steal information from it, as well as provide backdoor access to the attackers. The report provides additional technical details about this cyberattack, who is impacted and how to detect and protect against this security threat.

- "Horse Shell" implant found in TP-Link router firmware
- Ties between Camaro Dragon and Mustang Panda
- How to detect this threat and protect from it

"Horse Shell" implant found in TP-Link router firmware

During their analysis of Camaro Dragon, the researchers discovered a large number of files used in their attacks, two of them being TP-Link firmware images for the WR940 router model, released around 2014. By comparing those files to legitimate firmware images for the TP-Link WR940 router, Check Point discovered that the file system had been altered, with four files added to the firmware and two files modified in order to execute a malicious implant (Figure A). Those implants were found in an attack campaign targeted mainly at European Foreign Affairs entities.

Figure A: Files used by the malicious implant.

The first discovery reveals that the attackers modified the legitimate SoftwareUpgradeRpm.htm file from the firmware, which is accessible via the router's web interface and allows manual firmware upgrades (Figure B).

Figure B: Legitimate SoftwareUpgradeRpm.htm web page.

The modified version of the page completely hides the firmware upgrade option, so the administrator can no longer upgrade the firmware (Figure C).

Figure C: Modified SoftwareUpgradeRpm.htm web page.

The second discovery is the modification of the file /etc/rc.d/rcS, which is part of the operating system's startup scripts. The attackers added the execution of three of the files they had added to the firmware's file system, so that they are executed each time the operating system restarts, ensuring the persistence of the implant on the compromised router.

One file executed at boot time by the script is /usr/bin/shell. This file is a password-protected bind shell on port 14444, which means it is possible to gain access to this shell by providing the correct password. A quick examination of the file revealed the password stored in clear text in the file.

Another file, /usr/bin/timer, provides an additional layer of persistence for the attackers, as its sole role is to ensure that /usr/bin/udhcp, the main implant, is running.

The main malicious implant is /usr/bin/udhcp, dubbed Horse Shell by Check Point Research. The name comes from the file's internal data. It runs in the background as a daemon on the system and provides three functionalities: remote shell, file transfer and tunneling.

One last file, /usr/bin/sheel, is in charge of writing and reading a C2 configuration that it stores in another partition of the device. The data is written and read directly from a block device, in an obvious effort to avoid being detected or spotted by an administrator.

Once the udhcp implant is executed, it collects and sends data to its C2 server: user and system names, operating system version and time, CPU architecture and number of CPUs, total RAM, IP and MAC addresses, features supported by the implant (remote shell, file transfer and tunneling) and the number of active connections.

The malware communicates with its C2 server using the HTTP protocol on port 80, encrypting the content with a custom encryption scheme. The use of this method ensures the data can be transmitted, as devices commonly communicate this way on networks and port 80 is typically not blocked by firewalls. The HTTP content also has specific hard-coded headers that the researchers found on coding forums and repositories on Chinese websites, and it includes the language code zh-CN, specific to China.

According to Check Point Research, the fact that the malware sends data about the CPU architecture and supported functionalities to the threat actor suggests the attackers might have other versions supporting different devices and different sets of functionalities.
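The comparison Check Point performed, a legitimate image against the suspect one, can be reproduced by a defender once both firmware images are extracted to directories. The following Python script is an added example, not code from the article or from Check Point: it hashes every file in both trees, reports added, removed and modified paths, and lists startup-script lines present in the suspect /etc/rc.d/rcS that the reference lacks. The directory layout and all file contents are constructed stand-ins, not real firmware data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for two extracted images (not real firmware contents): the suspect
# tree mirrors the article, with four added files and rcS plus the upgrade page modified.
SAMPLE_REF = {
    "etc/rc.d/rcS": "#!/bin/sh\n/sbin/httpd\n",
    "web/SoftwareUpgradeRpm.htm": "<input type=file name=upgrade>\n",
    "bin/busybox": "busybox stand-in\n",
}
SAMPLE_SUS = {**SAMPLE_REF,
    "etc/rc.d/rcS": "#!/bin/sh\n/sbin/httpd\n/usr/bin/shell &\n/usr/bin/timer &\n/usr/bin/udhcp &\n",
    "web/SoftwareUpgradeRpm.htm": "<!-- upgrade form removed -->\n",
    "usr/bin/shell": "bind shell stand-in\n", "usr/bin/timer": "watchdog stand-in\n",
    "usr/bin/udhcp": "implant stand-in\n", "usr/bin/sheel": "c2 config stand-in\n",
}

def _hash_tree(root):
    """Map each relative path under root to the SHA-256 of its contents (symlinks skipped)."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if not full.is_symlink():
                digests[full.relative_to(root).as_posix()] = hashlib.sha256(full.read_bytes()).hexdigest()
    return digests

def diff_firmware(reference_dir, suspect_dir):
    """Return added, removed and modified paths of the suspect image relative to the reference."""
    ref, sus = _hash_tree(Path(reference_dir)), _hash_tree(Path(suspect_dir))
    return {"added": sorted(set(sus) - set(ref)),
            "removed": sorted(set(ref) - set(sus)),
            "modified": sorted(p for p in ref.keys() & sus.keys() if ref[p] != sus[p])}

def new_startup_entries(reference_dir, suspect_dir, script="etc/rc.d/rcS"):
    """Non-comment lines in the suspect startup script that the reference script lacks."""
    def entries(root):
        path = Path(root) / script
        text = path.read_text(errors="replace") if path.exists() else ""
        return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")}
    return sorted(entries(suspect_dir) - entries(reference_dir))

def build_sample_trees():
    """Write the constructed sample images to a temp dir; returns (reference_dir, suspect_dir)."""
    base = Path(tempfile.mkdtemp(prefix="fw_diff_"))
    for sub, contents in (("ref", SAMPLE_REF), ("sus", SAMPLE_SUS)):
        for rel, data in contents.items():
            (base / sub / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / sub / rel).write_text(data)
    return base / "ref", base / "sus"
```

On a real image, point `diff_firmware` and `new_startup_entries` at the two extracted root directories instead of the sample trees; any path in "added" or "modified" under /usr/bin or /etc/rc.d deserves a closer look.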