What just happened? A Chinese state-sponsored group is running a new, sophisticated cyber-espionage campaign against sensitive European targets, and the attackers are covering their tracks by routing traffic through infected routers belonging to unwitting home users. The routers identified so far are TP-Link models, but the implant is not tied to that vendor and could spread to other devices.

Check Point researchers have uncovered yet another advanced persistent threat (APT) operation, run by a Chinese state-sponsored group they track as "Camaro Dragon." The activity, which largely overlaps with operations previously attributed to the "Mustang Panda" crew, hides its command-and-control traffic behind TP-Link routers infected with a custom malicious firmware image.

The Camaro Dragon group targeted organizations and individuals related to European foreign affairs, Check Point explains, with "significant infrastructure overlap" with the Mustang Panda group. During their investigation, the researchers discovered a malicious firmware implant designed to work on routers manufactured by TP-Link, with several components including a custom backdoor named "Horse Shell."

The backdoor has three main functions: a remote shell for executing commands on the infected device, file transfer for uploading and downloading files, and relaying of traffic between infected devices over the SOCKS5 protocol. The SOCKS5 component can proxy TCP connections to an arbitrary IP address, forward UDP packets, and, by daisy-chaining infected devices, mask both the origin and the destination of an encrypted connection.
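To make the relay chaining described above concrete, here is an added example that is not part of the original article and is not Horse Shell's code: a minimal, no-authentication SOCKS5 (RFC 1928) CONNECT relay written in Python, plus a client that chains two such relays in front of a target. Every address, port and the `seen-from-port` message are constructed for the demo, and everything runs on 127.0.0.1 with ephemeral ports. The real implant also forwards UDP, which is not shown here.

```python
import socket
import threading

# Added example, not Horse Shell's code: a minimal no-auth SOCKS5 (RFC 1928) CONNECT
# relay and a client that chains two relays. Everything runs on 127.0.0.1.
SOCKS_VER, CMD_CONNECT, ATYP_IPV4 = 5, 1, 1

def recv_exact(sock, n):
    """recv() may return short reads; collect exactly n bytes or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf

def build_connect_request(host, port):
    """VER CMD RSV ATYP DST.ADDR DST.PORT for an IPv4 literal."""
    return (bytes([SOCKS_VER, CMD_CONNECT, 0, ATYP_IPV4]) + socket.inet_aton(host)
            + port.to_bytes(2, "big"))

def read_connect_request(sock):
    """Parse a CONNECT request off the wire; returns (host, port)."""
    ver, cmd, _rsv, atyp = recv_exact(sock, 4)
    if ver != SOCKS_VER or cmd != CMD_CONNECT or atyp != ATYP_IPV4:
        raise ValueError("not an IPv4 SOCKS5 CONNECT")
    host = socket.inet_ntoa(recv_exact(sock, 4))
    return host, int.from_bytes(recv_exact(sock, 2), "big")

def _pump(src, dst):
    # Copy one direction until EOF, then close the far side.
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        dst.close()

def _serve(handler):
    # Listen on an ephemeral port; each accepted connection gets its own thread.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handler, args=(conn, peer), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def start_socks_relay():
    """Returns (port, log); log holds (peer port seen, outbound port used) per session."""
    log = []
    def handle(client, peer):
        ver, nmethods = recv_exact(client, 2)
        if ver != SOCKS_VER or 0 not in recv_exact(client, nmethods):
            client.sendall(bytes([SOCKS_VER, 0xFF]))      # no acceptable method
            return client.close()
        client.sendall(bytes([SOCKS_VER, 0]))             # NO AUTHENTICATION chosen
        upstream = socket.create_connection(read_connect_request(client))
        log.append((peer[1], upstream.getsockname()[1]))
        client.sendall(bytes([SOCKS_VER, 0, 0, ATYP_IPV4]) + b"\0" * 6)  # succeeded
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
    return _serve(handle), log

def start_target():
    # Final destination: tells the caller which source port it saw, then hangs up.
    def handle(conn, peer):
        conn.sendall(b"seen-from-port %d" % peer[1])
        conn.close()
    return _serve(handle)

def socks_connect(sock, host, port):
    """Run the SOCKS5 handshake so an open socket to a relay now leads to host:port."""
    sock.sendall(bytes([SOCKS_VER, 1, 0]))                # offer NO AUTHENTICATION
    if recv_exact(sock, 2) != bytes([SOCKS_VER, 0]):
        raise RuntimeError("relay rejected our auth methods")
    sock.sendall(build_connect_request(host, port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != SOCKS_VER or rep != 0:
        raise RuntimeError("CONNECT failed, reply code %d" % rep)
    n = 4 if atyp == ATYP_IPV4 else 16 if atyp == 4 else recv_exact(sock, 1)[0]
    recv_exact(sock, n + 2)                               # discard BND.ADDR, BND.PORT

def connect_through_chain(hops, target):
    # Same socket, one CONNECT per hop: hop N only ever learns about hop N-1 and N+1.
    sock = socket.create_connection(hops[0])
    for host, port in hops[1:] + [target]:
        socks_connect(sock, host, port)
    return sock

def demo():
    # Client -> hop1 -> hop2 -> target; report what each party observed.
    target_port = start_target()
    hop1_port, hop1_log = start_socks_relay()
    hop2_port, hop2_log = start_socks_relay()
    sock = connect_through_chain([("127.0.0.1", hop1_port), ("127.0.0.1", hop2_port)],
                                 ("127.0.0.1", target_port))
    client_port = sock.getsockname()[1]
    data = sock.makefile("rb").read()
    sock.close()
    return {"client_port": client_port, "target_saw": int(data.split()[-1]),
            "hop1_saw": hop1_log[0][0], "hop1_out": hop1_log[0][1],
            "hop2_saw": hop2_log[0][0], "hop2_out": hop2_log[0][1]}
```

Calling `demo()` returns a dictionary in which `hop1_saw` equals the client's port, `hop2_saw` equals the port hop1 used outbound, and `target_saw` equals the port hop2 used outbound: the destination only ever sees the last relay, and each relay only sees its neighbours, which is exactly why an investigator who seizes the final hop ends up looking at a home router rather than at the operators. The same property means a SOC that spots one of these relays in its logs cannot attribute the traffic from that hop alone.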

Thanks to this malicious firmware, the Camaro Dragon operators can hide their real command-and-control servers by using infected home devices as relay nodes rather than as targets in their own right. Check Point notes that while Horse Shell was found on the attacking infrastructure, the ultimate victims of the router implant are still unknown.

The researchers also do not know how the attackers initially infected the routers with the malicious firmware, though the likely route is internet-wide scanning for known vulnerabilities or weak or default login credentials. Furthermore, although the components found were built for TP-Link routers, they are largely firmware-agnostic and could be repurposed to attack a wider range of devices and manufacturers.

Check Point Research says the discovery of Camaro Dragon's implant for TP-Link routers underlines the need for protective measures against similar attacks. The company's recommendations for detecting and preventing malicious firmware installations include regularly installing firmware updates for home and SOHO routers, changing the default credentials on any device exposed to the internet, and using stronger passwords and multi-factor authentication wherever the device supports them.