Check Point Research (CPR) reveals a malicious firmware implant for TP-Link routers, containing various harmful components, including a customized backdoor named “Horse Shell”

Recently, Check Point Research (CPR) investigated a sequence of targeted cyberattacks against European foreign affairs entities and attributed them to a Chinese state-sponsored Advanced Persistent Threat (APT) group dubbed “Camaro Dragon” by CPR.

This activity has significant infrastructure overlaps with activities publicly linked to “Mustang Panda”. The investigation discovered a malicious firmware implant created for TP-Link routers containing various harmful components, including a customized backdoor named “Horse Shell”, which enabled attackers to take full control of the infected device, remain undetected, and access compromised networks.

The attack

CPR investigated a campaign aimed mainly at European foreign affairs entities. Although the researchers found Horse Shell on the attackers' infrastructure, they could not determine who the victims of the router implant were.

Historically, router implants have often been installed on arbitrary devices that are of no particular interest in themselves, in order to build a chain of relay nodes between the main infections and the real command-and-control infrastructure. In other words, an infected home router does not mean the homeowner was specifically targeted; the device is simply a means to an end.

How the attackers infected the routers with their implant is not known. They most likely gained access either by scanning for devices with known vulnerabilities or by targeting devices that still used default or weak, easily guessed passwords for authentication.

CPR’s findings not only improve the understanding of the Camaro Dragon group and its toolset, but also give the broader cybersecurity community knowledge it needs to recognise and defend against similar threats in the future.

Not only TP-Link

The implanted components are firmware-agnostic, which indicates that a wide range of devices and vendors, not only TP-Link, may be at risk.

The researchers share their findings in the hope that they will help improve the security posture of organizations and individuals alike, and advise users to keep their network devices updated and secured and to watch for any suspicious activity on their networks.

The discovery of Camaro Dragon’s malicious implant for TP-Link routers highlights the importance of taking protective measures against similar attacks. Recommendations for detection and protection include:

    • Software updates: Regularly updating the firmware and software of routers and other devices is crucial for closing known vulnerabilities that attackers exploit to gain a foothold.
    • Default credentials: Change the default login credentials of any device connected to the internet to strong, unique passwords, and use multi-factor authentication wherever the device supports it. Attackers routinely scan the internet for devices that still use default or weak credentials.
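The two points above (the likely initial access via default or weak passwords, and the recommendation to change default credentials) can be turned into a simple fleet audit. The script below is an added example and is not Check Point's or TP-Link's code. It assumes the router admin page uses HTTP Basic authentication and answers 200 on a valid login and 401 otherwise; the credential list and the two mock "routers" it starts on localhost are constructed for the example so that it runs offline. The device names, URLs and the `audit_*` helpers are hypothetical.

```python
"""Audit router management interfaces for default/weak HTTP credentials.

Added example, not CPR's code. Assumption: the admin interface uses HTTP
Basic auth and returns 200 for a valid login, 401 for an invalid one.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample of vendor-default credentials (assumption: in a real
# audit, use the documented defaults for the models in your own fleet).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
]


def audit_device(base_url, creds=DEFAULT_CREDENTIALS, timeout=3.0):
    """Return the first (user, password) pair the device accepts, or None."""
    for user, password in creds:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = Request(base_url, headers={"Authorization": f"Basic {token}"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    return (user, password)  # default credential still works
        except HTTPError as err:
            if err.code in (401, 403):
                continue  # rejected: try the next pair
            raise  # anything else is a real error, not a failed login
    return None


def audit_fleet(urls, creds=DEFAULT_CREDENTIALS):
    """Map each management URL to the accepted default pair, or None if clean."""
    return {url: audit_device(url, creds) for url in urls}


# --- Constructed mock admin pages so the audit can run offline --------------
def _make_handler(valid_user, valid_password):
    expected = base64.b64encode(f"{valid_user}:{valid_password}".encode()).decode()

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization", "") == f"Basic {expected}":
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"<html>Router admin</html>")
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="router"')
                self.end_headers()

        def log_message(self, *args):  # keep the mock quiet
            pass

    return Handler


def start_mock_router(user, password):
    """Start a mock admin page on a free localhost port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), _make_handler(user, password))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"


def demo():
    """Audit one router left on factory defaults and one with a changed password."""
    weak_srv, weak_url = start_mock_router("admin", "admin")          # factory default
    hard_srv, hard_url = start_mock_router("admin", "Xk9#v2!Lq7pR")   # changed
    try:
        results = audit_fleet([weak_url, hard_url])
    finally:
        weak_srv.shutdown()
        hard_srv.shutdown()
    return {"weak": results[weak_url], "hardened": results[hard_url]}


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'ACCEPTS DEFAULT ' + repr(hit) if hit else 'ok'}")
```

Run it against your own management URLs by calling `audit_fleet` with that list instead of the mock servers; a non-`None` result is a device that an internet-wide scan of the kind described above would also find. Keep the attempt count small and the list limited to known vendor defaults so the audit does not lock out accounts or trip brute-force protection on the devices.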