Researchers on Tuesday unveiled the discovery of malicious firmware that could enlist a wide range of residential and small office routers into a network that silently relays traffic to command and control servers maintained by Chinese state-sponsored hackers.
The firmware implant, revealed in a write-up from Check Point Research, contains a full-featured backdoor that allows attackers to establish communications and file transfers with infected devices, remotely issue commands, and upload, download, and delete files. The implant came in the form of firmware images for TP-Link routers. The well-written C++ code, however, takes pains to implement its functionality in a “firmware-agnostic” way, meaning it would be trivial to modify it for use with other router models.
Not the ends, only the means
The primary purpose of the malware appears to be to relay traffic between an infected target and the attackers’ command and control server in a way that hides the source and destination of the communication. With further analysis, Check Point Research ultimately discovered that the control infrastructure was run by hackers tied to Mustang Panda, an advanced persistent threat actor that the security firms Avast and ESET have said works for the Chinese government.
“Learning from history, router implants are often installed on arbitrary devices of no particular interest, with the aim of creating a chain of nodes between the main infections and real command and control,” Check Point researchers wrote in a shorter write-up. “In other words, infecting a home router doesn’t mean the home owner is specifically targeted, but it’s just a means to an end.”
Researchers discovered the implant while investigating a series of targeted attacks against foreign affairs entities in Europe. The main component is a backdoor with the internal name Horse Shell. The three main functions of Horse Shell are:
- A remote shell for executing commands on the infected device
- File transfer for uploading and downloading files to and from the infected device
- A SOCKS5 tunnel for relaying data between two devices; SOCKS5 is a protocol for proxying TCP connections to an arbitrary IP address and for forwarding UDP packets
The SOCKS5 function appears to be the ultimate purpose of the implant. By building a chain of infected devices in which each device holds encrypted connections only to its two nearest neighbors (one in each direction), the attackers make it difficult for anyone who stumbles upon one of the devices to learn the origin or final destination of the traffic, or the actual purpose of the infection. As Check Point researchers wrote:
The implant can relay communication between two nodes. By doing so, attackers can create a chain of nodes that relay traffic to the command and control server. By doing this, attackers can hide the final command and control, because each node in the chain only has information on the previous and next nodes. Each node is an infected device. Only a few nodes will know the identity of the final command and control.
By using multiple layers of tunnel communication nodes, threat actors can obscure the origin and destination of traffic, making it difficult for defenders to trace traffic back to C2. This makes it difficult for defenders to detect and respond to an attack.
In addition, a chain of infected nodes makes it difficult for the defenders to disrupt the communication between the attacker and the C2. If a node in the chain is compromised or taken out, the attacker can still maintain communication with C2 by routing the traffic through another node in the chain.
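To make the relay-chain argument concrete, here is an added walkthrough in Python (written for this page; it is not Check Point's or the Horse Shell code, and the Horse Shell protocol details beyond "it speaks SOCKS5" are not reproduced). It builds and parses the SOCKS5 CONNECT request from RFC 1928, then simulates the nested CONNECTs an operator would issue through three infected routers. Every IP address, host name and the `RelayNode` class are constructed for the example; the point is what each node can observe: its TCP peer (previous hop) and the CONNECT target (next hop), and nothing else.

```python
"""SOCKS5 relay-chain walkthrough (constructed example, not Horse Shell's code)."""
import ipaddress
import struct

SOCKS_VER = 5
CMD_CONNECT = 1
ATYP_IPV4 = 1
ATYP_DOMAIN = 3


def build_connect_request(host: str, port: int) -> bytes:
    """Client -> proxy: VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4).

    The method-selection handshake that precedes this message is omitted.
    """
    try:
        addr = ipaddress.IPv4Address(host).packed
        atyp = ATYP_IPV4
    except ipaddress.AddressValueError:
        raw = host.encode()
        if len(raw) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = bytes([len(raw)]) + raw  # length-prefixed domain name
        atyp = ATYP_DOMAIN
    return bytes([SOCKS_VER, CMD_CONNECT, 0, atyp]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes):
    """Proxy side: return (host, port), or raise ValueError for anything malformed.

    Defenders can reuse this on captured payloads: a router that emits
    SOCKS5 CONNECT requests toward the internet is worth a second look.
    """
    if len(data) < 4 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("unsupported command %d" % data[1])
    atyp = data[3]
    if atyp == ATYP_IPV4:
        if len(data) != 10:
            raise ValueError("bad IPv4 request length")
        host = str(ipaddress.IPv4Address(data[4:8]))
        port = struct.unpack("!H", data[8:10])[0]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        if len(data) != 7 + n:
            raise ValueError("bad domain request length")
        host = data[5:5 + n].decode()
        port = struct.unpack("!H", data[5 + n:7 + n])[0]
    else:
        raise ValueError("unsupported address type %d" % atyp)
    return host, port


class RelayNode:
    """One infected router (hypothetical). It records only what it can see:
    the peer that connected to it and the target it was asked to CONNECT to."""

    def __init__(self, ip: str):
        self.ip = ip
        self.seen = []  # (previous_hop, next_hop, next_port)

    def handle(self, peer_ip: str, request: bytes):
        host, port = parse_connect_request(request)
        self.seen.append((peer_ip, host, port))
        return host, port


def walk_chain(origin_ip: str, nodes, final_c2):
    """Simulate nested SOCKS5 CONNECTs from origin_ip through nodes to final_c2.

    Each node is asked to connect to the next node (port 1080 assumed for the
    relay listener); the last node is asked to connect to the real C2.
    Returns {node_ip: [what that node saw]}.
    """
    c2_host, c2_port = final_c2
    prev_hop = origin_ip
    for i, node in enumerate(nodes):
        last = i == len(nodes) - 1
        next_host = c2_host if last else nodes[i + 1].ip
        next_port = c2_port if last else 1080
        node.handle(prev_hop, build_connect_request(next_host, next_port))
        prev_hop = node.ip
    return {node.ip: list(node.seen) for node in nodes}


if __name__ == "__main__":
    # Constructed addresses: an operator, three infected routers, one C2.
    routers = [RelayNode("10.0.0.%d" % i) for i in (1, 2, 3)]
    for ip, seen in walk_chain("198.51.100.7", routers, ("c2.example.invalid", 443)).items():
        print(ip, "saw", seen)
```

Running it shows the property the researchers describe: the middle router logs only `10.0.0.1` and `10.0.0.3`, the first router is the only one that sees the operator's address, and the last router is the only one that ever sees the C2 name. Pulling any one router from the chain tells an investigator at most two neighbors, and the parser rejects truncated or non-CONNECT messages rather than guessing.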