Researchers from Check Point Research (CPR) have uncovered a series of cyberattacks by the Chinese APT group "Camaro Dragon". They discovered a modified, malicious firmware image for TP-Link routers that includes a custom backdoor called "Horse Shell".
Recently, Check Point Research (CPR) investigated a series of targeted cyberattacks on European foreign affairs agencies and traced them to a Chinese state-sponsored APT group dubbed the "Camaro Dragon" by CPR. These activities share significant infrastructural overlap with activities publicly associated with Mustang Panda.
Rigged firmware update with backdoor
The security researchers discovered a malicious firmware implant built for TP-Link routers that contains several malicious components, including a custom backdoor called "Horse Shell". The backdoor allows attackers to take full control of the infected device, remain undetected, and reach the compromised networks behind it. CPR's in-depth analysis uncovered these tactics and documents them in detail.
This post dives into the complex details of analyzing the "Horse Shell" router implant, sharing insights into how the implant works, and comparing it to other router implants associated with other Chinese state-sponsored groups. The study of this implant aims to shed light on the techniques and tactics used by the APT group in order to gain a better understanding of how threat actors use malicious firmware implants in network devices for their attacks.
Attack on European foreign affairs institutions
The investigation into the "Camaro Dragon" activities grew out of a campaign aimed mainly at European foreign affairs bodies. Although Horse Shell was found on the attackers' infrastructure, it is unclear who the victims of the router implant actually are.
As seen in earlier campaigns, router implants are often installed on arbitrary devices of no particular interest to the attacker, in order to build a chain of relay nodes between the main infections and the actual command-and-control servers. In other words, an infected home router does not mean the homeowner was specifically targeted; the device is merely a means to an end.
EU directive for security functions
Manufacturers can do more to protect their devices from malware and cyberattacks. Regulations such as the EU Machinery Directive require vendors and manufacturers to ensure that devices pose no risk to users and to build security features into the devices themselves.
Check Point IoT Embedded with Nano Agent® provides on-device runtime protection that enables connected devices with built-in firmware security. The Nano Agent® is a tailor-made package that offers the best security features and prevents malicious activity on routers, network devices and other IoT devices. Check Point IoT Nano Agent® has advanced features such as memory protection, anomaly detection, and control flow integrity.
More at CheckPoint.com
About Check Point
Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-layered security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive "one point of control" security management system. Check Point protects over 100,000 businesses of all sizes.