
On Tuesday, researchers announced a major discovery: malware that can turn a wide range of residential and small office routers into a network that covertly relays traffic to command and control servers operated by Chinese state-backed hackers.
The firmware implant, discovered by Check Point Research, contains a full-featured backdoor that allows attackers to establish connections and file transfers with infected devices, issue remote commands, and upload, download, and delete files. The implant came in the form of firmware images for TP-Link routers. The well-written C++ code took pains to implement its functionality in a “firmware-agnostic” manner, meaning it could readily be modified to work on other router models.
Not ends, just means
The main purpose of the malware appears to be to route traffic between the infected target and the attackers’ command and control servers in a way that obscures the origin and destination of the communication. Upon further analysis, Check Point Research determined that the control infrastructure was operated by hackers associated with Mustang Panda, an advanced persistent threat actor that security firms Avast and ESET say works on behalf of the Chinese government.
“Learning from history, router implants are often installed on arbitrary devices of no particular interest, with the goal of creating a chain of nodes between underlying infections and real command and control,” Check Point researchers wrote. “In other words, infecting a home router does not mean that the host is specifically targeted, rather they are just a means to an end.”
Researchers discovered the implant while investigating a series of targeted attacks against European foreign affairs agencies. The main component is a backdoor, internally named Horse Shell. The three main functions of Horse Shell are:
- A remote shell to execute commands on an infected device
- File transfer for uploading and downloading files to and from the infected device
- Exchange data between two devices using SOCKS5, a protocol for proxying TCP connections to an arbitrary IP address that also provides a means for forwarding UDP packets.
SOCKS5 functionality appears to be the main purpose of the implant. By creating a chain of infected devices that make encrypted connections to only the two closest nodes (one in each direction), it is difficult for anyone who stumbles upon one to learn the origin or final destination or true purpose of the infection. As Check Point researchers wrote:
The implant can transmit communication between the two nodes. By doing so, attackers can create a chain of nodes that will forward traffic to the command and control server. With this, attackers can hide the final command and control because each node in the chain only has information about the previous and subsequent nodes, each node being an infected device. Only a few nodes will know the identity of the last command and control.
By using multiple nodes to tunnel communications, threat actors can obscure the origin and destination of traffic, making it difficult for defenders to trace traffic to C2. This makes it difficult for defenders to detect and respond to an attack.
In addition, the chain of infected nodes makes it difficult for defenders to break the connection between the attacker and C2. If a node in the chain is compromised or taken down, an attacker can still communicate with C2 by routing traffic through another node in the chain.
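The relay behaviour described above rests on ordinary SOCKS5 (RFC 1928) messages. The following parser, added here and not code from Check Point or from the implant, decodes a SOCKS5 client greeting and request from raw bytes so a defender can flag CONNECT or UDP ASSOCIATE requests in traffic captured on a home gateway, which has no business issuing them; the sample payloads are constructed and use TEST-NET addresses.

```python
import ipaddress
import struct

COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_greeting(data: bytes) -> list:
    """Return the auth methods offered in a SOCKS5 client greeting (RFC 1928 section 3)."""
    if len(data) < 2 or data[0] != 0x05 or len(data) != 2 + data[1]:
        raise ValueError("not a complete SOCKS5 greeting")
    return list(data[2:])


def parse_request(data: bytes) -> tuple:
    """Return (command, destination, port) from a SOCKS5 request (RFC 1928 section 4)."""
    if len(data) < 5 or data[0] != 0x05 or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd = COMMANDS.get(data[1])
    if cmd is None:
        raise ValueError("unknown SOCKS5 command %#x" % data[1])
    atyp, body = data[3], data[4:]
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        addr_len = 1 + body[0]          # one length byte, then the name
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(body) != addr_len + 2:       # address is followed by a 2-byte port
        raise ValueError("bad SOCKS5 request length")
    if atyp == ATYP_DOMAIN:
        host = body[1:addr_len].decode("ascii")
    else:
        host = str(ipaddress.ip_address(body[:addr_len]))
    (port,) = struct.unpack("!H", body[addr_len:])
    return cmd, host, port


def find_socks5_requests(payloads) -> list:
    """Return (command, host, port) for every payload that parses as a SOCKS5 request."""
    hits = []
    for payload in payloads:
        try:
            hits.append(parse_request(payload))
        except ValueError:
            pass                        # not SOCKS5, or malformed: ignore
    return hits


# Constructed sample payloads, as they might appear in a capture on the router's WAN side.
SAMPLES = [
    b"\x05\x01\x00",                                    # greeting offering no-auth only
    b"\x05\x01\x00\x01\xcb\x00\x71\x0a\x01\xbb",        # CONNECT 203.0.113.10:443
    b"\x05\x03\x00\x03\x0bexample.com\x00\x35",         # UDP ASSOCIATE example.com:53
    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",     # ordinary HTTP, ignored
]
```

Run `find_socks5_requests(SAMPLES)` to see the two proxy requests recovered from the mixed payloads; on a real capture, feed it the first payload of each new TCP stream leaving the router.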
Remember VPNFilter, ZuoRAT and Hiatus?
Using routers and other so-called “Internet of Things” devices to hide control servers and proxy traffic is one of the oldest tricks in the threat actor trade. Among the most famous examples of other hacking campaigns that took this page from the playbook is one discovered in 2018 that used VPNFilter. The malware was created by Kremlin-backed APT28 (also known as Fancy Bear) and was found to have infected more than 500,000 network devices made by Linksys, Mikrotik, Netgear, TP-Link and QNAP. VPNFilter provided various functions, the main one enabled by the “socks5proxy” module, which turned the compromised device into a SOCKS5 virtual private network proxy server. Similar examples include ZuoRAT, malware that last year infected a large number of routers made by Cisco, Netgear, Asus and DrayTek. Earlier this year, researchers discovered Hiatus, a sophisticated hacking campaign that turned high-bandwidth routers from manufacturer DrayTek into SOCKS proxies.
Check Point researchers still do not know how the malicious implant was installed on the devices. It is believed that threat actors are either exploiting vulnerabilities in devices or searching the Internet for devices protected by weak or default administrative passwords.
While the only firmware image discovered so far works only on TP-Link devices, there’s nothing stopping threat actors from creating images that work on a wider range of hardware. This cross-platform capability results from the implant’s architects integrating many open source libraries into their code. The libraries include Telnet for the remote shell, libev for event handling, libbase32 for encoding and decoding base32 binary data, and a list of containers based on the Tor smart list.
Inspiration may have come from other projects, including the Shadowsocks-libev server and udpt’s UDP tunnel. The HTTP headers used are taken from open source repositories.
“Implanted components were detected in modified TP-Link firmware images,” the researchers wrote. “However, they are written in a software-agnostic manner and are not specific to any product or vendor. As a result, they can be included in different software by different vendors.”