Check Point Research (CPR) exposes a malicious firmware implant for TP-Link routers allowed attackers to gain full control of infected devices and access compromised networks while evading detection. CPR attributes the attacks to a Chinese state-sponsored APT group dubbed “Camaro Dragon”.
The firmware image contained several malicious components, including a custom MIPS32 ELF implant dubbed “Horse Shell”. In addition to the implant, a passive backdoor providing attackers with a shell to infected devices was found.
“Horse Shell”, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:
- Remote shell: Execution of arbitrary shell commands on the infected router
- File transfer: Upload and download files to and from the infected router.
- SOCKS tunneling: Relay communication between different clients.
Due to its firmware-agnostic design, the implant’s components can be integrated into various firmware by different vendors.
The deployment method of the firmware images on the infected routers is still unclear, as well as its usage and involvement in actual intrusions.