Researchers unveiled a major discovery on Tuesday: malicious firmware that can conscript a wide variety of home and small-office routers into a network that covertly relays traffic to command-and-control servers run by Chinese state-sponsored hackers.
The firmware implant, described in a Check Point Research report, contains a full-featured backdoor that lets attackers establish communications and file transfers with infected devices, issue remote commands, and upload, download, and delete files. The implant was found in the form of modified firmware images for TP-Link routers. However, the well-written C++ code takes pains to implement its functionality in a "firmware-agnostic" way, meaning it would be trivial to adapt it to run on other router models.
Not the goal, only the means
The main purpose of the malware appears to be to relay traffic between an infected target and the attackers' command-and-control servers in a way that obscures the origins and destinations of the communications. After further analysis, Check Point Research determined that the infrastructure behind the implant was controlled by hackers associated with Mustang Panda, an advanced persistent threat actor that security companies Avast and ESET both say works on behalf of the Chinese government.
“Learning from history, router implants are often installed on random devices of no particular importance, with the aim of creating a chain of nodes between the main infections and real command and control,” the Check Point researchers wrote in a shorter description. “In other words, infecting a home router does not mean that the homeowner was specifically targeted, but rather that they are merely a means to an end.”
The researchers discovered the implant while investigating a series of targeted attacks against European foreign affairs entities. Its core component is a backdoor with the internal name Horse Shell. The three main functions of Horse Shell are:
- A remote shell for running commands on the infected device
- File transfer for uploading and downloading files to and from the infected device
- Relaying data between two nodes over SOCKS5, a protocol for proxying TCP connections to an arbitrary IP address that also provides a way to forward UDP packets.
The SOCKS5 functionality appears to be the ultimate goal of the implant. By building a chain of infected devices in which each one establishes encrypted connections only to its two nearest neighbors (one in each direction), the attackers make it difficult for anyone who encounters any single node to determine the origin, the ultimate destination, or the true purpose of the infection. As Check Point researchers wrote:
The implant can relay communication between two nodes. By doing this, the attackers can create a chain of nodes that forward traffic to the command and control server. By doing this, the attackers can hide the last command and control, as each node in the chain only has information about the previous and next nodes, with each node being an infected device. Only a handful of nodes know the identity of the final command and control.
By using multiple layers of nodes to tunnel communications, threat actors can obscure the origin and destination of the traffic, making it difficult for defenders to trace the traffic back to the C2. This makes it more difficult for defenders to detect and respond to the attack.
In addition, a chain of infected nodes makes it more difficult for defenders to disrupt communication between the attacker and the C2. If a node in the chain is compromised or removed, the attacker can still maintain communication with the C2 by routing traffic through another node in the chain.
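To make the SOCKS5 relay function listed above and the node-chaining Check Point describes concrete, here is an added example that is not Check Point's code and not code from the implant. It encodes and decodes the RFC 1928 CONNECT request that every hop in such a chain has to handle (with the length checks a relay should apply to untrusted input), then simulates a three-hop chain to show which two addresses each node can actually observe. All hop and C2 addresses are constructed from the RFC 5737 documentation ranges and stand for nothing real.

```python
"""
Minimal SOCKS5 (RFC 1928) CONNECT builder/parser plus a simulation of the
node-chaining described in the article.  Added example, not Check Point's
or the implant's code.  Addresses used below are constructed from the
RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
"""
import ipaddress
import struct

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect(host, port):
    """Encode a SOCKS5 CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    except ValueError:  # not an IP literal, so send it as a domain name
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(buf):
    """Decode a SOCKS5 request from untrusted bytes; returns (cmd, host, port).

    Raises ValueError on a bad version, unknown address type, or a buffer
    that is truncated or carries trailing bytes, so a relay never acts on a
    half-read request.
    """
    if len(buf) < 4 or buf[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = buf[1], buf[3]
    if atyp == ATYP_IPV4:
        end = 8
        if len(buf) < end:
            raise ValueError("truncated IPv4 address")
        host = str(ipaddress.IPv4Address(buf[4:end]))
    elif atyp == ATYP_IPV6:
        end = 20
        if len(buf) < end:
            raise ValueError("truncated IPv6 address")
        host = str(ipaddress.IPv6Address(buf[4:end]))
    elif atyp == ATYP_DOMAIN:
        if len(buf) < 5:
            raise ValueError("missing domain length")
        end = 5 + buf[4]
        if len(buf) < end:
            raise ValueError("truncated domain name")
        host = buf[5:end].decode("idna")
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    if len(buf) != end + 2:
        raise ValueError("truncated port or trailing bytes in request")
    (port,) = struct.unpack("!H", buf[end:end + 2])
    return cmd, host, port


def chain_views(origin, hops, final_dst, port=443):
    """Simulate SOCKS5 chaining hop by hop.

    The origin opens a tunnel to hops[0] and asks it to CONNECT to hops[1];
    through that tunnel it asks hops[1] to CONNECT to hops[2], and so on,
    until the last hop CONNECTs to final_dst.  Returns, per hop, the only two
    endpoints that hop observes: the peer whose TCP connection it accepted and
    the address carried in the CONNECT request it was asked to serve.
    """
    views = []
    prev = origin
    for hop, nxt in zip(hops, hops[1:] + [final_dst]):
        cmd, host, p = parse_connect(build_connect(nxt, port))  # what reaches this hop
        if cmd != CMD_CONNECT:
            raise ValueError("relay only services CONNECT")
        views.append({"node": hop, "sees_from": prev, "sees_to": "%s:%d" % (host, p)})
        prev = hop
    return views


def exposed_by_seizing(views, node):
    """Addresses a defender learns by capturing one node's traffic or config."""
    for v in views:
        if v["node"] == node:
            return {v["sees_from"], v["sees_to"].rsplit(":", 1)[0]}
    raise KeyError(node)


if __name__ == "__main__":
    # Constructed chain: victim -> three infected routers -> final C2 (all documentation addresses).
    views = chain_views("192.0.2.10", ["198.51.100.1", "198.51.100.2", "198.51.100.3"], "203.0.113.9")
    for v in views:
        print("%s accepts from %s, is asked to connect to %s" % (v["node"], v["sees_from"], v["sees_to"]))
```

Seizing the middle router yields only its two neighbors; neither the victim's address nor the final C2 appears in anything it handled, which is exactly the property the chain is built for and why a defender usually has to follow the chain end to end rather than stop at the first infected router.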