
Horse Shell Malware

A hacking group known as "Camaro Dragon," believed to be state-sponsored by China, has been found infecting residential TP-Link routers with a custom malware called Horse Shell. This attack campaign is specifically targeted at European foreign affairs organizations.

The hackers deploy this backdoor malware through customized and threatening firmware tailored for TP-Link routers. By doing so, they can carry out attacks that appear to originate from residential networks.

This type of attack targets ordinary residential and home networks. The infection of a home router therefore does not necessarily indicate that the homeowners themselves were a specific target; rather, their devices serve as stepping stones that help the attackers reach their actual goals.

Once the malware is deployed, the threat actors gain complete access to the infected device. This includes the ability to execute shell commands, upload and download files, and utilize the router as a SOCKS proxy to facilitate communication between devices.

The researchers discovered the Horse Shell TP-Link firmware implant in January 2023. They have observed that the hackers' activities overlap with another Chinese hacking group known as Mustang Panda, but they are tracking the threat actors under the separate Camaro Dragon name.

Horse Shell is Deployed via Unsafe TP-Link Firmware

According to the findings of the cybersecurity researchers, the attackers infect TP-Link routers by introducing a threatening firmware image. This may have been achieved by exploiting vulnerabilities in the router's software or by attempting to guess the administrator's credentials through brute-force methods.

Once the threat actor gains administrative access to the router's management interface, they have the capability to remotely update the device with the custom firmware image containing the Horse Shell malware.

Two samples of trojanized firmware images specifically designed for TP-Link routers have been discovered so far. These harmful firmware versions contain extensive modifications and additions to the original files.

In comparing the tampered TP-Link firmware with a legitimate version, the experts found that the kernel and U-Boot sections were identical. However, the unsafe firmware incorporated a custom SquashFS filesystem that contained additional corrupted file components associated with the Horse Shell backdoor implant. Furthermore, the unsafe firmware also alters the management Web panel, effectively preventing the device owner from flashing a new firmware image onto the router and thereby ensuring the persistence of the infection.
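The comparison the researchers describe (bootloader and kernel untouched, SquashFS replaced) can be reproduced as a simple integrity check. The following script is an added example, not code from the original report or from any vendor tooling: it locates the SquashFS superblock by its magic, reads the filesystem length from the superblock's `bytes_used` field, hashes the regions before and inside the filesystem, and reports which regions differ between a known-good image and a suspect one. The two firmware images it runs on are constructed stand-ins (a stub bootloader, a stub kernel and a SquashFS-shaped blob), not real TP-Link firmware.

```python
import hashlib
import struct

# SquashFS superblock magic: "hsqs" in little-endian images, "sqsh" in big-endian ones.
SQUASHFS_MAGIC = {b"hsqs": "<", b"sqsh": ">"}


def find_squashfs(image: bytes):
    """Return (offset, length, byte_order) for each SquashFS superblock in the image.

    Length comes from the superblock's bytes_used field (8 bytes at offset 40),
    rounded up to the 4 KiB padding mksquashfs applies to the end of an image.
    """
    found = []
    for magic, order in SQUASHFS_MAGIC.items():
        pos = image.find(magic)
        while pos != -1:
            if pos + 48 <= len(image):
                (bytes_used,) = struct.unpack_from(order + "Q", image, pos + 40)
                if 0 < bytes_used <= len(image) - pos:   # reject false magic hits
                    length = (bytes_used + 4095) // 4096 * 4096
                    found.append((pos, min(length, len(image) - pos), order))
            pos = image.find(magic, pos + 1)
    return sorted(found)


def section_hashes(image: bytes) -> dict:
    """Split an image into pre-SquashFS (bootloader + kernel), SquashFS and trailer, and hash each."""
    fs = find_squashfs(image)
    if len(fs) != 1:
        raise ValueError(f"expected exactly one SquashFS, found {len(fs)}")
    off, length, _ = fs[0]
    regions = {"pre_squashfs": image[:off], "squashfs": image[off:off + length]}
    if off + length < len(image):
        regions["post_squashfs"] = image[off + length:]
    return {name: hashlib.sha256(data).hexdigest() for name, data in regions.items()}


def compare_images(reference: bytes, suspect: bytes) -> dict:
    """Report, per region, whether the suspect image matches the reference image."""
    ref, sus = section_hashes(reference), section_hashes(suspect)
    return {name: ("identical" if ref.get(name) == sus.get(name) else "DIFFERS")
            for name in sorted(set(ref) | set(sus))}


def make_squashfs_stub(payload: bytes, order: str = "<") -> bytes:
    """Constructed SquashFS-shaped blob: 96-byte superblock + payload, padded to 4 KiB.
    Only the magic and bytes_used fields are meaningful; this is not a mountable filesystem."""
    header = bytearray(96)
    header[0:4] = b"hsqs" if order == "<" else b"sqsh"
    struct.pack_into(order + "Q", header, 40, 96 + len(payload))
    blob = bytes(header) + payload
    return blob + b"\x00" * (-len(blob) % 4096)


# Constructed images: identical bootloader and kernel stubs, differing SquashFS contents.
BOOTLOADER_STUB = b"U-BOOT-STUB" + b"\x00" * 117       # 128 bytes
KERNEL_STUB = b"KERNEL-STUB" + b"\x01" * 245           # 256 bytes
LEGIT_IMAGE = BOOTLOADER_STUB + KERNEL_STUB + make_squashfs_stub(
    b"/bin/busybox\n/etc/passwd\n")
TROJANIZED_IMAGE = BOOTLOADER_STUB + KERNEL_STUB + make_squashfs_stub(
    b"/bin/busybox\n/etc/passwd\n/usr/bin/implant-stub\n")   # extra file = the implant stand-in

if __name__ == "__main__":
    for region, verdict in compare_images(LEGIT_IMAGE, TROJANIZED_IMAGE).items():
        print(f"{region:14s} {verdict}")
```

On a real image, pass the vendor's published firmware as `reference` and the dump taken from the device as `suspect`; a report of `pre_squashfs identical` and `squashfs DIFFERS` is exactly the pattern the researchers describe, and the next step is to unpack both filesystems and diff their file lists.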

The Harmful Capabilities of the Horse Shell Implant

Once the Horse Shell backdoor implant is activated, it employs several techniques to ensure its persistence and covert operation. Firstly, it instructs the operating system to ignore certain signals, such as SIGPIPE, SIGINT and SIGABRT, so that its process is not terminated when they are delivered. Additionally, it converts itself into a daemon, allowing it to run silently in the background.
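Both behaviours leave a trace in procfs that a defender with shell access to a Linux-based router can look for: the ignored-signal mask in `/proc/<pid>/status` (`SigIgn`) and, for a daemonized process, a parent PID of 1. The script below is an added example written for this page, not code from the researchers or from TP-Link: it parses status files, decodes the `SigIgn` bitmask for the three named signals, and flags processes that ignore all three while running under init. The two status files it checks are constructed samples, not real captures, and the process name `implant-stub` is a placeholder.

```python
import os

# Signal numbers for the three signals named in the report; these three have the
# same numbers on x86, ARM and MIPS, so the check works on typical router CPUs.
WATCHED_SIGNALS = {"SIGINT": 2, "SIGABRT": 6, "SIGPIPE": 13}


def parse_status(text: str) -> dict:
    """Parse the 'Key:\tvalue' lines of a /proc/<pid>/status file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def ignored_signals(status_text: str) -> set:
    """Return the watched signals present in the process's SigIgn mask.
    Bit (n - 1) of the mask is set when signal n is ignored."""
    mask = int(parse_status(status_text).get("SigIgn", "0"), 16)
    return {name for name, num in WATCHED_SIGNALS.items() if mask & (1 << (num - 1))}


def is_suspicious(status_text: str) -> bool:
    """Flag a process that ignores SIGINT, SIGABRT and SIGPIPE together and has been
    re-parented to init, the combination a self-daemonizing process shielding itself
    from termination produces. Ignoring SIGPIPE alone is common for benign daemons."""
    fields = parse_status(status_text)
    return (ignored_signals(status_text) == set(WATCHED_SIGNALS)
            and fields.get("PPid") == "1")


def scan_proc(proc_root: str = "/proc"):
    """Walk a live procfs (read-only) and yield (pid, name) for each suspicious process."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                text = fh.read()
        except OSError:
            continue            # process exited or status not readable
        if is_suspicious(text):
            yield int(entry), parse_status(text).get("Name", "?")


# Constructed sample status files (abridged; real files carry many more fields).
BENIGN_STATUS = ("Name:\tdropbear\nState:\tS (sleeping)\nPid:\t301\nPPid:\t1\n"
                 "SigIgn:\t0000000000001000\n")           # ignores only SIGPIPE
SUSPECT_STATUS = ("Name:\timplant-stub\nState:\tS (sleeping)\nPid:\t412\nPPid:\t1\n"
                  "SigIgn:\t0000000000001022\n")          # SIGINT + SIGABRT + SIGPIPE

if __name__ == "__main__":
    for pid, name in scan_proc():
        print(f"pid {pid} ({name}) ignores SIGINT/SIGABRT/SIGPIPE and runs under init")
```

The mask value 0x1022 decodes as bits 1, 5 and 12, that is signals 2, 6 and 13. Treat a hit as a lead rather than a verdict: compare the flagged binary's path and hash against the unpacked vendor SquashFS before drawing conclusions.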

Next, the backdoor establishes a connection with the Command-and-Control (C2) server of the operation. It sends the victim's machine profile, which includes information such as the user name, operating system version, device details, IP address, MAC address and supported features of the implant.

Having completed the setup phase, Horse Shell patiently awaits instructions from the C2 server. It listens for three specific commands:

  • Start a remote shell: This command grants the threat actors complete access to the compromised device, enabling them to execute commands and carry out unsafe activities.
  • Perform file transfer activities: The backdoor facilitates the uploading and downloading of files, basic file manipulation, and directory enumeration, allowing the threat actors to manipulate data on the compromised device.
  • Start tunneling: Horse Shell can initiate tunneling to obfuscate the destination and origin of network traffic. By hiding the C2 server address, this technique helps maintain the stealthiness of the attackers' operations.

Researchers note that the Horse Shell firmware implant is not limited to a distinct type of firmware but is firmware-agnostic. Therefore, in theory, it could potentially be used in firmware images for routers from various vendors.

The targeting of poorly secured routers by state-sponsored hackers is not surprising. Routers are often targeted by botnets for activities like distributed Denial-of-Service (DDoS) attacks or crypto-mining operations. These attacks take advantage of routers' often overlooked security measures, allowing the compromised devices to serve as inconspicuous launchpads for harmful activities while obscuring the origin of the attacker.
