Chinese State-Sponsored Hackers Exploit Router Firmware to Establish Covert Communication Network

Chinese State-Sponsored Hackers Exploit Router Firmware to Establish Covert Communication Network In a significant discovery, researchers have unveiled the presence of malicious firmware capable of harnessing a wide range of residential and small office routers to form a network that covertly relays traffic to command-and-control servers operated by Chinese state-sponsored hackers. Check Point Research has exposed a firmware implant that includes a comprehensive backdoor, enabling attackers to establish communication channels, transfer files, issue remote commands, and manipulate uploaded and downloaded content. The implant was specifically identified in firmware images designed for TP-Link routers, although its adaptable nature allows for potential modification to target other router models.

The primary objective of the malware is to relay traffic between infected targets and the command-and-control servers in a manner that conceals the communication's origins and destinations. Subsequent analysis by Check Point Research identified the hackers operating the control infrastructure as associated with Mustang Panda, an advanced persistent threat actor known to be affiliated with the Chinese government, according to findings by Avast and ESET security firms.

During investigations into targeted attacks on European foreign affairs entities, researchers discovered the chief component of the implant—a backdoor named Horse Shell. Horse Shell encompasses three primary functions: a remote shell for executing commands on infected devices, file transfer capabilities for uploading and downloading files, and data exchange between two devices using the SOCKS5 protocol. The SOCKS5 functionality serves as the implant's ultimate purpose. By establishing an encrypted connection between the closest two nodes in a chain of infected devices, the true origin, ultimate destination, and purpose of the infection remain elusive to anyone who encounters these nodes. Check Point researchers emphasize that router implants are frequently installed on arbitrary devices without specific targeting, instead focusing on creating a chain of nodes between the main infections and the actual command and control servers.

The researchers highlight that infecting a home router does not indicate direct targeting of the homeowner; rather, it serves as a means to an end. These routers become a part of a larger infrastructure designed to facilitate covert communication and obfuscate the true intentions of the attackers.

The utilization of router firmware and the exploitation of router vulnerabilities to establish covert networks is not unprecedented. Similar techniques have been observed in previous campaigns, such as VPNFilter, which was attributed to the Kremlin-backed APT28 group, and other malware like ZuoRAT and Hiatus. These attacks have targeted routers from various manufacturers, leveraging known vulnerabilities or default credentials to compromise the devices.

The exact method by which the malicious implant is installed on devices remains uncertain. It is suspected that attackers exploit previously patched vulnerabilities or gain control through weak or default administrative credentials. Check Point researchers advise TP-Link users to verify the cryptographic hash of their firmware to detect potential infections. Although the current firmware image discovered targets TP-Link devices, the flexible architecture of the malware allows for adaptation to different hardware platforms.

Users concerned about potential infections can examine connections to the domain m.cremessage[.]com, check for modified "Upgrade Firmware" options in the router's admin panel UI, search for specific files like /vat/udhcp.cnf, /var/udhcp, and .remote_shell.log, and analyze outgoing packets using provided yara signatures. Additionally, proactive measures such as firmware patching and the use of strong passwords are crucial in mitigating the risk posed by such attacks.

Despite attempts to seek further information, TP-Link representatives have not yet responded to inquiries regarding the malware.