Researchers on Tuesday unveiled a major discovery—malicious firmware that can wrangle a wide range of residential and small office routers into a network that stealthily relays traffic to command and control servers maintained by Chinese state-sponsored hackers.
A firmware implant, revealed in a write-up from Check Point Research, contains a full-featured backdoor that allows attackers to establish communications and file transfers with infected devices, remotely issue commands, and upload, download, and delete files. The implant came in the form of firmware images for TP-Link routers. The well-written C++ code, however, took pains to implement its functionality in a “firmware-agnostic” manner, meaning it would be trivial to modify it to run on other router models.
Not the ends, just the means
The main purpose of the malware appears to be relaying traffic between an infected target and the attackers’ command and control servers in a way that obscures the origins and destinations of the communication. With further analysis, Check Point Research eventually discovered that the control infrastructure was operated by hackers tied to Mustang Panda, an advanced persistent threat actor that both the Avast and ESET security firms say works on behalf of the Chinese government.
“Learning from history, router implants are often installed on arbitrary devices with no particular interest, with the aim to create a chain of nodes between the main infections and real command and control,” Check Point researchers wrote in a shorter write-up. “In other words, infecting a home router does not mean that the homeowner was specifically targeted, but rather that they are only a means to a goal.”
The researchers discovered the implant while investigating a series of targeted attacks against European foreign affairs entities. The chief component is a backdoor with the internal name Horse Shell. The three main functions of Horse Shell are:
- A remote shell for executing commands on the infected device
- File transfer for uploading and downloading files to and from the infected device
- The exchange of data between two devices using SOCKS5, a protocol for proxying TCP connections to an arbitrary IP address and providing a means for UDP packets to be forwarded.
The SOCKS5 functionality seems to be the ultimate purpose of the implant. By creating a chain of infected devices that establish encrypted connections with only the closest two nodes (one in each direction), it’s difficult for anyone who stumbles upon one of them to learn the origin or ultimate destination or the true purpose of the infection. As Check Point researchers wrote:
The implant can relay communication between two nodes. By doing so, the attackers can create a chain of nodes that will relay traffic to the command and control server. By doing so, the attackers can hide the final command and control, as every node in the chain has information only on the previous and next nodes, each node being an infected device. Only a handful of nodes will know the identity of the final command and control.
By using multiple layers of nodes to tunnel communication, threat actors can obscure the origin and destination of the traffic, making it difficult for defenders to trace the traffic back to the C2. This makes it harder for defenders to detect and respond to the attack.
In addition, a chain of infected nodes makes it harder for defenders to disrupt the communication between the attacker and the C2. If one node in the chain is compromised or taken down, the attacker can still maintain communication with the C2 by routing traffic through a different node in the chain.
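The relay described above rides on SOCKS5 (RFC 1928), so a useful defensive check is simply recognising SOCKS5 handshakes in traffic where no proxy should exist, such as flows terminating on a home router. The decoder below is an added example, not code from the Check Point write-up or from the implant itself: it parses the client greeting and the subsequent CONNECT/BIND/UDP ASSOCIATE request from the first client-to-server payload chunks of a TCP flow and reports the requested destination. The flow tuples, addresses and payload bytes in SAMPLE_FLOWS are constructed for the demonstration.

```python
"""SOCKS5 (RFC 1928) client-handshake decoder for captured TCP payloads.

Added example for this article; not from Check Point Research or the
Horse Shell implant. Sample flows below are constructed, not captured.
"""
from dataclasses import dataclass
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# RFC 1928 method identifiers seen in the client greeting
METHOD_NAMES = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}
# RFC 1928 command codes in the client request
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Socks5Request:
    command: str
    dest_host: str
    dest_port: int


def parse_greeting(payload: bytes) -> Optional[List[str]]:
    """Client greeting: VER(0x05) NMETHODS METHODS[...]. Returns method names, or None if not SOCKS5."""
    if len(payload) < 2 or payload[0] != 0x05:
        return None
    n = payload[1]
    if n == 0 or len(payload) < 2 + n:
        return None
    return [METHOD_NAMES.get(m, f"0x{m:02x}") for m in payload[2:2 + n]]


def parse_request(payload: bytes) -> Optional[Socks5Request]:
    """Client request: VER CMD RSV(0x00) ATYP DST.ADDR DST.PORT. Returns None on anything malformed."""
    if len(payload) < 4 or payload[0] != 0x05 or payload[2] != 0x00:
        return None
    cmd = CMD_NAMES.get(payload[1])
    if cmd is None:
        return None
    atyp = payload[3]
    if atyp == ATYP_IPV4:
        if len(payload) < 10:
            return None
        host, off = str(ipaddress.IPv4Address(payload[4:8])), 8
    elif atyp == ATYP_IPV6:
        if len(payload) < 22:
            return None
        host, off = str(ipaddress.IPv6Address(payload[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        if len(payload) < 5:
            return None
        ln = payload[4]
        if len(payload) < 5 + ln + 2:
            return None
        host, off = payload[5:5 + ln].decode("ascii", errors="replace"), 5 + ln
    else:
        return None
    port = struct.unpack("!H", payload[off:off + 2])[0]
    return Socks5Request(cmd, host, port)


def inspect_flow(client_chunks: List[bytes]) -> Optional[dict]:
    """Given the first client->server payload chunks of one TCP flow, return a
    finding {"methods": [...], "request": Socks5Request|None} or None if the
    flow does not open with a SOCKS5 greeting. Later chunks are scanned for the
    request so an intervening username/password subnegotiation (version 0x01)
    does not hide it."""
    if not client_chunks:
        return None
    methods = parse_greeting(client_chunks[0])
    if methods is None:
        return None
    request = next((r for r in map(parse_request, client_chunks[1:]) if r), None)
    return {"methods": methods, "request": request}


FlowKey = Tuple[str, str, int]  # (client IP, server IP, server port)


def summarize(flows: Dict[FlowKey, List[bytes]]) -> List[Tuple[str, str, int, str, str, int]]:
    """Return one (src, dst, dport, command, dest_host, dest_port) row per SOCKS5 flow found."""
    rows = []
    for (src, dst, dport), chunks in flows.items():
        finding = inspect_flow(chunks)
        if finding and finding["request"]:
            r = finding["request"]
            rows.append((src, dst, dport, r.command, r.dest_host, r.dest_port))
    return rows


# Constructed sample flows (documentation address ranges; not real captures).
SAMPLE_FLOWS: Dict[FlowKey, List[bytes]] = {
    # LAN host -> router: no-auth greeting, then CONNECT 203.0.113.10:443
    ("192.0.2.20", "192.0.2.1", 8443): [
        b"\x05\x01\x00",
        b"\x05\x01\x00\x01" + ipaddress.IPv4Address("203.0.113.10").packed + struct.pack("!H", 443),
    ],
    # user/pass auth, then CONNECT to a domain name on port 8080
    ("192.0.2.21", "192.0.2.1", 8443): [
        b"\x05\x02\x00\x02",
        b"\x01\x04user\x04pass",  # RFC 1929 subnegotiation, version byte 0x01
        b"\x05\x01\x00\x03" + bytes([len(b"relay.example")]) + b"relay.example" + struct.pack("!H", 8080),
    ],
    # UDP ASSOCIATE with unspecified address/port
    ("192.0.2.23", "192.0.2.1", 8443): [b"\x05\x01\x00", b"\x05\x03\x00\x01" + bytes(4) + b"\x00\x00"],
    # ordinary TLS ClientHello prefix: must not be reported
    ("192.0.2.22", "198.51.100.5", 443): [b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"],
}

if __name__ == "__main__":
    for src, dst, dport, cmd, host, port in summarize(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  SOCKS5 {cmd} {host}:{port}")
```

In practice the chunks would come from a flow reassembler (or from a proxy-aware IDS signature), and the interesting rows are the ones where the server side is the router itself or the listening port is not a known proxy service; a SOCKS5 CONNECT request arriving at a consumer router is by itself worth investigating.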
Remember VPNFilter, ZuoRAT, and Hiatus?
Using routers and other so-called Internet of Things devices to conceal control servers and covertly proxy traffic is among the oldest tricks in threat actor tradecraft. Among the best-known examples of other hacking campaigns borrowing this page from the playbook is one discovered in 2018 that used VPNFilter. The malware was created by the Kremlin-backed APT28 (also known as Fancy Bear) and was found infecting more than 500,000 networking devices made by Linksys, Mikrotik, Netgear, TP-Link, and QNAP. VPNFilter provided a variety of functions, chief of which was enabled by a “socks5proxy” module that turned the compromised device into a SOCKS5 virtual private network proxy server.
Similar examples include malware called ZuoRAT, which was discovered last year infecting a large number of routers made by Cisco, Netgear, Asus, and DrayTek. Earlier this year, researchers unearthed Hiatus, a sophisticated hacking campaign that turned high-bandwidth routers from manufacturer DrayTek into SOCKS proxies.
Check Point researchers still don’t know how the malicious implant gets installed on devices. A likely bet is that the threat actors are either exploiting vulnerabilities in the devices or searching the Internet for devices that are protected by weak or default administrative passwords.
While the only firmware image discovered so far runs only on TP-Link devices, there’s nothing stopping the threat actors from creating images that run on a much wider range of hardware. This cross-platform capability results from the implant architects integrating multiple open source libraries into their code. Libraries include Telnet for the remote shell, libev to handle events, libbase32 for encoding and decoding base32 binary data, and a list of containers that are based on the TOR smartlist.
Other inspiration may have come from projects including the Shadowsocks-libev server and the udptun UDP tunnel. The HTTP headers used were taken from open source repositories.
“The implanted components were discovered in modified TP-Link firmware images,” the researchers wrote. “However, they were written in a firmware-agnostic manner and are not specific to any particular product or vendor. As a result, they could be included in different firmware by various vendors.”