Researchers have linked the Mustang Panda threat group to a new custom firmware implant that primarily infects and uses TP-Link routers. Based on reports, the implant includes several malicious components, including a custom backdoor called Horse Shell.
The backdoor could allow an attacker to establish persistent access, build anonymous infrastructure, and move laterally across infected networks. Because of its firmware-agnostic design, the implant operators could also integrate the backdoor into firmware from different vendors.
However, the researchers have yet to identify exactly how the backdoor was deployed and used, or how it relates to the tampered firmware images found on the compromised routers. Experts suspect that the actors acquired initial access by exploiting known security vulnerabilities or by brute-forcing devices with default or weak passwords.
The current campaign could allow the Mustang Panda group to execute several malicious activities.
An investigation confirms that the C++-based Horse Shell implant could allow the Mustang Panda group to run arbitrary shell commands, upload and download archives to and from the infected routers, and relay communication between two clients.
In addition, the router backdoor could allegedly target arbitrary devices on residential and home networks, meaning that the exploited routers are being co-opted into a mesh network that forms a chain of nodes between the core infections and the real command-and-control (C2) server.
Relaying communication between infected routers over a SOCKS tunnel adds a layer of anonymity and obscures the final server. Each node in the chain holds details of the nodes that precede and follow it.
The method hides the origin and destination of the traffic in a manner analogous to Tor. As a result, it becomes much harder for threat analysts and researchers to gauge the scope of the attack and disrupt it.
This is not the first time China-backed threat groups have relied on a network of compromised routers to accomplish their strategic missions. If one node in the chain fails, the group can still maintain communication with its command-and-control server by routing traffic through a different node in the chain.
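The chain-of-relays behaviour described above can be reconstructed from flow logs on the defender's side. The following is an added example, not code from the original article or from the research it summarises: it parses constructed sample flow records (test-range addresses, a made-up log format), flags routers that both accept and forward connections, and checks whether blocking one relay actually cuts the origin off from the final server.

```python
from collections import defaultdict, deque

# Constructed sample flow records (not from the report); test-range addresses.
# Format: timestamp src -> dst:dport bytes
SAMPLE_FLOWS = """\
2023-05-16T10:00:01 10.0.0.2 -> 192.0.2.10:1080 5120
2023-05-16T10:00:02 192.0.2.10 -> 198.51.100.7:1080 5090
2023-05-16T10:00:02 192.0.2.10 -> 198.51.100.8:1080 5090
2023-05-16T10:00:03 198.51.100.7 -> 203.0.113.40:1080 5060
2023-05-16T10:00:03 198.51.100.8 -> 203.0.113.40:1080 5060
2023-05-16T10:00:04 203.0.113.40 -> 203.0.113.99:443 5030
"""

def parse_flows(text):
    """Parse the format above into (src, dst, dport) tuples, skipping bad lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue
        dst, port = parts[3].rsplit(":", 1)
        flows.append((parts[1], dst, int(port)))
    return flows

def build_graph(flows):
    """Directed adjacency map of who forwards traffic to whom."""
    graph = defaultdict(set)
    for src, dst, _ in flows:
        graph[src].add(dst)
    return dict(graph)

def find_relays(flows):
    """Hosts that both accept a connection and open one onward: every
    intermediate node of the chain in the report behaves this way."""
    graph = build_graph(flows)
    return sorted({dst for _, dst, _ in flows if graph.get(dst)})

def find_path(flows, origin, target, blocked=()):
    """Breadth-first search for a forwarding path origin -> target that avoids
    the `blocked` hosts; returns None if no such path exists."""
    graph, blocked = build_graph(flows), set(blocked)
    queue, seen = deque([[origin]]), {origin}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```

Blocking one of the two middle relays still leaves a path to the final server, while blocking the last hop severs it, which is the kind of choke-point analysis a responder needs before deciding which nodes to take down.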
