A Chinese state-sponsored group known as Camaro Dragon has been launching cyber attacks on European foreign affairs entities, researchers found.
Researchers could not determine the exact targets or the initial access vector, but they traced the Camaro Dragon attacks on European foreign affairs entities to a malicious firmware implant built specifically for TP-Link routers.
“The discovery is yet another example of a long-standing trend of Chinese threat actors to exploit Internet-facing network devices and modify their underlying software or firmware,” said the Check Point Research report.
The Camaro Dragon attacks on European foreign affairs entities aimed to steal the username, system name, OS version, OS time and CPU architecture of the target. The implant also collected the number of CPUs, the amount of RAM, the MAC address and the number of active connections.
Cyber attacks on European foreign affairs entities: The details
Researchers found a backdoor called Horse Shell that carried the data stolen in the European foreign affairs cyberattack by the Camaro Dragon group. Besides data exfiltration, Camaro Dragon used the backdoor for network tunneling, relaying traffic across the network through the infected device.
Because the implanted components are firmware-agnostic, researchers estimate that devices from several other vendors could be at risk of the same kind of attack. Several cyberattacks on European countries have been tracked in connection with this research on Camaro Dragon.
The Horse Shell implant was written in C++ and built for MIPS32-based operating systems.
Two modified TP-Link router firmware images were found in which malicious components had been added to the original firmware. The firmware was for the TP-Link router model WR940N. Researchers compared the images for hardware versions v4 and v6 component by component to see how the group had implanted the system.
The uBoot bootloader and kernel of the firmware versions in question were identical, which confirmed that Camaro Dragon had not tampered with them. The file systems, however, differed, so the researchers compared each file to find the tampered ones.
In a message to users about maintaining proper cyber hygiene, the report read, “In the meantime, remember to keep your network devices updated and secured, and beware of any suspicious activity on your network — you never know who might be lurking in the dragon’s lair!”
The original firmware web interface (Photo: Check Point Research)
The following files were found to be added by the cybercriminals –
While these files were modified:
The modified firmware contains an inline CSS property in an HTML form: Camaro Dragon used display:none to hide the form from the user. Hiding the HTML form did not remove it; the form stayed present in the background while making it harder for the user to upgrade the firmware.
The modification of the firmware allowed the group to transfer files discreetly among other functionalities.
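The file-by-file comparison of two extracted firmware file systems described above, plus a check for forms hidden with an inline display:none, as an added example that is not part of the original article or of the Check Point report. It assumes both file systems have already been extracted to directories; the sample trees it builds are constructed placeholders, not real firmware contents.

```python
import hashlib
import os
import re
import tempfile

# Matches a <form> whose inline style hides it, the trick the report describes.
HIDDEN_FORM = re.compile(r"<form[^>]*style\s*=\s*[\"'][^\"']*display\s*:\s*none", re.I)

def file_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_filesystems(clean_root, suspect_root):
    """Return (added, modified, removed) relative paths between two extracted file systems."""
    clean, suspect = file_hashes(clean_root), file_hashes(suspect_root)
    added = sorted(set(suspect) - set(clean))
    removed = sorted(set(clean) - set(suspect))
    modified = sorted(p for p in clean.keys() & suspect.keys() if clean[p] != suspect[p])
    return added, modified, removed

def hidden_forms(root):
    """Return HTML files under root containing a form hidden with inline display:none."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".htm", ".html")):
                full = os.path.join(dirpath, name)
                with open(full, "r", errors="replace") as fh:
                    if HIDDEN_FORM.search(fh.read()):
                        hits.append(os.path.relpath(full, root))
    return sorted(hits)

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)

def demo():
    """Constructed sample: a clean tree and a tampered copy (placeholder contents, not real firmware)."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            _write(root, "bin/busybox", "unchanged binary placeholder")
        _write(clean, "web/upgrade.htm", '<form action="/upgrade">...</form>')
        _write(suspect, "web/upgrade.htm", '<form action="/upgrade" style="display:none">...</form>')
        _write(suspect, "usr/bin/implant", "constructed added file")  # hypothetical added file
        return compare_filesystems(clean, suspect), hidden_forms(suspect)
```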
The origin of Camaro Dragon
Check Point Research report found several spelling errors in the Horse Shell showing that the binary was left with several string artifacts and debug logs. The typos also indicated that the developers may not be native English speakers. Some often misspelled words were total spelled as tatal, field spelled as filed, and space spelled as space.
In the absence of clarity on the real targets of the European foreign affairs cyberattack by the Camaro Dragon threat actors, the researchers drew some inferences. Historically, router implants have been installed on arbitrary systems to create a chain of nodes relaying the connection between the main infection and the C&C server.
The activities of Camaro Dragon were also found to resemble those of another Chinese state-sponsored group, Mustang Panda.
Cyber attacks on European foreign affairs entities: Infirm firmware
A custom firmware image found in association with Camaro Dragon contained several malicious components, including a MIPS32 ELF implant, also called Horse Shell.
The remote shell implant gave the attackers three main capabilities: executing arbitrary shell commands, uploading and downloading files on infected routers, and relaying traffic between clients via SOCKS tunneling.
“The implant smartly integrated multiple open-source libraries in its code. Its remote shell is based on Telnet, events are handled by libev, it has libbase32 in it, ikcp too, and its list containers are based on TOR’s smartlist implementation,” the research read.