TP-Link routers implanted with malicious firmware in state-sponsored attacks

A Chinese state-sponsored APT group implanted malicious firmware into TP-Link routers as part of attack campaigns aimed at European foreign affairs entities, say Check Point researchers.

Custom malicious firmware for TP-Link routers

The malicious firmware was exclusively created for TP-Link routers. Among its many harmful components, there’s also a customized backdoor dubbed “Horse Shell.”

Horse Shell has three main functionalities:

• Remote shell – Gives threat actors full access to the infected device
• File transfer – Allows threat actors to upload and download files to and from the infected device
• SOCKS tunneling – Allows threat actors to obfuscate the origin and destination of the traffic and hide the C2 from defenders

The backdoor enables attackers to gain full control of the device, and stay hidden while accessing compromised networks.

“[The implanted components] were written in a firmware-agnostic manner and are not specific to any particular product or vendor. As a result, they could be included in different firmware by various vendors,” the researchers noted.

“In recent years we see Chinese threat actors’ increasing interest in compromising edge devices, aiming to both build resilient and more anonymous C&C infrastructures and to gain a foothold in certain targeted networks.”

Infection vector and targets: Unknown

The researchers are not sure how the attackers managed to infect the routers, but believe they likely gained access by exploiting known vulnerabilities or default, weak or easily guessable passwords.

Although the campaigns targeted European foreign affairs entities, researchers don’t know who the victims of the router implant are.

“Learning from history, router implants are often installed on arbitrary devices with no particular interest, with the aim to create a chain of nodes between the main infections and real command and control. In other words, infecting a home router does not mean that the homeowner was specifically targeted, but rather that they are only a means to a goal,” they explained.