Chinese-Linked APT Mustang Panda Exploits TP-Link Routers Using Tailored Firmware Implant
China-Linked APT Group Mustang Panda Utilizes Custom Firmware Implant to Target TP-Link Routers in Targeted Campaigns since January 2023
CYBR THREAT-NOW
S. Amrane
5/18/2023 · 2 min read
Since January 2023, researchers at Check Point Research have tracked a series of targeted attacks against European foreign-affairs entities, attributed to the cyberespionage group Mustang Panda, also tracked as Camaro Dragon, RedDelta, or "Bronze President."
Mustang Panda, active since at least 2012, has previously run campaigns against American and European targets, including government organizations, think tanks, NGOs, and even Catholic institutions within the Vatican, while most of its earlier operations concentrated on Asian regions such as Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar. In its 2022 campaigns, the group used European Union and Ukrainian government reports on the war in Ukraine as lures: opening a report started the infection chain and deployed malware on the victim's system.

The implanted malware consists of several components, among them a custom backdoor named "Horse Shell," which gives the attackers persistence, lets them build anonymized infrastructure, and enables lateral movement inside compromised networks.

The attackers embed the Horse Shell backdoor into modified firmware images. Because the implant is designed to be firmware-agnostic, the same components can be carried over to firmware from other vendors, widening the set of devices that can be targeted.
The backdoor encompasses the following primary functionalities:
1. Remote shell: Enables the execution of arbitrary shell commands on the compromised router.
2. File transfer: Facilitates the upload and download of files to and from the infected router.
3. SOCKS tunneling: Enables the relay of communication between different clients.
The researchers have not yet determined how the malicious firmware images are deployed onto the routers. The attackers most likely exploit known vulnerabilities or brute-force default or easily guessable passwords to gain access to the devices.

Experts believe the attackers' goal is to build a chain of nodes between the primary infections and the real command-and-control (C2) servers. To that end they install the backdoor on a wide range of devices without specific targeting, including routers on residential and home networks.

TP-Link routers, like many others, expose a web interface for configuration and management, and that interface includes a manual firmware upgrade option. In the modified firmware, a small CSS property, "display:none," was added to the HTML upgrade form, hiding it from the user. A manual upgrade is still technically possible, but the modification makes it harder and far less obvious, so the malicious image effectively conceals from the owner the ability to flash a different firmware image over it.
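As an added, defender-side example (not code from the Check Point report or from TP-Link): a small Python checker that parses the saved HTML of a router's firmware-upgrade page and flags any file-upload form that is rendered invisible by "display:none", the exact modification described above. The sample pages, form names and field names below are constructed for the example.

```python
"""Flag firmware-upgrade forms hidden with display:none in a router's web UI."""
from html.parser import HTMLParser
import re

HIDDEN_RE = re.compile(r"display\s*:\s*none", re.IGNORECASE)
VOID = {"input", "br", "img", "meta", "link", "hr"}  # tags that never close


class UpgradeFormAuditor(HTMLParser):
    """Record every <form>, whether it is hidden, and whether it uploads a file."""

    def __init__(self):
        super().__init__()
        self.forms = []     # dicts: name, hidden, has_file_input
        self._stack = []    # hidden flag of each open (non-void) ancestor
        self._form = None   # form currently being parsed, if any

    def _open(self, tag, attrs, push):
        style = attrs.get("style") or ""
        hidden = bool(HIDDEN_RE.search(style))
        if tag == "form":
            # A form is hidden if it or any open ancestor carries display:none.
            self._form = {"name": attrs.get("name") or attrs.get("id") or attrs.get("action") or "?",
                          "hidden": hidden or any(self._stack),
                          "has_file_input": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and (attrs.get("type") or "").lower() == "file":
            self._form["has_file_input"] = True
        if push:
            self._stack.append(hidden)

    def handle_starttag(self, tag, attrs):
        self._open(tag, dict(attrs), push=tag not in VOID)

    def handle_startendtag(self, tag, attrs):  # <input ... /> form
        self._open(tag, dict(attrs), push=False)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if self._stack:
            self._stack.pop()
        if tag == "form":
            self._form = None


def audit_upgrade_page(html):
    """Return names of forms that accept a file upload but are styled invisible."""
    parser = UpgradeFormAuditor()
    parser.feed(html)
    parser.close()
    return [f["name"] for f in parser.forms if f["has_file_input"] and f["hidden"]]
```

Run it over the page saved from the router (for instance with the browser's "save page" or curl) and treat any reported form name as a sign the upgrade UI has been tampered with.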
The Horse Shell component communicates with its peers and the C2 server over individually configured ports; the default is port 80, carrying HTTP traffic with hardcoded HTTP headers. The traffic is encrypted with a custom or modified cipher built on a Substitution-Permutation Network. Horse Shell can talk to several peers at once, and communication between infected routers is relayed through SOCKS tunnels to obscure both the origin and the destination of the traffic.

Because traffic is routed through multiple nodes, the network remains resilient to the takedown or compromise of any single node in the chain.
"Our discovery of the firmware-agnostic nature of the implanted components suggests that a wide range of devices and vendors may be at risk," concludes the report.
Copyright © 2023 ALPHA CSC. All rights reserved