
Malware Turns Home Routers Into Proxies For Chinese State-Sponsored Hackers (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Researchers on Tuesday unveiled a major discovery -- malicious firmware that can wrangle a wide range of residential and small office routers into a network that stealthily relays traffic to command-and-control servers maintained by Chinese state-sponsored hackers. A firmware implant, revealed in a write-up from Check Point Research, contains a full-featured backdoor that allows attackers to establish communications and file transfers with infected devices, remotely issue commands, and upload, download, and delete files. The implant came in the form of firmware images for TP-Link routers. The well-written C++ code, however, took pains to implement its functionality in a "firmware-agnostic" manner, meaning it would be trivial to modify it to run on other router models.

The main purpose of the malware appears to be to relay traffic between an infected target and the attackers' command and control servers in a way that obscures the origins and destinations of the communication. With further analysis, Check Point Research eventually discovered that the control infrastructure was operated by hackers tied to Mustang Panda, an advanced persistent threat actor that both the Avast and ESET security firms say works on behalf of the Chinese government.

The researchers discovered the implant while investigating a series of targeted attacks against European foreign affairs entities. The chief component is a backdoor with the internal name Horse Shell. The three main functions of Horse Shell are: a remote shell for executing commands on the infected device; file transfer for uploading and downloading files to and from the infected device; and the exchange of data between two devices using SOCKS5, a protocol for proxying TCP connections to an arbitrary IP address and providing a means for UDP packets to be forwarded. The SOCKS5 functionality seems to be the ultimate purpose of the implant. By creating a chain of infected devices that establish encrypted connections with only the closest two nodes (one in each direction), it's difficult for anyone who stumbles upon one of them to learn the origin, the ultimate destination, or the true purpose of the infection.
"Learning from history, router implants are often installed on arbitrary devices with no particular interest, with the aim to create a chain of nodes between the main infections and real command and control," Check Point researchers wrote in a shorter write-up. "In other words, infecting a home router does not mean that the homeowner was specifically targeted, but rather that they are only a means to a goal."
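As an added illustration (not code from Check Point, Ars, or the implant itself, whose own wire format this page does not describe), here is the plain RFC 1928 SOCKS5 exchange that any proxy node performs for the relaying the summary describes: the client's method greeting, the relay's choice, the CONNECT request naming the target, and the relay's reply. The target names and ports used below are made up for the example.

```python
"""Minimal SOCKS5 (RFC 1928) CONNECT handshake, both sides, in memory.

Added example, not Check Point's or Horse Shell's code. The implant is
described on this page as using SOCKS5 over an encrypted hop-to-hop link;
this shows only the standard SOCKS5 messages, nothing about that link.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04
REP_SUCCESS = 0x00


def client_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    # VER | NMETHODS | METHODS...
    return bytes([SOCKS_VERSION, len(methods), *methods])


def server_select_method(greeting: bytes) -> bytes:
    # VER | METHOD ; 0xFF tells the client nothing it offered is acceptable.
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    offered = greeting[2:2 + nmethods]
    if len(offered) != nmethods:
        raise ValueError("truncated greeting")
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in offered else METHOD_NO_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def client_connect_request(host: str, port: int) -> bytes:
    # VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (network order)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")          # ATYP 0x03: length-prefixed name
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(req: bytes):
    """What the relay reads: the (host, port) it is asked to open a TCP
    connection to. It learns the next hop or final target, not the origin."""
    if len(req) < 4 or req[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if req[1] != CMD_CONNECT:
        raise ValueError("only CONNECT handled here")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unknown ATYP")
    if len(rest) != 2:
        raise ValueError("bad DST.PORT")
    return host, struct.unpack("!H", rest)[0]


def server_reply(rep: int, bound_host="0.0.0.0", bound_port=0) -> bytes:
    # VER | REP | RSV | ATYP | BND.ADDR | BND.PORT
    ip = ipaddress.ip_address(bound_host)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([SOCKS_VERSION, rep, 0x00, atyp]) + ip.packed + struct.pack("!H", bound_port)


def relay_exchange(target_host: str, target_port: int):
    """Run the four handshake messages and return them in order, plus the
    (host, port) the relay would now connect to and copy bytes for."""
    greeting = client_greeting()
    choice = server_select_method(greeting)
    request = client_connect_request(target_host, target_port)
    target = parse_connect_request(request)
    reply = server_reply(REP_SUCCESS)
    return greeting, choice, request, target, reply


if __name__ == "__main__":
    for msg in relay_exchange("example.com", 443):
        print(msg)
```

After the reply, a relay just copies bytes in both directions between the client socket and the socket it opened to the target; chaining is nothing more than each node sending its own CONNECT to the next node, so a node's request only ever names its neighbour.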
  • China (Score:2, Insightful)

    by Anonymous Coward

    Is anyone surprised that a Chinese router is compromised by Chinese hackers? It's almost as if the product was purpose built for it, then sold cheaply in places they want to hack. This is exactly why Huawei cannot play in the US. China is going to alienate itself from others this way.

  • Here's a thought (Score:3, Insightful)

    by A10Mechanic ( 1056868 ) on Wednesday May 17, 2023 @05:16PM (#63530459)
    Without telling us the attack vector, or any ways to check for or to mitigate this vulnerability, the article is nothing more than clickbait. One would hope this is just a penalty for people too stupid to change their default password, but who can tell from that word vomit article.
    • by Mascot ( 120795 )

      They can't tell you what they don't know. TFA states the deployment method is so far unknown, which leaves the usual suspects (user stupidity, exploiting known vulnerabilities, etc.).

      • Remember when your best friend got the subseven backdoor on their machine? No one knows how it's just there now you have to deal with it.

        Same here, keep your shit protected and you'll be fine. Otherwise keep an eye out for rogue traffic

    • "The implant came in the form of firmware images for TP-Link routers" in TFS told me all I needed to know, in that I am running openwrt on another brand of router so it has nothing at all to do with me.

      The clever thing is to take the same or similar tack, and check for openwrt or similar compatibility before buying. Then roll your own custom images, stay up to date, and allow as little through as possible. You will have reasonable surety that you're not the one compromised pretty much no matter what the pro

    • by AmiMoJo ( 196126 )

      Basically it's the same as the NSA network hardware implants. Requires physical access to install the firmware. They intercept the hardware during shipping or just sell it themselves through a fake retail company, and the customer has no idea what they bought isn't an unmolested Cisco/TP Link router.

      It's difficult to remove because it is in the device's boot code, which is not changed by firmware updates. If you are concerned then the best option is to lift the flash memory chip from your router and program

    • They updated with IOCs

      Check connections to the domain m.cremessage[.]com

      Check the admin panel UI for the modified "Upgrade Firmware"

      Check for the presence of the files /vat/udhcp.cnf, /var/udhcp, and .remote_shell.log

      Check the outgoing packets from the router to see if they match the yara signatures in the post

      Be sure to follow proactive mitigations like patching the version of the router, and using strong passwords
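An added example, not Check Point's or the commenter's code, that sweeps two of the indicators listed above from a LAN host: it refangs the defanged domain and matches it (and any subdomain of it) against dnsmasq query-log lines, and matches the listed file names against an `ls -la` listing captured from the router's shell. The log lines, the directory listing, and the dnsmasq "query[TYPE] name from ip" log format are assumptions constructed for the example. A name match alone is weak evidence (a stock busybox build also carries the udhcpc DHCP client), so hits should be followed up with the YARA rules and hashes in Check Point's post.

```python
"""Sweep a dnsmasq query log and a router directory listing for the
Horse Shell indicators listed in the comment above.

Added example, not Check Point's code. The dnsmasq log format and the
`ls -la` layout are assumptions; every sample line below is constructed.
"""
import re

# Domain exactly as the comment gives it (defanged); refang() restores it.
IOC_DOMAINS = ["m.cremessage[.]com"]
# Basenames of the files the comment lists, matched on name rather than
# full path so a listing of any directory can be checked.
IOC_FILE_NAMES = {"udhcp.cnf", "udhcp", ".remote_shell.log"}

DNSMASQ_QUERY = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<qname>\S+) from (?P<src>\S+)"
)


def refang(indicator: str) -> str:
    """'m.cremessage[.]com' -> 'm.cremessage.com', lower-cased, no trailing dot."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


def domain_matches(qname: str, ioc: str) -> bool:
    # Exact match or any subdomain of the indicator.
    qname = qname.lower().rstrip(".")
    return qname == ioc or qname.endswith("." + ioc)


def dns_hits(log_lines, ioc_domains=IOC_DOMAINS):
    """Return [(qname, source_ip)] for queries that hit an indicator domain.
    The source is whoever asked the resolver; a hit coming from the
    router's own address is the case to chase."""
    iocs = [refang(d) for d in ioc_domains]
    hits = []
    for line in log_lines:
        m = DNSMASQ_QUERY.search(line)
        if not m:
            continue
        if any(domain_matches(m["qname"], ioc) for ioc in iocs):
            hits.append((m["qname"], m["src"]))
    return hits


def listing_hits(ls_lines, ioc_names=IOC_FILE_NAMES):
    """Return names from `ls -la` output that match the indicator file names."""
    found = []
    for line in ls_lines:
        # perms links owner group size month day time name
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        name = parts[8].split(" -> ")[0]   # drop a symlink's target
        if name in ioc_names:
            found.append(name)
    return found


# Constructed sample input: a LAN resolver log and `ls -la /var` from the router.
SAMPLE_DNS_LOG = """\
May 17 17:16:02 dnsmasq[1234]: query[A] www.example.org from 192.168.1.20
May 17 17:16:03 dnsmasq[1234]: query[A] m.cremessage.com from 192.168.1.1
May 17 17:16:09 dnsmasq[1234]: query[AAAA] cdn.example.net from 192.168.1.31
"""
SAMPLE_LS_VAR = """\
drwxr-xr-x    5 root     root           0 May 17 17:10 .
drwxr-xr-x   16 root     root           0 May 17 17:10 ..
-rw-r--r--    1 root     root         512 May 17 17:10 .remote_shell.log
drwxr-xr-x    2 root     root           0 May 17 17:10 log
-rwxr-xr-x    1 root     root      184320 May 17 17:10 udhcp
-rw-r--r--    1 root     root         256 May 17 17:10 udhcp.cnf
drwxr-xr-x    2 root     root           0 May 17 17:10 run
"""


def sweep(dns_log=SAMPLE_DNS_LOG, listing=SAMPLE_LS_VAR):
    """Run both checks and return a dict of hits; empty lists mean clean."""
    return {
        "dns": dns_hits(dns_log.splitlines()),
        "files": listing_hits(listing.splitlines()),
    }


if __name__ == "__main__":
    print(sweep())
```

In practice you would feed `dns_hits` your resolver's real log (or a passive-DNS export) and `listing_hits` the output of `ls -la` run over whatever shell access the router gives you; the modified "Upgrade Firmware" page the comment mentions has to be checked by eye.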

      • Updating an existing DD-WRT image on a TP-Link router requires a different type of image than the initial TP-Link style image...

  • by Seven Spirals ( 4924941 ) on Wednesday May 17, 2023 @05:32PM (#63530505)
    I have a server out there the Chinese have been attacking for years. It's an SGI IRIX box. It's a hardened box that only listens on TCP port 22 using OpenSSH 7.9. I have a lot of older systems like that online due to my job. I love how much it irritates people. Lots of folks lose their minds when they find out I've got anything that hasn't had "updates" on it recently. "Having fun getting pwned." They are convinced that once something is "old" then it immediately has "vulnerabilities". They don't realize someone actually has to find some and create an exploit. I guess they also don't realize one can recompile newer OpenSSH and other tools with SSP flags etc... So, the Chinese think that my IRIX 6.5.30 machine must have pure government gold on it. They must believe it probably contains plans for a next-generation fighter jet or something. They absolutely pound on it and I have a Snort sensor shimmed between it and the net so I can PCAP everything they do. It's been fun over the years updating the banner to say things like "Remember the Tiananmen Square massacre" or I go out and find banned words or phrases in Chinese their censors look for and stick it in my external ssh-banner (the latest one says "Insulting China" in Kanji script I'm told). The system only accepts PKI, lol. Good luck you Chinese geniuses you!
    • You know, speaking as a systems engineer with 30 years experience and some software and protocol credits to my name:

      That's pretty dumb giving out that much info on a server. Revise: it's willfully stupid.

      I'm going to wager that your server is the only (or maybe one of ten) servers on the internet that regurgitate banned Chinese phrases in Kanji.

      So unless your server is a honeypot... you're an idiot.

      • by gweihir ( 88907 )

        Yep, pretty much. Big ego does not for good skills make. An actually competent person would make that box give out as little as possible and probably also restrict IPs it even responds to at all.

        • Big ego does not for good skills make

          Oh? Like NBA players, code gods like Carmack, MMA fighters, or pop-stars right? Oh wait... I guess you are full of shit. Big skills and big egos often end up in the same person. Of course, saying that you're full of shit because you cannot root-exploit a box with nothing but an IP stack and OpenSSH 7.9 isn't egotistical. It's just a simple fact. I mean if we are talking about you personally, I doubt you could perform a Konami-code on a console, much less put together an effective exploit for OpenSSH zero-da

          • by gweihir ( 88907 )

            You think there cannot be exploits in a network stack or in OpenSSH? Well, talk about extreme cluelessness. Well done!

            But you just nicely illustrated how utterly incompetent big-ego assholes routinely are. Thanks!

            • You think there cannot be exploits in a network stack or in OpenSSH?

              Yeah, I'm just absolutely quaking over here. After 15 years of watching people a lot smarter than you fail, I'd say that's built up some confidence.

              • by gweihir ( 88907 )

                Well, you are lucky nobody cares enough about you to actually invest the effort. Incidentally, I am not on the attacker side, no idea why you think I would be. Probably just more demonstration of a complete lack of insight.

  • Another field where China is apparently beginning to leave large parts of the world behind.

  • Kind of unrelated, but I thought this was interesting. I have a headless server that I set up a cron job on to wget a non-existent file on an AWS instance I have every hour. The idea being I can check the apache access logs and determine the server's IP in the case DHCP changes its IP address. This also logs the agent (wget) as well as the operating system. No one should know this is occurring as no one has access to AWS or the headless server. I know the user agent and ip address ranges typically associated w
  • ... I'm building my own home router from a single board computer at this very moment. I just got the new Star64 SBC booting Linux. The Star64 has two on-board gigabit Ethernets, which is the main reason I chose it. FINALLY I can build an inexpensive home router without using an IBM PC board.

    I can already see replies of "yeah, but it's running a Chinese designed and manufactured CPU!". True. But I'd be astounded if I found a CPU chip able to open back doors in my operating system on its own. There's
