Camaro Dragon exploits TP-Link routers
Check Point Research published a report on the activities of Camaro Dragon, a Chinese state-sponsored advanced persistent threat (APT) group that was using a customized implant to compromise a specific model of TP-Link routers.
While examining the group's tooling, the researchers found a collection of files used in Camaro Dragon's attacks. Two of them were TP-Link firmware images for the WR940 router, a model first introduced in 2014. The implanted images were used in a targeted campaign against European foreign affairs organisations.
By comparing the modified images with authentic TP-Link WR940 firmware, Check Point identified the changes made to the file system: four files were added, and two existing files were altered so that the malicious implant runs on every boot.
The first modified file is SoftwareUpgradeRpm.htm, a legitimate page of the firmware's web management interface. The altered version hides the firmware upgrade form, so an administrator cannot replace the trojanised firmware with a clean image through the web interface.
The second modified file is /etc/rc.d/rcS, the init script that runs during system start-up. The attackers appended the execution of three of the added files to this script, so the implant is started again after every reboot.
One of the files started from the boot sequence is /usr/bin/shell, a password-protected bind shell listening on TCP port 14444. Connecting to the port and supplying the correct password yields a shell on the router. A quick inspection of the binary revealed the password, J2)3#4G@Iie, stored in clear text, which means anyone who obtains a copy of the binary can use the same backdoor.
A second file started at boot, /usr/bin/timer, is a watchdog that provides a further layer of persistence: its sole job is to keep /usr/bin/udhcp running. That file is the main implant, which Check Point Research named Horse Shell. It runs as a background daemon and gives the attackers three capabilities: a remote shell, file transfer, and tunnelling.
The fourth added file, /usr/bin/sheel, reads and writes the implant's C2 (command-and-control) configuration. Rather than keeping the configuration in the file system, it stores it in a separate partition by accessing the block device directly, so the configuration does not appear in a file listing and is less likely to be noticed by an administrator.
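The comparison described above, clean firmware against suspect firmware, is a check any practitioner can repeat on extracted root file systems. The script below is an added example, not code from Check Point or TechRepublic: it hashes every file in two directory trees, reports added, removed and modified paths, and for the rcS init script lists the lines that exist only in the suspect copy. The two trees are constructed inside a temporary directory with placeholder contents; the file names follow the page, but the location of SoftwareUpgradeRpm.htm under `web/` and the exact rcS lines are assumptions for the demo.

```python
"""Added example: diff an extracted firmware root against a clean one.
The sample trees are constructed here; contents are placeholders, not the
real WR940 firmware or the Horse Shell implant."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                out[p.relative_to(root).as_posix()] = sha256_of(p)
    return out


def diff_trees(clean: Path, suspect: Path) -> dict:
    """Paths present only in suspect, only in clean, or in both with different content."""
    a, b = tree_hashes(clean), tree_hashes(suspect)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


def added_lines(clean_file: Path, suspect_file: Path) -> list:
    """Lines of a text file that appear in the suspect copy but not in the clean one.
    Used on the init script to surface extra start-up entries."""
    base = set(clean_file.read_text().splitlines())
    return [line for line in suspect_file.read_text().splitlines() if line not in base]


def build_demo(base: Path) -> tuple:
    """Constructed sample trees: a clean root and a trojanised copy carrying the
    four added files and two modified files the page lists (assumed layout)."""
    clean, bad = base / "clean", base / "suspect"
    rcs = "#!/bin/sh\n/usr/bin/httpd &\n"
    for root in (clean, bad):
        (root / "etc/rc.d").mkdir(parents=True)
        (root / "usr/bin").mkdir(parents=True)
        (root / "web").mkdir(parents=True)
        (root / "usr/bin/httpd").write_bytes(b"\x7fELF httpd")
        (root / "web/SoftwareUpgradeRpm.htm").write_text("<form>upgrade</form>")
    (clean / "etc/rc.d/rcS").write_text(rcs)
    # Suspect tree: three extra start-up entries and the upgrade form removed.
    (bad / "etc/rc.d/rcS").write_text(
        rcs + "/usr/bin/shell &\n/usr/bin/timer &\n/usr/bin/udhcp &\n"
    )
    (bad / "web/SoftwareUpgradeRpm.htm").write_text("<!-- upgrade form removed -->")
    for name in ("shell", "timer", "udhcp", "sheel"):
        (bad / "usr/bin" / name).write_bytes(b"\x7fELF " + name.encode())
    return clean, bad


def run_demo() -> dict:
    """Build the sample trees, diff them, and return the findings as a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = build_demo(Path(tmp))
        report = diff_trees(clean, bad)
        report["rcS_added_lines"] = added_lines(
            clean / "etc/rc.d/rcS", bad / "etc/rc.d/rcS"
        )
        return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real image, point `diff_trees` at two root file systems unpacked from the vendor firmware and from the device under investigation; a modified init script or web page and any unexpected binaries under `/usr/bin` are the findings to chase first. Hashing alone does not tell you what a binary does, only that it differs, so each hit still needs manual analysis.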
Once running, the udhcp implant collects and sends a set of data points to its C2 server: user and system names, operating system version and time, CPU architecture and core count, total RAM, IP and MAC addresses, the implant features supported on this build (remote shell, file transfer and tunnelling), and the number of active connections.
Check Point Research notes that reporting the CPU architecture and the supported feature set only makes sense if the C2 side expects variation, which suggests the attackers maintain other builds of the malware for different devices and with different capabilities.
The sources for this piece include an article in TechRepublic.