This malware turns your router into a proxy for Chinese hackers

2023-05-17 16:10:10

New malware delivered as malicious firmware hides the attackers' endpoints, following in the footsteps of VPNFilter.

On Tuesday, researchers unveiled a major discovery: malware, delivered as malicious firmware, capable of infecting various residential and small business routers. This clandestine network discreetly relays traffic to servers controlled by Chinese state-backed hackers. The implant, discovered by Check Point Research, provides a complete backdoor: it supports communications, file transfers and remote commands, and can be flexibly modified to fit other router models.

Sophisticated Attack Techniques

The malware aims to hide the origins and destinations of communication by relaying traffic between an infected target and the attackers' command and control servers. The control infrastructure is operated by attackers associated with Mustang Panda, a persistent threat actor working for the Chinese government.

While investigating targeted attacks against European foreign affairs entities, researchers discovered this implant. The main backdoor, named Horse Shell, allows remote command execution and file transfer. It also relays data between two devices using the SOCKS5 protocol.

The true purpose of the implant is its SOCKS5 functionality. By establishing encrypted connections between neighbouring infected devices, it makes it difficult to trace the origin or the final destination of the infection. Attackers can thus hide the true command and control server, with each node in the chain aware only of the nodes immediately before and after it.

By layering multiple nodes, the hackers mask the origin and destination of traffic, which makes it hard for defenders to detect and track the activity. A chain of infected nodes also makes it difficult to disrupt communication between the attacker and the C2, since traffic can be rerouted through other nodes if one node is compromised or disabled.

This sophisticated approach makes attacks harder to detect and respond to, giving attackers greater stealth and an increased ability to maintain persistent control over compromised networks.
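The relaying described above rests on ordinary SOCKS5 negotiation (RFC 1928): each node receives a client greeting and a CONNECT request naming the next hop, and in turn issues the same greeting to that next hop. The parser and flow check below are an added example written for this article; they are not Check Point's code or part of Horse Shell. It assumes a monitored router at 192.168.1.1 with 192.168.1.0/24 as the LAN side, and the sample flows are constructed using TEST-NET addresses. The point for a defender is that a router speaking SOCKS5 with a WAN-side peer in either direction is worth investigating, because a relay node acts as SOCKS5 server toward the previous node and SOCKS5 client toward the next.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Assumption (constructed for this example): the monitored router sits at
# 192.168.1.1 and everything outside 192.168.1.0/24 is the WAN side.
ROUTER_IPS = {"192.168.1.1"}
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class SocksRequest:
    command: str
    dest_host: str
    dest_port: int


def parse_greeting(data: bytes) -> Optional[List[int]]:
    """Client greeting: VER | NMETHODS | METHODS (RFC 1928 section 3).
    Returns the offered authentication methods, or None if the bytes are
    not a well-formed SOCKS5 greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_request(data: bytes) -> Optional[SocksRequest]:
    """Client request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT
    (RFC 1928 section 4). The destination is where a relay node forwards
    traffic next, i.e. the only hop this node knows about downstream."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp, pos = data[1], data[3], 4
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        if len(data) < pos + 4:
            return None
        host = str(ipaddress.IPv4Address(data[pos:pos + 4]))
        pos += 4
    elif atyp == ATYP_DOMAIN:
        # Length-prefixed hostname resolved by the proxy, so the client's
        # own DNS traffic never reveals the final destination.
        if len(data) < pos + 1:
            return None
        n = data[pos]
        pos += 1
        if len(data) < pos + n:
            return None
        host = data[pos:pos + n].decode("ascii", errors="replace")
        pos += n
    elif atyp == ATYP_IPV6:
        if len(data) < pos + 16:
            return None
        host = str(ipaddress.IPv6Address(data[pos:pos + 16]))
        pos += 16
    else:
        return None
    if len(data) < pos + 2:
        return None
    port = struct.unpack("!H", data[pos:pos + 2])[0]
    return SocksRequest(CMD_NAMES[cmd], host, port)


# (src_ip, dst_ip, dst_port, first client payload bytes)
Flow = Tuple[str, str, int, bytes]


def flag_flows(flows: List[Flow]) -> List[str]:
    """Alert on any flow in which the router exchanges a SOCKS5 greeting
    with a peer outside the LAN, whichever side sent the greeting."""
    alerts = []
    for src, dst, dport, payload in flows:
        methods = parse_greeting(payload)
        if methods is None:
            continue
        if src in ROUTER_IPS:
            peer = dst
        elif dst in ROUTER_IPS:
            peer = src
        else:
            continue
        if ipaddress.ip_address(peer) in LAN_NET:
            continue
        alerts.append(f"{src} -> {dst}:{dport} SOCKS5 greeting, auth methods={methods}")
    return alerts


# Constructed sample flows (TEST-NET addresses, not real infrastructure).
SAMPLE_FLOWS: List[Flow] = [
    ("198.51.100.23", "192.168.1.1", 8080, b"\x05\x01\x00"),        # upstream node -> router
    ("192.168.1.1", "203.0.113.9", 1080, b"\x05\x02\x00\x02"),      # router -> next node
    ("192.168.1.50", "192.168.1.1", 443, b"\x16\x03\x01\x00\x2a"),  # TLS from a LAN host
    ("192.168.1.50", "192.168.1.1", 1080, b"\x05\x01\x00"),         # LAN host, local proxy use
    ("192.168.1.1", "203.0.113.9", 53, b"\x05\x00"),                # NMETHODS=0: not a greeting
]

if __name__ == "__main__":
    for line in flag_flows(SAMPLE_FLOWS):
        print(line)
```

Run against the constructed flows, only the two router-to-WAN greetings are reported; the LAN host using a local proxy and the TLS session are left alone. In practice the payload bytes would come from a capture or a NetFlow exporter that keeps the first packet, and the LAN prefix and router addresses would be taken from the site's inventory rather than hard-coded.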

Malicious actors use malware to hide control servers

Malicious actors often use routers and IoT devices to hide their control servers and proxy traffic. For example, the VPNFilter attack affected over 500,000 network devices, while the ZuoRat malware targeted various routers. During their research, Check Point experts discovered a malicious implant called Horse Shell, which allows remote execution of commands, file transfer and data exchange via the SOCKS5 protocol. The infection method remains unknown, but the attackers are likely exploiting vulnerabilities and weak passwords. TP-Link router users are therefore advised to check their firmware for any sign of infection.

Collaboration between security researchers and manufacturers is essential to address these threats; it strengthens network security and helps meet current challenges. By staying vigilant and keeping their devices up to date, users can better protect themselves against attacks, which is especially important for attacks targeting routers and Internet of Things devices. Efforts to improve the detection, prevention and response to attacks must also continue, in order to maintain the integrity and security of our ever-changing digital infrastructures. By working together, we can build resilience against these growing challenges and protect our networks from malicious activity.
