Chinese APT taps trojanised routers for mystery purposes
Horse Shell has a "penchant for complex structures" (and simple errors)
Security researchers at Check Point say that they encountered a unique new malicious router firmware implant dubbed “Horse Shell” that they believe is being deployed by a Chinese threat group for unknown purposes.
The Horse Shell implant is tailored to abuse TP-Link home router firmware, is written in C++, and is compiled for MIPS32-based operating systems (mainly used in networking equipment like modems, routers, switches etc.).
It provides three main functions:
- Remote shell — Execution of arbitrary shell commands on the infected router.
- File transfer — Upload and download files to and from the infected router.
- SOCKS tunneling — Relay communication between different clients.
Somewhat unusually, every communication by the implant is encrypted using a custom or modified encryption scheme that is based on a substitution-permutation network; if they are building a botnet, it is a faintly odd one.
Check Point’s researchers admit openly that they have not got the foggiest clue what the initial threat vector was to land the implant on the routers nor indeed what the group behind it is intending – they stumbled across it whilst “analyzing sophisticated attacks targeting officials in multiple European countries” and it may be entirely unrelated to that campaign, although Horse Shell was found on the same group's attacking infrastructure.
The first thing they found was a simple password-protected shell binary that will bind to all IPv4 network interfaces on port 14444, and they note wryly that "the password can be revealed with the highly advanced, exceedingly unique tool called strings. Should you require the password, simply run the following command:"

```
$ strings shell
[..]
password:
J2)3#4G@Iie
success!
/bin/sh
[..]
```
👆 Well, that's handy...
Check Point says “the goal of the attackers appears to be the creation of a chain of nodes between main infections and real command and control, and if so, they would likely be installing the implant on arbitrary devices with no particular interest” – with the malware having “smartly integrated multiple open-source libraries in its code. Its remote shell is based on Telnet, events are handled by libev, it has libbase32 in it, ikcp too, and its list containers are based on TOR’s smartlist implementation” to power its capabilities.
The attackers modified two existing files and added four new ones to the router firmware (the actual design of the malware is firmware-agnostic and could be integrated into firmware from different vendors). The implant calls its C2 network regularly with a host of information on each endpoint, including, according to Check Point, the:
- System name
- OS version
- OS time
- CPU architecture
- Number of CPUs
- Total RAM
- IP address
- MAC address
- Features supported by the implant (remote shell, tunneling, file transfer)
- Number of active connections
“Horse Shell’s functionality isn’t groundbreaking, but certainly not run-of-the-mill either,” Check Point said.
“However, its reliance on libev to create a complex event-driven program, and its penchant for complex structures and list containers, make our job of analyzing it all the more challenging. But, let’s not mince words – the code quality is impressive, and the implant’s ability to handle multiple tasks across a range of modules and structures demonstrates the kind of advanced skills that make us stand up and take notice…”
The activity Check Point said it analysed has “significant overlaps with activities publicly disclosed by Avast and Eset, linking it to the Chinese-affiliated APT group ‘Mustang Panda’”. For all the developers’ sophistication, the researchers also found something arguably clumsy for a state-backed threat actor: an IP address (91.245.253[.]72) to which Horse Shell’s C&C resolves is listed in Avast’s report on its analysis of the Mustang Panda campaign.
Peculiar.
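A defender-side check built from the two network indicators the article gives, the password-protected shell's listener on port 14444 across all IPv4 interfaces and the address 91.245.253[.]72: this is an added example, not code from Check Point or the article, that parses a Linux `/proc/net/tcp` table. The sample table is constructed, and the function names and the `little_endian` flag are assumptions of this example.

```python
import ipaddress

BIND_SHELL_PORT = 14444        # listener port named in the article
C2_ADDRESS = "91.245.253.72"   # address named in the article (defanged there)
TCP_LISTEN = "0A"              # state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp as a little-endian Linux host prints it.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:386C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 0100A8C0:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1187
   2: 0100A8C0:C350 48FDF55B:01BB 01 00000000:00000000 00:00000000 00000000     0        0 1340
"""

def decode_endpoint(field, little_endian=True):
    """Turn '0100A8C0:0050' into ('192.168.0.1', 80).

    The kernel prints the address as a host-order 32-bit hex word, so the
    bytes appear reversed on little-endian hosts and in network order on
    big-endian ones (many MIPS routers). The port is always plain hex.
    """
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    if little_endian:
        raw = raw[::-1]
    return str(ipaddress.IPv4Address(raw)), int(port_hex, 16)

def triage(proc_net_tcp, little_endian=True):
    """Return (kind, endpoint) findings for the article's two indicators."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        local_ip, local_port = decode_endpoint(cols[1], little_endian)
        remote_ip, remote_port = decode_endpoint(cols[2], little_endian)
        # Listener bound to every IPv4 interface on the shell's port.
        if cols[3] == TCP_LISTEN and local_ip == "0.0.0.0" and local_port == BIND_SHELL_PORT:
            findings.append(("listener", f"{local_ip}:{local_port}"))
        # Any socket whose peer is the address from the report.
        if remote_ip == C2_ADDRESS:
            findings.append(("c2-peer", f"{remote_ip}:{remote_port}"))
    return findings

if __name__ == "__main__":
    for kind, endpoint in triage(SAMPLE):
        print(kind, endpoint)
```

On a device, pass the contents of `/proc/net/tcp` instead of `SAMPLE`, with `little_endian=False` if the capture came from a big-endian MIPS build.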
See the full breakdown here.