Chinese state-sponsored attack uses custom router implant to target European governments (Security News, May 2023)

The threat actor uses a custom implant to compromise a specific TP-Link router model, steal information from it, and provide backdoor access to the attackers.
"Horse Shell" implant found in TP-Link router firmware.
During their analysis of Camaro Dragon, the researchers discovered a large number of files used in their attacks, with two of them being TP-Link firmware images for the WR940 router model released around 2014.
The attackers configured three of the files they added to the firmware's file system to be executed each time the operating system restarts, ensuring the persistence of the implant on the compromised router.
In 2018, with the Slingshot APT, attackers exploited a vulnerability in Mikrotik routers to plant malware on them with the goal of infecting the router administrator and moving forward with their attack.
Last month, Russian threat actor APT28 exploited a Cisco router vulnerability to target U.S. government institutions and other organizations in Europe and Ukraine.
News URL
https://www.techrepublic.com/article/attack-custom-router-impant-target-european-governments/