Chinese state-sponsored attack uses custom router implant to target European governments
2023-05-22 22:22

The threat actor uses a custom implant to compromise a specific TP-Link router model and steal information from it, as well as provide backdoor access to the attackers.

"Horse Shell" implant found in TP-Link router firmware.

During their analysis of Camaro Dragon, the researchers discovered a large number of files used in their attacks, with two of them being TP-Link firmware images for the WR940 router model released around 2014.

The attackers set three of the files they had added to the firmware's file system to be executed each time the operating system restarts, ensuring the persistence of the implant on the compromised router.

In 2018, in the Slingshot APT campaign, attackers exploited a vulnerability in Mikrotik routers to plant malware on them with the goal of infecting the router administrator and moving forward with their attack.

Last month, Russian threat actor APT28 exploited a Cisco router vulnerability to target U.S. government institutions and other organizations in Europe and Ukraine.


News URL

https://www.techrepublic.com/article/attack-custom-router-impant-target-european-governments/