September 26, 2023

Researchers have spotted the Chinese state-sponsored APT group Mustang Panda, which has been associated with a series of targeted attacks exploiting TP-Link routers.

The campaign has been active since January and is aimed at European foreign affairs entities by using malicious firmware images that are designed explicitly for TP-Link routers. 

The implants contain a custom backdoor dubbed Horse Shell, which enables attackers to maintain persistent access, develop anonymous infrastructure, and lateral movement in compromised networks. 

Advertisements

The unique aspect of the backdoor implant is that it can be integrated into various firmware by different vendors, thus, increasing the scope of attacks.

The Horse Shell backdoor is written in C++ and compiled for MIPS32-based operating systems. The system information collected by Horse Shell includes user name, system name, OS version, OS time, CPU architecture, IP address, MAC address, and number of active connections.

The backdoor provides various functionalities, including remote Shell, Tunneling, and File transfer.

While the deployment of malicious firmware images is still unclear, it is estimated that the attackers gained access to routers by either scanning known vulnerabilities or using default and guessable passwords.

Advertisements

The discovery of Mustang Panda’s malicious implant on TP-Link routers highlights the need for enhanced endpoint security.

  • It is advised to change the default login credentials of devices connected to the internet to stronger passwords
  • Use multi-factor authentication whenever possible.
  • Make sure to regularly update routers and other device firmware to prevent attackers from exploiting vulnerabilities.

This research was documented by researchers from Checkpoint

Indicators of Compromise

  • 998788472cb1502c03675a15a9f09b12f3877a5aeb687f891458a414b8e0d66c
  • 7985f992dcc6fcce76ee2892700c8538af075bd991625156bf2482dbfebd5a5a
  • ed3d667a4fa92d78a0a54f696f4e8ff254def8d6f3208e6fe426dbe7fb3f3dd0
  • 66cc81a7d865941cb32ed7b1b84b20270d7d667b523cab28b856cd4e85f135b6
  • 8a2e9f6c2b0c898090fdce021b3813313e73a256a5de39c100bf9868abc09dbb
  • da046a1fe6f3b94e48c24ffd341f8d97bfc06252ddf4d332e8e2478262ad1964
Tags:

Leave a Reply

You may have missed

Sony attack – Ransomed.vc claims responsibility

September 26, 2023

Chrome Zeroday – CVE-2023-4863 PoC Exploit Released

September 25, 2023

BlackCat adds Clarion to its Victim list

September 24, 2023

TheCyberThrone Security Week In Review – September 23, 2023

September 24, 2023

MGM Resorts and Ceasars Attacks – Lesson Learnt

September 23, 2023

CISA KEV Update September 2023 – Part II

September 23, 2023
%d bloggers like this: