Researchers from Check Point Research have discovered a new piece of malware that can turn home routers into proxies for Chinese state-sponsored hackers. The malware, known as “Horse Shell,” is a firmware implant that can be installed on TP-Link routers. Once installed, Horse Shell gives the attacker full control over the router, including the ability to intercept and modify traffic, steal data, and launch denial-of-service attacks.
Horse Shell effectively turns infected routers into a relay traffic command-and-control node to funnel traffic back to Chinese state-sponsored hackers.
Check Point Research believes that Horse Shell is the work of the Mustang Panda APT group, which is a Chinese state-sponsored hacking group. Mustang Panda has been linked to a number of high-profile cyberattacks in recent years, including attacks on the US Department of State and the European Union.
The discovery of Horse Shell is a reminder that even home routers are not immune to cyberattacks. Users should take steps to secure their routers, such as using strong passwords and keeping the firmware up to date.
How does TP-Link Horse Shell malware work?
- Horse Shell is a firmware implant, which means that it is installed on the router’s internal memory. This makes it more difficult to detect and remove than traditional malware that is installed on the router’s operating system.
- Horse Shell gives the attacker full control over the router. This includes the ability to intercept and modify traffic, steal data, and launch denial-of-service attacks.
- Check Point Research believes that Horse Shell is the work of the Mustang Panda APT group. Mustang Panda is a Chinese state-sponsored hacking group that has been linked to a number of high-profile cyberattacks in recent years.
How to check if your TP-Link router is infected with Horse Shell
In an update provided to ArsTechnica, Check Point recommended owners of TP-Link routers perform the following actions if they are concerned about possible infection:
- Check connections to the domain m.cremessage[.]com
- Check the admin panel UI for the modified “Upgrade Firmware”
- Check for the presence of the files /vat/udhcp.cnf, /var/udhcp, and .remote_shell.log
- Check the outgoing packets from the router to see if they match the yara signatures in the post
- Be sure to follow proactive mitigations like patching the version of the router, and using strong passwords
TP-Link representatives apparently have not responded at all to any of ArsTechnica’s requests for comment or guidance.
