Malware Turns Home Routers Into Proxies for Chinese-Backed Hackers
On Tuesday, Check Point researchers unveiled a significant discovery: malicious firmware can connect a wide network of residential and small office routers into a mesh that stealthily relays traffic to control servers maintained by Chinese-backed hackers.
Discoveries
The firmware implant contains a fully featured backdoor that allows threat actors to establish communications and file transfers with infected devices, remotely issue commands, and upload, download, and delete files.
However, the main objective of the malware appears to be relaying traffic between an infected target and the attackers' command and control servers in a way that conceals the source and destination of the communication.
With further analysis, Check Point Research ultimately determined that the control infrastructure was used by hackers linked to Mustang Panda, an advanced threat actor that both Avast and ESET have confirmed works on behalf of the Chinese government.
Researchers Uncover Hackers' Tracks
The researchers found the implant while scrutinizing a series of targeted attacks against European foreign liaison entities. The main feature is a backdoor with the internal name Horse Shell.
Furthermore, the implant can relay communication between two nodes. By doing so, the threat actor can create a chain of nodes that delivers traffic to the command and control server.
Moreover, each node in the chain is an infected device that holds data only on the previous and next nodes, so only a handful of nodes know the identity of the final command and control server.
Additionally, by passing communication through multiple layers of nodes, threat actors can conceal the source and destination of the traffic. This makes it much harder for defenders to trace the traffic back to the C2, and to detect and respond to the attack.
A chain of infected nodes also makes it harder for defenders to cut the attacker off from the C2. If one node in the chain is taken down, the attacker can still sustain communication with the C2 by routing traffic through a different node in the chain.
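The relay behaviour described above leaves a footprint on the infected router itself: traffic arrives from one external peer and leaves, at nearly the same size and time, toward a different external peer, which is not how a home router normally behaves (legitimate replies go back to the peer that was contacted). The following added example, which is not code from Check Point or from the article, runs that heuristic over a constructed set of flow records for a hypothetical router WAN address. The addresses, byte counts, timestamps, window and tolerance values are all assumptions chosen for illustration; it also shows that a defender who captures one node's traffic learns only the neighbouring nodes, not the final C2, as the article states.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One summarised connection as a flow collector on the router would record it."""
    ts: float      # seconds since start of capture
    src: str       # source IP
    dst: str       # destination IP
    nbytes: int    # bytes carried

# Hypothetical WAN address of the monitored router (constructed, documentation range).
ROUTER_WAN = "203.0.113.10"

def is_local(ip: str) -> bool:
    """True for the router's own LAN side (constructed RFC 1918 prefix)."""
    return ip.startswith("192.168.")

def find_relay_pairs(flows, window=2.0, tolerance=0.1):
    """Pair each inbound WAN flow (external -> router) with an outbound WAN flow
    (router -> a *different* external peer) that starts within `window` seconds
    and carries a byte count within `tolerance` (fraction) of the inbound one.
    Each such pair is a candidate hop of a relay chain passing through this router.
    Returns a list of (inbound, outbound) tuples in capture order."""
    inbound = [f for f in flows if f.dst == ROUTER_WAN and not is_local(f.src)]
    outbound = [f for f in flows if f.src == ROUTER_WAN and not is_local(f.dst)]
    pairs, used = [], set()
    for i in inbound:
        for o in outbound:
            if id(o) in used:
                continue
            if o.dst == i.src:
                continue        # a normal reply goes back to the same peer, not a relay
            if 0 <= o.ts - i.ts <= window and abs(o.nbytes - i.nbytes) <= tolerance * i.nbytes:
                pairs.append((i, o))
                used.add(id(o))
                break
    return pairs

def observed_neighbours(pairs):
    """What a defender holding only this node's traffic can see: the set of
    (upstream, downstream) peers it relays between. The final C2 is not among
    them unless this node happens to be the last hop."""
    return {(i.src, o.dst) for i, o in pairs}

def relay_ratio(flows, **kw):
    """Fraction of inbound WAN flows explained as relayed hops; a quick score for triage."""
    inbound = [f for f in flows if f.dst == ROUTER_WAN and not is_local(f.src)]
    if not inbound:
        return 0.0
    return len(find_relay_pairs(flows, **kw)) / len(inbound)

# Constructed sample capture: one legitimate NATed web fetch, two relayed bursts
# (one in each direction between two hypothetical chain neighbours), and one
# unsolicited probe with no matching outbound flow.
SAMPLE_FLOWS = [
    Flow(1.0,  ROUTER_WAN,      "93.184.216.34", 1200),   # LAN client request, NATed out
    Flow(1.2,  "93.184.216.34", ROUTER_WAN,      45210),  # reply from the same peer: benign
    Flow(10.0, "198.51.100.7",  ROUTER_WAN,      4096),   # burst from upstream node
    Flow(10.3, ROUTER_WAN,      "198.51.100.42", 4120),   # near-identical burst forwarded downstream
    Flow(11.0, "198.51.100.42", ROUTER_WAN,      2048),   # return path from downstream node
    Flow(11.2, ROUTER_WAN,      "198.51.100.7",  2048),   # forwarded back upstream
    Flow(20.0, "203.0.113.99",  ROUTER_WAN,      64),     # stray probe, nothing forwarded
]

if __name__ == "__main__":
    for i, o in find_relay_pairs(SAMPLE_FLOWS):
        print(f"relay hop: {i.src} -> {ROUTER_WAN} -> {o.dst} ({i.nbytes}/{o.nbytes} bytes)")
    print("neighbours visible from this node:", observed_neighbours(SAMPLE_FLOWS and find_relay_pairs(SAMPLE_FLOWS)))
    print("relay ratio:", relay_ratio(SAMPLE_FLOWS))
```

On the sample capture the legitimate fetch and the probe are left alone, while both relayed bursts are flagged; the neighbour set contains only the two adjacent chain nodes, which is exactly why, as the article notes, taking one node apart does not by itself reveal the C2. In practice the window and tolerance need tuning against the router's real traffic, and the check belongs at the ISP or home-gateway flow collector rather than on the device, since firmware that has been replaced cannot be trusted to report on itself.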