Since January 2023, the China-linked cyberespionage group Mustang Panda has been carrying out targeted attacks against European foreign affairs entities using a custom firmware implant, according to Check Point Research.
Mustang Panda, also known as Camaro Dragon or “Bronze President,” has been active since at least 2012 and has previously targeted American and European government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican.
In their recent attacks, the threat actors utilized a custom firmware implant called Horse Shell, which includes a backdoor enabling persistence, anonymous infrastructure building, and lateral movement within compromised networks.
The Horse Shell backdoor, inserted into modified firmware by the attackers, is designed to be firmware-agnostic, allowing it to target various firmware from different vendors. The backdoor provides functionalities such as remote shell execution, file transfer capabilities, and SOCKS tunneling for relaying communication between different clients.
While the deployment method of the firmware images on the compromised routers remains unknown, it is believed that the attackers exploit known vulnerabilities or use weak passwords to gain access to the devices.
The ultimate goal of the threat actors is to create a chain of nodes between main infections and a real command-and-control (C2) server, utilizing arbitrary devices with no specific interest, including residential and home networks. The Horse Shell component communicates with its peers and server using a specified port, typically 80, and employs HTTP communication with custom headers.
The communication is encrypted using a modified encryption scheme based on the Substitution-Permutation Network. The network is designed to be resilient, ensuring that compromising a single node in the chain does not bring down the entire network.
The discovery of the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk. Users are advised to remain vigilant, update their firmware to the latest version, and implement strong passwords to protect against these targeted attacks.
