Camaro Dragon APT Targets Foreign Affairs Organizations with Horse Shell Implants

Description

What is Camaro Dragon? Camaro Dragon is an alleged Chinese threat actor that has a keen interest in the foreign affairs of organizations within Europe. Their activities show similarities with the Chinese "Mustang Panda" APT group.
What is the Attack? Camaro Dragon targeted European foreign affairs organizations using the Horse Shell backdoor malware hidden in modified firmware for TP-Link routers. While the initial infection vector has not been identified, the threat actor likely exploited vulnerabilities in TP-Link routers or leveraged weak passwords.
The Horse Shell backdoor is capable of performing a variety of tasks: it collects system information and sends it to Command-and-Control (C2) servers, and it can upload, download, create and delete files and enumerate directories.
Why is this Significant? This is significant because the alleged China-based "Camaro Dragon" APT group, which shares similarities with the infamous Mustang Panda group, targeted various European foreign affairs organizations through TP-Link routers that had unknowingly been loaded with the Horse Shell backdoor.
What is the Vendor Solution?
While the initial infection vector has not been identified, the APT group likely exploited vulnerabilities in TP-Link routers or abused weak credentials. All available patches should be applied, and router login passwords should be replaced with stronger passwords that are not easily guessed.
What FortiGuard Coverage is available? FortiGuard Labs has the following AV signatures available for the malicious Horse Shell components called out in the report:
  • Linux/HorseShell.A!tr

  • Network IOCs in the report are blocked by Web Filtering.