China-Linked Hackers Use Custom Linux Implant to Hijack Southeast Asian Edge Routers

A sophisticated cyber espionage campaign attributed to a China-linked threat actor has been identified targeting edge routers across Southeast Asia. The attackers deploy a custom-built Linux implant, granting them extensive control over network traffic and enabling deep surveillance capabilities.

Infiltration Tactics and Implant Deployment

The campaign’s severity is underscored by its strategic focus on compromising network infrastructure rather than individual endpoints. By installing a malicious file named `router.elf` directly onto border routers, the attackers turn these devices into covert surveillance nodes. This vantage point lets them monitor and manipulate all data traversing the network, posing a significant threat to organizational security.

Once the implant is operational, it establishes an encrypted communication channel with attacker-controlled servers, effectively evading detection by standard security tools. The implant’s design emphasizes stealth, ensuring prolonged undetected access to compromised networks.

Indicators of Chinese Involvement

Analysts have identified several indicators pointing to a China-based origin for this campaign. These include Mandarin language strings embedded within the implant’s code, a hardcoded language setting of `zh-CN` in its communication profile, and the use of a cracked hacking tool with a license ID consistently associated with China-linked operations.

Technical Mechanisms of the Implant

Upon installation, `router.elf` initiates a persistent connection to attacker servers over encrypted HTTPS traffic on port 443. To circumvent DNS monitoring tools, it routes its own domain lookups through Cloudflare’s DNS-over-HTTPS (DoH) service, so that both command-and-control traffic and name resolution look like ordinary HTTPS web traffic. This evasion technique enhances the implant’s stealth and longevity within the network.
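As an added defender-side example that is not part of the original article: a router forwards client traffic but should almost never open TLS sessions of its own, so router-originated HTTPS to a public DoH resolver (or to any destination outside a short allow-list) is a useful hunting signal for the behaviour described above. The router addresses, the allowed vendor endpoint and the flow records below are constructed placeholders; the Cloudflare resolver addresses 1.1.1.1 and 1.0.0.1 are its real public ones.

```python
import csv
import io

# Assumptions (constructed for this example): the organisation's own router
# addresses, and the one vendor endpoint routers are expected to reach over TLS.
ROUTER_ADDRS = {"192.0.2.1", "192.0.2.2"}
ALLOWED_TLS_DESTS = {"198.51.100.10"}          # placeholder firmware/update server
# Cloudflare's public DNS-over-HTTPS resolver addresses.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1"}

# Constructed flow export (NetFlow-style CSV), not real telemetry from the campaign.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,bytes
2024-01-01T00:00:01Z,192.0.2.1,1.1.1.1,tcp,443,2310
2024-01-01T00:00:02Z,192.0.2.1,203.0.113.50,tcp,443,91220
2024-01-01T00:00:03Z,192.0.2.1,198.51.100.10,tcp,443,4410
2024-01-01T00:00:04Z,10.0.5.23,1.1.1.1,tcp,443,1800
2024-01-01T00:00:05Z,192.0.2.2,10.0.0.53,udp,53,120
"""


def flag_router_tls(flow_csv: str) -> list[dict]:
    """Return alerts for TLS sessions that originate from a router itself.

    Two cases matter: TLS to a public DoH resolver (the router's lookups bypass
    the internal resolver and its logs), and TLS to any destination outside the
    small set the router legitimately needs (possible command-and-control).
    """
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src"] not in ROUTER_ADDRS:
            continue                     # a client host using DoH is a separate policy question
        if row["proto"] != "tcp" or row["dport"] != "443":
            continue
        if row["dst"] in DOH_RESOLVERS:
            reason = "router resolving names over DoH; DNS monitoring is blind to it"
        elif row["dst"] not in ALLOWED_TLS_DESTS:
            reason = "router-originated TLS to an unexpected destination"
        else:
            continue                     # expected vendor traffic
        alerts.append({"ts": row["ts"], "src": row["src"], "dst": row["dst"],
                       "bytes": int(row["bytes"]), "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in flag_router_tls(SAMPLE_FLOWS):
        print(f'{a["ts"]} {a["src"]} -> {a["dst"]}:443 ({a["bytes"]} B): {a["reason"]}')
```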

The malware also manipulates firewall rules on the router using the Linux tool `iptables`. Because every device behind the router is then forced to resolve names through attacker-controlled servers, the hackers can manipulate web traffic, intercept software updates, and single out specific destinations using a dynamic list referred to as `evil_fix`. Additionally, a secondary backdoor named `client_rc_start` is installed to ensure continued access even if the primary payload is removed.

Expansion to Windows Endpoints

The campaign extends beyond router compromise, targeting Windows computers within the same networks. The attackers deploy a Cobalt Strike Beacon, a well-known post-exploitation framework, through DLL sideloading. A malicious file named `version.dll` is placed in the same folder as the legitimate `CrashReport.exe`; because Windows searches an application’s own directory before the system directories, the legitimate process inadvertently loads the attacker’s payload, further expanding their control within the network.

Broader Context of Chinese Cyber Operations

This campaign is part of a broader pattern of Chinese state-sponsored cyber activities targeting network infrastructure. For instance, the FishMonger APT group, operating under the Chinese company I-SOON, has systematically targeted government institutions and NGOs across Southeast Asia and parts of Europe since at least 2021. Their attacks involve sophisticated phishing campaigns and custom malware designed to exfiltrate sensitive diplomatic and policy-related information. ([cybersecuritynews.com](https://cybersecuritynews.com/chinese-fishmonger-apt-operated-by-i%E2%80%91soon/?utm_source=openai))

Additionally, the PlushDaemon group has been weaponizing a tool called EdgeStepper to intercept legitimate software updates, redirecting them to malicious servers. This technique allows the injection of malware directly into what users believe are authentic update installations from trusted software vendors. Targets have included individuals and organizations in the United States, Taiwan, China, Hong Kong, New Zealand, and Cambodia. ([cybersecuritynews.com](https://cybersecuritynews.com/chinese-plushdaemon-hackers-use-edgestepper-tool/?utm_source=openai))

Implications and Recommendations

The targeting of edge routers signifies a strategic shift in cyber espionage tactics, focusing on network infrastructure to gain comprehensive access to organizational communications. This method allows attackers to monitor, manipulate, and exfiltrate data with minimal risk of detection.

Organizations are advised to implement the following measures to mitigate such threats:

1. Regular Firmware Updates: Ensure that all network devices, especially routers, are running the latest firmware versions to patch known vulnerabilities.

2. Network Segmentation: Divide networks into segments to limit the spread of malware and unauthorized access.

3. Enhanced Monitoring: Deploy advanced monitoring tools capable of detecting anomalous network traffic patterns indicative of compromise.

4. Access Controls: Implement strict access controls and authentication mechanisms to prevent unauthorized access to network devices.

5. Incident Response Planning: Develop and regularly update incident response plans to swiftly address potential breaches.

By adopting these proactive measures, organizations can strengthen their defenses against sophisticated cyber threats targeting network infrastructure.