LR pixel

What is Camaro Dragon?

Camaro Dragon is an alleged Chinese threat actor that has a keen interest in the foreign affairs of organizations within Europe. Their activities show similarities with the Chinese “Mustang Panda” APT group.

What is the Attack?

Camaro Dragon targeted European foreign affairs organizations using the Horse Shell backdoor malware hidden in modified firmware for TP-Link routers. While the initial infection vector has not been identified, the threat actor likely exploited vulnerabilities in TP-Link routers or leveraged weak passwords.
The Horse Shell backdoor is capable of performing variety of tasks such as collecting system information and sending it to Command-and-Control (C2) servers, as well as – upload, download, create and delete files, and enumerate directories.

Why is this Significant?

This is significant because the alleged China-based “Camaro Dragon” APT group that share similarities with the infamous Mustang Panda group, targeted various European foreign affairs organizations using TP-Link routers unknowingly installed with Horse Shell backdoor.

What is the Vendor Solution?

While initial infection vector has not been identified, the APT group likely exploited vulnerabilities in TP-Link routers or abused weak credentials. All available patches should be applied and login passwords to routers should be updated to stronger less vulnerable and easily guessed passwords.

What FortiGuard Coverage is available?

FortiGuard Labs has the following AV signatures available for the malicious Horse Shell components called out in the report:
Linux/HorseShell.A!tr

Network IOCs in the report are blocked by Webfiltering.