A hacking group with ties to China has been found targeting edge routers in Southeast Asia by deploying a custom Linux implant, granting them extensive control over network traffic.
Critical Campaign with Extensive Reach
This campaign, rated as critically severe, extends beyond the initially compromised devices. Attackers install a malicious file named router.elf on border routers, turning them into covert surveillance devices.
Once deployed, the implant establishes an encrypted connection back to attacker-controlled servers, making detection by standard security tools difficult. Because the implant runs on the router rather than on a host, the operation sidesteps endpoint defenses entirely.
Strategic Targeting of Network Infrastructure
Researchers at Qiita discovered the intrusion, highlighting that the campaign strategically targets network infrastructure instead of individual computers. By controlling the router, attackers can monitor and manipulate all connected devices, posing a greater threat than typical malware infections.
The operation is particularly concerning due to its dual focus. The same group also compromised Windows computers within the networks, employing DLL sideloading to deploy additional hacking tools.
Evidence of Chinese Involvement
According to a report shared with Cyber Security News, multiple clues suggest a China-based origin. These include Mandarin language strings within the implant code, a hardcoded language setting of zh-CN, and a cracked hacking tool linked to China.
Once router.elf is active, it maintains a persistent connection to attacker servers using encrypted HTTPS traffic. To avoid detection, it uses Cloudflare’s DNS over HTTPS service, masking domain lookups as regular web traffic.
Furthermore, the malware uses iptables, a built-in Linux firewall tool, to plant rules on the router that redirect DNS queries to attacker-controlled servers. By controlling DNS answers, the attackers can manipulate website visits, software updates, and other targeted destinations, chosen from a dynamic list called evil_fix.
Windows Systems Also Affected
The campaign’s impact extends to Windows computers, where the attackers deployed a Cobalt Strike Beacon through DLL sideloading. A malicious file named version.dll is placed alongside CrashReport.exe, so that when this legitimate process runs, it loads the attacker’s payload.
The Beacon connects to the same command-and-control domains as the router implant, using identical web traffic patterns and timing, indicating a single coordinated espionage effort.
Security teams are urged to audit edge routers for unauthorized firewall rules, especially those redirecting DNS traffic to unknown IPs. Blocking the domains and IPs listed in the report at the firewall is recommended, along with scanning devices for router.elf and client_rc_start on Linux and version.dll on Windows.
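The audit recommended above, and the iptables DNS-redirect technique described earlier, can be checked with a small parser over `iptables-save` output. The script below is an added example written for this article, not code from the report or from the implant; the rule dump it contains is constructed, the 203.0.113.7 address is a documentation-range placeholder rather than a real indicator, and the trusted-resolver allowlist is an assumption a defender would replace with their own resolvers.

```python
"""Flag iptables NAT rules that intercept DNS (port 53) and send it to
resolvers outside an allowlist. Added example; not from the report."""
import re
import sys
from typing import Dict, List, Set

# Constructed `iptables-save` output from a Linux router. 203.0.113.7 is a
# documentation-range placeholder standing in for an unknown resolver.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNAT --to-destination 203.0.113.7:53
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNAT --to-destination 203.0.113.7
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1:53
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Assumption: the router's own resolver is the only place DNS may be sent.
TRUSTED_RESOLVERS: Set[str] = {"192.168.1.1"}

# Only DNAT and REDIRECT targets can divert traffic to another destination.
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<body>.*?) -j (?P<target>DNAT|REDIRECT)(?P<rest>.*)$")
DPORT_RE = re.compile(r"--dport (\d+)")
PROTO_RE = re.compile(r"-p (\S+)")
DEST_RE = re.compile(r"--to-destination (\S+)")


def parse_nat_rules(dump: str) -> List[str]:
    """Return the -A rule lines that belong to the *nat table only."""
    rules, in_nat = [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
        elif in_nat and line.startswith("-A "):
            rules.append(line)
    return rules


def find_dns_redirects(dump: str, trusted: Set[str]) -> List[Dict[str, str]]:
    """Return one finding per NAT rule that diverts port 53 to an untrusted
    destination. REDIRECT (to the router itself) is reported as "local"
    unless "local" is explicitly trusted, since a rogue local resolver is
    just as dangerous as a remote one."""
    findings = []
    for rule in parse_nat_rules(dump):
        m = RULE_RE.match(rule)
        if not m:
            continue
        dport = DPORT_RE.search(m.group("body"))
        if not dport or dport.group(1) != "53":
            continue
        proto = PROTO_RE.search(m.group("body"))
        if m.group("target") == "DNAT":
            dest = DEST_RE.search(m.group("rest"))
            if not dest:
                continue
            # --to-destination is IPv4 "addr" or "addr:port"; keep the address.
            dest_ip = dest.group(1).split(":", 1)[0]
        else:
            dest_ip = "local"
        if dest_ip in trusted:
            continue
        findings.append({
            "chain": m.group("chain"),
            "proto": proto.group(1) if proto else "any",
            "destination": dest_ip,
            "rule": rule,
        })
    return findings


if __name__ == "__main__":
    # Usage: iptables-save | python dns_redirect_audit.py   (or no stdin: sample)
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES_SAVE
    for f in find_dns_redirects(dump, TRUSTED_RESOLVERS):
        print(f"SUSPICIOUS DNS redirect in {f['chain']} ({f['proto']}) -> "
              f"{f['destination']}: {f['rule']}")
```

Run it against a live `iptables-save` dump on the router (or a copy collected during incident response) and treat any hit whose destination is not one of your own resolvers as a rule that needs explaining. On the constructed sample it reports the two rules pointing at 203.0.113.7 and stays silent on the one pointing at the router's legitimate resolver; the `*filter` rules and the MASQUERADE rule are ignored because they cannot redirect DNS.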
Long-term security measures include enforcing firmware integrity monitoring, restricting management access with multi-factor authentication, and setting up alerts for firewall rule changes.
