Reverse-engineering hardware can be difficult — but sometimes, all you need is a comfy armchair and some Google Translate.

“Evil” RJ45 Dongle: A Social Media Stir

Earlier this week, a young entrepreneur sparked a social media frenzy by suggesting that an Ethernet-to-USB dongle purchased from China was preloaded with malware. Claims included malware that “evaded virtual machines,” “captured keystrokes,” and contained “Russian-language elements.”

Dissecting the Claims

The revelations captured millions of views despite the hazy details. The entrepreneur shared an ambiguous scan report from CrowdStrike Falcon that, read carefully, did not support the claims. The flagged binary was a self-extracting EXE built with 7-Zip, the open-source archiver written by Igor Pavlov, whose nationality accounts for the "Russian-language elements": they come from the 7-Zip packaging, not from anything the dongle does. The archive's contents, in turn, matched a signed, publicly available driver for an RJ45-to-USB chip made by CoreChips Shenzhen, also known as Corechip Semiconductor.
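A first-pass check a practitioner can run on such a binary, added here as an example (it is not code from the original post or from the people who did the investigation): a 7-Zip self-extracting EXE is an ordinary PE stub with the .7z archive appended, so the script looks for the 7-Zip signature header after the MZ stub, validates the header's own CRC, and reports where the archive starts and ends. The header layout is the one documented in 7-Zip's 7zFormat.txt; the sample SFX produced by build_sample_sfx() is constructed for the demonstration and is not real 7-Zip output.

```python
import struct
import zlib

# 7-Zip signature header, as documented in 7zFormat.txt in the 7-Zip sources:
#   6 bytes magic, 2 bytes version, 4 bytes StartHeaderCRC,
#   8 bytes NextHeaderOffset, 8 bytes NextHeaderSize, 4 bytes NextHeaderCRC
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
START_HEADER_LEN = 32


def find_embedded_7z(data):
    """Return the offset of a 7z signature header inside a PE image, or None.

    An SFX is the stub (a normal PE, so it starts with 'MZ') followed by the
    archive, which is why the search starts past the MZ bytes.
    """
    if data[:2] != b"MZ":
        return None
    off = data.find(SEVENZ_MAGIC, 2)
    return None if off < 0 else off


def parse_7z_start_header(data, off):
    """Parse and CRC-check the 32-byte signature header at `off`."""
    hdr = data[off:off + START_HEADER_LEN]
    if len(hdr) < START_HEADER_LEN or hdr[:6] != SEVENZ_MAGIC:
        raise ValueError("no 7z signature header at offset %d" % off)
    major, minor = hdr[6], hdr[7]
    (start_crc,) = struct.unpack_from("<I", hdr, 8)
    next_off, next_size, next_crc = struct.unpack_from("<QQI", hdr, 12)
    # StartHeaderCRC covers the 20 bytes that follow it (offsets 12..31).
    if zlib.crc32(hdr[12:32]) != start_crc:
        raise ValueError("start header CRC mismatch (truncated or corrupt)")
    return {"version": (major, minor), "next_header_offset": next_off,
            "next_header_size": next_size, "next_header_crc": next_crc}


def triage_sfx(data):
    """Classify a suspect EXE: is it a 7-Zip SFX, and where is the archive?"""
    off = find_embedded_7z(data)
    if off is None:
        return {"is_7z_sfx": False}
    hdr = parse_7z_start_header(data, off)
    # NextHeaderOffset is relative to the end of the 32-byte signature header.
    nh_start = off + START_HEADER_LEN + hdr["next_header_offset"]
    nh = data[nh_start:nh_start + hdr["next_header_size"]]
    archive_end = nh_start + hdr["next_header_size"]
    return {
        "is_7z_sfx": True,
        "stub_size": off,                       # PE bytes before the archive
        "archive_size": archive_end - off,
        "next_header_intact": (len(nh) == hdr["next_header_size"]
                               and zlib.crc32(nh) == hdr["next_header_crc"]),
        "trailing_bytes": len(data) - archive_end,  # overlay after the archive, if any
        "format_version": hdr["version"],
    }


def build_sample_sfx(stub_size=64):
    """Constructed stand-in for an SFX: a fake MZ stub followed by a 7z archive
    whose packed streams and 'next header' are placeholder bytes. This is not
    real 7-Zip output; only the signature header is laid out exactly as 7-Zip does."""
    stub = b"MZ" + b"\x90" * (stub_size - 2)
    packed = b"packed-streams-placeholder"        # would be the compressed folders
    next_header = b"\x01\x04\x06\x00\x01\x09\x00"  # placeholder, CRC'd like a real one
    tail = struct.pack("<QQI", len(packed), len(next_header), zlib.crc32(next_header))
    start = SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", zlib.crc32(tail)) + tail
    return stub + start + packed + next_header


if __name__ == "__main__":
    print(triage_sfx(build_sample_sfx()))
```

A "yes" from this check only says the file is 7-Zip packaging. The next steps are the ones the investigation above took: extract it (7-Zip opens an SFX directly, `7z x suspect.exe -osuspect_out`) and verify the Authenticode signature on the extracted driver files, with Get-AuthenticodeSignature in PowerShell or osslsigncode verify on Linux, to reproduce the "signed, publicly available driver" finding.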

Unveiling the Truth

The driver referenced a chip named SR9900, speculated to be a clone of the Realtek RTL8152B. Information on the chip is scarce, but its lineage traces back to a 2013 design supporting 100BASE-TX over USB 2.0, the kind of part found in Windows 7-era dongles. Shipping the driver on a built-in mass-storage volume, so that a host with no driver for the adapter could still install one, was common practice for devices of that period.

Malicious Hardware: A Reality Check

Malicious hardware has been used by intelligence agencies and by private pentesters, but nothing in this case pointed to foul play. The original teardown photos showed a PCB with a serial flash IC next to the controller, which did leave one question open: what is that flash for? The chip's documentation answers it. The SR9900 supports an optional external SPI flash holding a driver image, which the chip exposes to the host as a virtual CD-ROM so the driver can be installed. The flash IC is the driver carrier, the same internal mass storage the driver package implied.
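What that virtual CD-ROM looks like from the host side, as an added example that is not part of the original article: a composite USB device reports a configuration descriptor listing one interface for the network function and a second mass-storage (SCSI, bulk-only transport) interface for the driver image. The parser below walks a raw configuration descriptor and flags that pattern. The descriptor returned by build_sample_descriptor() is constructed for illustration; it is not a dump from an SR9900 dongle, whose real interface layout (and whether it exposes the CD-ROM alongside the NIC or only until a mode switch) is not documented on this page.

```python
import struct

# Descriptor type codes from the USB 2.0 specification (table 9-5)
DT_CONFIGURATION = 2
DT_INTERFACE = 4
DT_ENDPOINT = 5

# Interface class codes relevant to a network dongle with a driver CD
CLASS_COMM = 0x02           # CDC, e.g. ECM/NCM networking
CLASS_MASS_STORAGE = 0x08   # the "virtual CD-ROM"
CLASS_VENDOR = 0xFF         # vendor-specific NIC (what Realtek-style parts use)


def parse_config_descriptor(blob):
    """Walk a raw USB configuration descriptor and return its interfaces.

    Every descriptor starts with (bLength, bDescriptorType), so the walk only
    needs those two bytes to step; types it does not care about are skipped.
    """
    if len(blob) < 9 or blob[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", blob, 2)[0]
    if total_len > len(blob):
        raise ValueError("wTotalLength exceeds buffer (truncated dump)")
    interfaces = []
    pos = 0
    while pos + 2 <= total_len:
        blen, btype = blob[pos], blob[pos + 1]
        if blen < 2 or pos + blen > total_len:
            raise ValueError("malformed descriptor at offset %d" % pos)
        if btype == DT_INTERFACE and blen >= 9:
            interfaces.append({
                "number": blob[pos + 2],
                "alt": blob[pos + 3],
                "class": blob[pos + 5],
                "subclass": blob[pos + 6],
                "protocol": blob[pos + 7],
                "endpoints": [],
            })
        elif btype == DT_ENDPOINT and blen >= 7 and interfaces:
            addr, attrs = blob[pos + 2], blob[pos + 3]
            interfaces[-1]["endpoints"].append({
                "address": addr,
                "direction": "IN" if addr & 0x80 else "OUT",
                "type": ("control", "isoc", "bulk", "interrupt")[attrs & 0x3],
                "max_packet": struct.unpack_from("<H", blob, pos + 4)[0],
            })
        pos += blen
    return interfaces


def describe(interfaces):
    """Summarize what the device exposes and flag the driver-CD pattern."""
    storage = [i["number"] for i in interfaces if i["class"] == CLASS_MASS_STORAGE]
    network = [i["number"] for i in interfaces
               if i["class"] in (CLASS_COMM, CLASS_VENDOR)]
    return {
        "interface_count": len(interfaces),
        "storage_interfaces": storage,
        "network_interfaces": network,
        # A NIC that also shows up as a disk is the driver-delivery design
        # discussed above; on its own it is not evidence of anything malicious.
        "driver_cd_pattern": bool(storage) and bool(network),
    }


def _desc(btype, *fields):
    """Build one descriptor: bLength, bDescriptorType, then the given bytes."""
    body = bytes(fields)
    return bytes([len(body) + 2, btype]) + body


def build_sample_descriptor():
    """Constructed configuration descriptor for a composite dongle:
    interface 0 = vendor-specific NIC, interface 1 = mass storage (SCSI/BOT)
    carrying the driver image. Not dumped from real hardware."""
    nic = _desc(DT_INTERFACE, 0, 0, 3, CLASS_VENDOR, 0xFF, 0x00, 0)
    nic += _desc(DT_ENDPOINT, 0x81, 0x02, 0x00, 0x02, 0)   # bulk IN, 512 bytes
    nic += _desc(DT_ENDPOINT, 0x02, 0x02, 0x00, 0x02, 0)   # bulk OUT, 512 bytes
    nic += _desc(DT_ENDPOINT, 0x83, 0x03, 0x08, 0x00, 8)   # interrupt IN, 8 bytes
    cd = _desc(DT_INTERFACE, 1, 0, 2, CLASS_MASS_STORAGE, 0x06, 0x50, 0)
    cd += _desc(DT_ENDPOINT, 0x84, 0x02, 0x00, 0x02, 0)    # bulk IN
    cd += _desc(DT_ENDPOINT, 0x05, 0x02, 0x00, 0x02, 0)    # bulk OUT
    body = nic + cd
    cfg = (bytes([9, DT_CONFIGURATION]) + struct.pack("<H", 9 + len(body))
           + bytes([2, 1, 0, 0x80, 50]))   # 2 interfaces, bus powered, 100 mA
    return cfg + body


if __name__ == "__main__":
    print(describe(parse_config_descriptor(build_sample_descriptor())))
```

On Linux the raw bytes come from /sys/bus/usb/devices/<port>/descriptors, which starts with the 18-byte device descriptor followed by the configuration descriptor(s), so feed the parser the bytes from offset 18 onward; lsusb -v shows the same fields decoded. Seeing the pattern is not a finding by itself. The meaningful check is to image the virtual CD-ROM volume and diff it against the vendor's published driver package, which is how the "signed, publicly available driver" conclusion above can be reproduced.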

Conclusion: A Predictable Outcome

Ultimately, the investigation confirmed that unusual does not equate to malicious. The SR9900's optional flash for driver storage matches the practice of its era, and no lab or advanced technique was needed to establish that: a datasheet, a driver package and a search engine were enough. The internal microcontroller cores remain unexamined, so this is a plausible explanation rather than a proof of absence; anyone who needs more than that can dump the SPI flash and compare its contents against the published driver. Short of that, there is no immediate cause for alarm.

Should You Be Concerned?

For most users, the risk of being targeted with a malicious RJ45-to-USB dongle is minimal. Individuals in sensitive positions, such as scientists in critical programs or CISOs in strategic businesses, are a different matter: for them, a cheap unbranded peripheral of unknown provenance deserves the same caution as any other untrusted device plugged into a trusted machine.
