Checkpoint Research describes this as part of a custom firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”, a custom MIPS32 ELF implant. HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:
* Remote shell: Execution of arbitrary shell commands on the infected router
* File transfer: Upload and download files to and from the infected router.
* SOCKS tunneling: Relay communication between different clients.
|2023-05-16 ⋅ Check Point Research ⋅ |
The Dragon Who Sold his Camaro: Analyzing a Custom Router Implant
There is no Yara-Signature yet.