elf.horseshell

Horse Shell


Check Point Research describes HorseShell as a custom MIPS32 ELF implant embedded in a modified router firmware image attributed to the Chinese state-sponsored actor "Camaro Dragon". HorseShell, the main implant the attackers inserted into the modified firmware, provides the attacker with three main functionalities:
* Remote shell: execution of arbitrary shell commands on the infected router.
* File transfer: upload and download of files to and from the infected router.
* SOCKS tunneling: relaying communication between different clients.

References
2023-05-16, Check Point Research, Itay Cohen and Radoslaw Madej: The Dragon Who Sold his Camaro: Analyzing a Custom Router Implant. https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ (accessed 2023-06-01)

@online{cohen:20230516:dragon:a2ec63b,
  author       = {Itay Cohen and Radoslaw Madej},
  title        = {{The Dragon Who Sold his Camaro: Analyzing a Custom Router Implant}},
  date         = {2023-05-16},
  organization = {Check Point Research},
  url          = {https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/},
  language     = {English},
  urldate      = {2023-06-01}
}

There is no YARA signature yet.