May 23rd, 2023

The Rise of the Dragon

By AC on Peakhour

The landscape of cyber threats is constantly changing. Recently, a group sponsored by the Chinese state, known as Camaro Dragon, has developed a new type of malware. This custom firmware implant targets TP-Link routers and transforms them into residential proxies. This method challenges traditional cyber-defences, like GeoIP blocking. This article will explore the complexity of this malware, the impact of residential proxies on enterprise security, and its potential to bypass GeoIP security measures.

Understanding the New Malware

Check Point’s research reveals that Camaro Dragon has launched sophisticated attacks on European foreign affairs entities. The group uses a custom firmware implant, known as ‘Horse Shell’, designed specifically for TP-Link routers. This malware includes a backdoor that grants the attackers continuous access to compromised networks and allows them to construct anonymous infrastructures.

‘Horse Shell’ can perform various actions on the infected router, such as executing arbitrary commands, transferring files, and relaying communications using SOCKS tunneling. Its flexible design allows it to adapt to different vendors’ firmware, suggesting the possibility of a wider spread.

The People and Intentions Behind The Malware

Investigations into the origin of the ‘Horse Shell’ malware by security firms such as Check Point Research, Avast, and ESET point to a well-known cyber threat actor: Mustang Panda. This Advanced Persistent Threat (APT) group, linked to the Chinese government, is known for complex attacks, often exploiting Internet-facing network devices.

The primary function of ‘Horse Shell’ is to relay traffic between an infected device and the attackers’ command and control servers. This method obscures the true source and destination of the communication, making it difficult to trace back to the attackers.

Importantly, Mustang Panda seems to indiscriminately choose targets for router implants. The infection of a home router doesn’t imply that the homeowner is a specific target. Instead, each infected router becomes a node in a broader chain that connects main infections to command and control operations.

Researchers discovered this approach when they found the ‘Horse Shell’ implant during an investigation of targeted attacks against European foreign affairs entities. The implant allows the attackers to maintain ongoing access, establish anonymous infrastructure, and move laterally within compromised networks.

The Implications of Residential Proxies

Residential proxies serve as intermediaries, utilising real IP addresses issued by Internet Service Providers (ISPs). They are used across a range of applications such as data gathering via web scraping for businesses and anonymising user online activity.

However, residential proxies also have a darker side, particularly when exploited by malware such as ‘Horse Shell’. This malware infects routers, transforming them into a network of residential proxies, which can then be manipulated for malicious activities like data breaches and distributed denial-of-service (DDoS) attacks.

Most importantly, this exploitation can create residential proxies that make an attack seem as if it’s originating from a domestic source within the target’s location. This deceit undermines traditional cyber-defences.

GeoIP Security Measures and Their Limitations

GeoIP blocking, a traditional cybersecurity tool, works by limiting access from specific geographical regions or networks frequently associated with cyber threats. However, this method is becoming less effective against the rising use of residential proxies.

Residential proxies can disguise the actual origin of a cyber attack, giving the illusion that it’s originating from a trusted, usually local, location. This capability allows them to effectively bypass GeoIP blocking measures. Consequently, malicious actors leveraging residential proxies can carry out their activities under the cloak of anonymity, often undetected.

A key point to note is the exploitation of home routers by malware like ‘Horse Shell,’ which turns these devices into unwitting participants in cyberattacks. This manipulation means an attack could appear to originate from a seemingly trusted domestic source, thus rendering GeoIP blocking ineffective.

This emerging threat underscores the pressing need for a more layered and nuanced approach to cybersecurity. The days when sole reliance on GeoIP blocking was sufficient are now past us. Given the evolution of malware that exploits residential proxies, our detection and defense strategies also need to adapt. Specifically, it’s crucial to recognize that relying solely on GeoIP blocking, or trusting local connections and deny-listing countries like Russia and China, can create a false sense of security.

Detecting Residential Proxies: The Role of Network Fingerprinting

The rise of residential proxy malware underscores the importance of network fingerprinting in identifying such threats. Here are five techniques that can aid in detecting residential proxies:

  1. TCP Fingerprinting: Proxied requests may generate TCP fingerprints that don’t match the expected device type. For example, a request emanating from a residential IP address, yet bearing the fingerprint of a server OS, could be a telltale sign of a proxy.
  2. TLS and HTTP/2 Signatures: Similar to TCP fingerprints, unusual TLS and HTTP/2 signatures could reveal proxies. An incoming request utilizing a version of TLS or HTTP/2 not commonly used in residential networks might indicate a proxy at work.
  3. JavaScript-based Fingerprinting: This method identifies the specific browser being used. Any discrepancies in JavaScript fingerprints (or lack of a fingerprint) could suggest the presence of a residential proxy.
  4. Timing Analysis: The timing of requests can also be a giveaway. Proxied requests might exhibit longer or inconsistent intervals between requests, indicating a residential proxy.
  5. Port Scanning: This technique can detect open ports that could indicate the presence of SOCKS or other proxies, thereby revealing possible exposure to threats.

While residential proxies have uses, such as aiding web scraping, these relatively benign applications are trivial compared to the significant network effects of being compromised by trusted or local networks. Cyber threats like ‘Horse Shell’ are using residential proxies to undermine traditional GeoIP security measures, underscoring the need for the continuous evolution of our defense strategies.

In Part 1 of our series on residential proxies, we provide an overview of this important topic and delve into why it’s a major concern in today’s cybersecurity landscape. From basic uses to their role in complicated cyber-attacks, we’ll explain everything you need to know. Ma


  1. Cohen, I., Madej, R., & Threat Intelligence Team (2023). The Dragon Who Sold His Camaro: Analyzing Custom Router Implant. Check Point Research. Retrieved from https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ 
  2. Goodin, D. (2023, May 17). Malware turns home routers into proxies for Chinese state-sponsored hackers. Ars Technica. Retrieved from https://arstechnica.com/information-technology/2023/05/malware-turns-home-routers-into-proxies-for-chinese-state-sponsored-hackers/