What happens to malicious infrastructure created by attackers, after they stop maintaining it?
See Also: Live Webinar | 10 Strategies to Tackle Alert Fatigue with Smarter SOC
To paraphrase the old Army ballad, such infrastructure never dies, it just fades away.
Many systems infected by malicious code will keep trying to “phone home” but not receive a response unless someone else takes control of the domain to which they’re reaching out. Many of these server infections are traced to malicious web shells. Such software gets installed on infected servers to give attackers remote access, via HTTP, allowing them to run commands, upload and execute files, exfiltrate data and more.
Enter researchers from attack surface management vendor watchTowr who decided to study how many systems infected by web shells they could find that reached out to “expired and abandoned infrastructure.”
Now add this wrinkle: To trace the infections, they looked for communications tied to hardcoded but obfuscated backdoors in popular web shells, hidden by their developers so they could hijack any infections made with their tool.
“We went on a mission: Collect as many web shells as possible – regardless of language, target or age – de-obfuscate any code that happened to be protected by the power of base64 and extract any unregistered domains likely used in some sort of callback function,” watchTowr researchers said.
They funneled the results of their unregistered domain searches to the AWS Route53 API, enabling them to automatically register more than 40 domains for $20 each. The domains included alturks.com, h4cks.in, hackru.info and w2img.com. Researchers then redirected all traffic to those domains to their own logging server, set to only receive and log all incoming requests, and to not respond to any of them.
“Put simply: We have been hijacking backdoors that were reliant on now-abandoned infrastructure and/or expired domains that themselves existed inside backdoors, and have since been watching the results flood in,” they said. “This hijacking allowed us to track compromised hosts as they ‘reported in,’ and theoretically gave us the power to commandeer and control these compromised hosts.”
While any user with malicious intentions might very well pursue such activities, the researchers said they drew a clear line at either commandeering or compromising the hosts, and instead only amassed incoming data.
They’ve been analyzing their logs, and so far have counted 4,000 breached systems phoning home, including government systems in Bangladesh, China and Nigeria, as well as educational systems in China, South Korea and Thailand.
Numerous requests traced to a variant of a backdoor tied to 2020 attacks attributed to North Korea’s Lazarus Group, which other attackers may have since repurposed, that is designed to load a .gif file from the w2img.com server. “We saw over 3,900 unique compromised domains from this backdoor alone – clearly, this is a prolific tool,” they said.
Rather than let the domain registrations tied to the malicious activity ultimately expire again and be available for someone else to potentially commandeer, researchers said they handed it off to The Shadowserver Foundation, which is a nonprofit security organization that often sinkholes domains connected to malicious domains.
Backdoors in Backdoors
The research is a reminder that malicious web shell options remain numerous and often freely available for aspiring attackers. Most web shells are written in PHP, which remains the most widely used server-side language, boasting a market share of 75% or more.
Long-popular web shell options include c99 shell and r57 shell, researchers say. Other examples include China Chopper, which has been tied to numerous attacks attributed to Beijing-backed government hackers, including the group tracked as APT41.
One quirk of web shells, as capitalized on by the watchTowr researchers, is that their creators often add backdoors allowing them to steal infected sites from their tool’s users.
Long a rumor on hacking forums, research backs up this nefarious strategy as fact. As detailed in a 2016 “No Honor Among Thieves: A Large-Scale Analysis of Malicious Web Shells” research paper, about 30% of the 1,449 web shells studied by those researchers included a hidden mechanism for phoning home to their creator, so that “the shells, upon execution, surreptitiously communicate to various third parties with the intent of revealing the location of new shell installations.”
Knowing the location of these new shell installations enables the tool’s developer to seize control of the web shells after someone else has gone to the time, effort and expense of finding and infecting them.
Shocker: there’s really no honor among thieves.
Web shells are not the only type of hacking tool that gets regularly backdoored by their creators. The research paper also cites examples that include phishing toolkits designed to share stolen credentials not only with users but the creator of the toolkit, as well as a distributed denial-of-service tool designed to backdoor any system on which it got installed.
