
Over 4,000 backdoors hijacked by registering expired domains


Over 4,000 abandoned but still active web backdoors were hijacked and their communication infrastructure sinkholed after researchers registered expired domains used for commanding them.

Some of the live malware (web shells) was deployed on web servers of high-profile targets, including government and university systems, ready to execute commands from anyone who took control of the communication domains.

Together with The Shadowserver Foundation, researchers at offensive security outfit WatchTowr Labs prevented these domains and the corresponding victims from falling into the hands of malicious actors.

Finding thousands of breached systems

Backdoors are malicious tools or code planted on a compromised system to allow unauthorized remote access and control. Threat actors typically use them to maintain persistent access and to run commands on the compromised system that further the attack.

WatchTowr researchers started hunting for domains in various web shells and purchased any that had expired, essentially taking control of the backdoors.

Once the researchers had set up logging on those domains, the abandoned but still active web shells began sending requests that allowed at least some of the victims to be identified.

From registering more than 40 domains, the researchers received communication from over 4,000 compromised systems attempting to “phone home.”

[Image: Sample of registered domains]
Source: WatchTowr

The researchers found several backdoor types, including the “classic” r57shell, the more advanced c99shell, which offers file management and brute-forcing capabilities, and the “China Chopper” web shell that is often linked to APT groups.

The report even mentions one backdoor that showcased behavior associated with the Lazarus Group, although it later clarifies that it was likely a reuse of the threat actor’s tool by others.

Among the varied set of breached machines, WatchTowr found multiple systems within China’s government infrastructure, including courts, a compromised Nigerian government judicial system, and systems in Bangladesh’s government network.

In addition, infected systems were found in educational institutions in Thailand, China, and South Korea.

WatchTowr handed over the responsibility of managing the hijacked domains to The Shadowserver Foundation to ensure that they will not become available for takeover in the future. Shadowserver is now sinkholing all traffic sent from breached systems to these domains.

WatchTowr’s research, although not complex, shows that expired domains from past malware operations can still serve new cybercriminals, who could gain access to some of the victims simply by registering the control domains.
