| Category | Details |
|---|---|
| Threat Actors | Various threat actors leveraging web backdoors, including China-nexus APT groups (e.g., China Chopper users). |
| Campaign Overview | • watchTowr Labs hijacked 4,000+ web backdoors using abandoned or expired domains. • Cost of operation: as low as $20 per domain. • Sinkholing performed in partnership with the Shadowserver Foundation. |
| Target Regions (or Victims) | • Government entities: Bangladesh, China, Nigeria. • Academic institutions: China, South Korea, Thailand. • Other affected regions: Argentina, India, Indonesia, Israel, Pakistan, Philippines, Ukraine, U.S., etc. |
| Methodology | • Registered 40+ abandoned domains previously used for C2 communication. • Observed beaconing activity from compromised hosts. • Some web shells had been backdoored by their original maintainers, inadvertently exposing the hosts they were deployed on. |
| Product Targeted | • Systems with web backdoors (e.g., c99shell, r57shell, China Chopper). |
| Malware Reference | • Web shells: China Chopper, c99shell, r57shell. |
| Tools Used | • Web shells (for persistent remote access and exploitation). |
| Vulnerabilities Exploited | • Reliance on abandoned infrastructure and expired domains for C2. • Backdoors in web shells leaking deployment locations. |
| TTPs | • Hijacking abandoned infrastructure. • Sinkholing domains. • Monitoring compromised hosts through beaconing activity. • Persistent access via web shells. |
| Attribution | • Conducted by watchTowr Labs. • Observed China-nexus APT groups leveraging certain web shells (e.g., China Chopper). |
| Recommendations | • Monitor and secure infrastructure to avoid domain expiration. • Regularly check for unauthorized web shells on systems. • Implement strict access controls and real-time monitoring for beaconing activity. |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2025/01/expired-domains-allowed-control-over.html
The above summary has been generated by an AI language model