Researchers hijack thousands of backdoors thanks to expired domains

Image credit: Shutterstock (Image credit: Shutterstock)

Researchers found thousands of forgotten, but active, web backdoors
They gained access by purchasing expired domains
All of the backdoors are being sinkholed

Experts recently uncovered more than 4,000 web backdoors which their operators seem to have forgotten, but which they managed to seize and sinkhole them, effectively preventing them from being abused by other threat actors in the future.

Two researchers from watchTowr, CEO Benjamin Harris, and researcher Aliz Hammond, said they discovered thousands of expired domains that were used to command the web backdoors.

watchTowr’s researchers set up a logging system, which showed that the malware was still active, despite not being in use. It was sending requests that helped the researchers identify some of the victims. They also identified a few of the backdoors used, including the r57shell, c99shell, and one called “China Chopper”.

China under assault

Some of the backdoors were deployed on web servers belonging to government agencies, universities, and other similar high-profile targets. Victims were located all over the world, including China, Thailand, and South Korea. In fact, a number of Chinese government systems and courts were said to have been compromised, as well as systems in Nigeria and Bangladesh.

The backdoors appear to be a mix of legitimate APT-level tools and other, less sophisticated implementations, leading the researchers to speculate that multiple threat actors, of different skill levels, were involved. The source IPs also pointed to heavy usage by attackers from regions like Hong Kong and China, though these could also be proxies and not definitive evidence of attribution.

The researchers also suggested at least some of the backdoors were originally associated with the dreaded Lazarus Group, but stressed that in this case, they were likely repurposed by other attackers. Lazarus is one of the most dangerous North Korean state-sponsored threat actors, actively engaged in industrial espionage, identity theft, wire fraud, and more.

At press time, the number of discovered web backdoors was 4,000, with the researchers adding that this was not definitive and that the actual number of compromised systems was likely much larger.

Via BleepingComputer

This devious backdoor installer gives hackers full control over courtroom devices
Here's a list of the best antivirus tools on offer
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.