LapDogs Hackers Compromise 1,000 SOHO Devices Using Custom Backdoor for Stealthy Attacks
Security researchers at SecurityScorecard have uncovered a sprawling cyber-espionage campaign orchestrated by the LapDogs Operational Relay Box (ORB) Network, a sophisticated infrastructure compromising over 1,000 devices worldwide.
Identified as a key tool for China-Nexus threat actors, LapDogs primarily targets Small Office/Home Office (SOHO) routers and IoT devices, particularly Linux-based systems, to facilitate covert operations.
This network, active since at least September 2023, leverages a custom backdoor named ShortLeash to infiltrate devices, establishing a stealthy framework for espionage.
The campaign shows a strategic focus on critical regions, with nearly 90% of infected nodes located in the United States, Japan, South Korea, Taiwan, and Hong Kong, highlighting a calculated approach to regional targeting.
A Technical Dissection of Persistence and Deception
At the heart of LapDogs’ operations is ShortLeash, a bespoke malware with variants for Linux and Windows systems, designed to ensure persistence and anonymity.
Once deployed, ShortLeash installs itself as a system service, often in directories like /etc/systemd/system/ on Ubuntu or /lib/systemd/system/ on CentOS, using root privileges to survive reboots.
The malware encrypts its configuration with a dual-layer encryption scheme, employing unique decryption keys and UCL-like compression to conceal its payload, which includes certificates, private keys, and C2 communication URLs.

Mimicking a legitimate Nginx web server, ShortLeash generates self-signed TLS certificates masquerading as issued by the Los Angeles Police Department (LAPD), a deceptive tactic to blend malicious traffic with benign activity.
SecurityScorecard’s STRIKE team traced these certificates, which share a consistent JARM fingerprint (3fd3fd16d3fd3fd22c3fd3fd3fd3fdf20014c17cd0943e6d9e2fb9cd59862b), to map over 1,000 active nodes.
The malware’s methodical deployment in 162 distinct intrusion sets, often targeting specific ISPs or geographic locales, underscores a goal-oriented operation distinct from opportunistic botnets.
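As an added illustration, not code from the report or from SecurityScorecard, the following Python sketch applies the two fingerprints quoted above, the published JARM value and the self-signed LAPD certificate subject, to TLS scan records in JSON-lines form; the record fields and the sample hosts are constructed assumptions, and the JARM match is rated weaker than the certificate because JARM fingerprints a server's TLS stack and can collide with benign servers.

```python
import json

LAPDOGS_JARM = "3fd3fd16d3fd3fd22c3fd3fd3fd3fdf20014c17cd0943e6d9e2fb9cd59862b"  # from the IOC table
LAPD_DN = {"CN": "ROOT", "O": "LAPD", "ST": "California",
           "C": "US", "L": "LA", "OU": "Police department"}  # from the IOC table


def parse_dn(dn):
    """'CN=ROOT, O=LAPD, ...' -> dict; attribute order is ignored (no escaped commas)."""
    fields = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields


def classify(record):
    """Return the LapDogs indicators one scan record matches."""
    hits = []
    if record.get("jarm", "").lower() == LAPDOGS_JARM:
        hits.append("jarm")
    subject = parse_dn(record.get("subject", ""))
    if subject == LAPD_DN:
        hits.append("lapd-subject")
        # ShortLeash certificates are self-signed: issuer equals subject.
        if parse_dn(record.get("issuer", "")) == subject:
            hits.append("self-signed")
    return hits


def verdict(hits):
    """JARM alone is a weak signal; the self-signed LAPD certificate is the strong one."""
    if "self-signed" in hits:
        return "strong"
    return "weak" if hits else "none"


def scan(lines):
    """Map host -> (verdict, hits) for each flagged JSON-lines scan record."""
    flagged = {}
    for line in filter(str.strip, lines):
        rec = json.loads(line)
        hits = classify(rec)
        if hits:
            flagged[rec["host"]] = (verdict(hits), hits)
    return flagged


# Constructed sample scan output using RFC 5737 test addresses, not report data.
SAMPLE_SCAN = """\
{"host": "192.0.2.10", "jarm": "3fd3fd16d3fd3fd22c3fd3fd3fd3fdf20014c17cd0943e6d9e2fb9cd59862b", "subject": "CN=ROOT, O=LAPD, ST=California, C=US, L=LA, OU=Police department", "issuer": "OU=Police department, L=LA, C=US, ST=California, O=LAPD, CN=ROOT"}
{"host": "192.0.2.20", "jarm": "3fd3fd16d3fd3fd22c3fd3fd3fd3fdf20014c17cd0943e6d9e2fb9cd59862b", "subject": "CN=example.test, O=Example", "issuer": "CN=example.test, O=Example"}
{"host": "192.0.2.30", "jarm": "00000000000000000000000000000000000000000000000000000000000000", "subject": "CN=www.example.test", "issuer": "CN=Some CA, O=Example CA"}
"""
```

Running `scan(SAMPLE_SCAN.splitlines())` rates the first host "strong" (JARM plus self-signed LAPD certificate) and the second only "weak" (JARM alone).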
Strategic Exploitation
LapDogs exploits long-known vulnerabilities such as CVE-2015-1548 and CVE-2017-17663 in lightweight web servers like ACME mini_httpd, which are prevalent in SOHO devices from vendors such as Ruckus Wireless (55% of infections) and Buffalo Technology.
The attackers’ focus on Taiwan’s critical infrastructure, as noted in Cisco Talos’ report on threat actor UAT-5918, combined with Mandarin code snippets in ShortLeash scripts, reinforces suspicions of China-Nexus involvement.

Unlike botnets, LapDogs operates with precision, rarely engaging in noisy attacks like DDoS, instead prioritizing espionage through reconnaissance, data exfiltration, and anonymized browsing via compromised nodes.
According to the report, SecurityScorecard warns that traditional Indicators of Compromise (IOC) tracking is undermined by the network’s rapid node rotation and scale, and urges security teams to adopt network-wide threat modeling.
As LapDogs continues to expand methodically, with certificate issuance batches revealing targeted campaigns (e.g., 123 devices in Japan on November 26, 2024), organizations must prioritize securing embedded devices and collaborate with entities like STRIKE for mitigation.
Indicators of Compromise (IOCs)
| Description | Type | Indicator |
|---|---|---|
| ShortLeash Bash Startup Script | SHA256 | 75618401b64046d970df49fcfdfcc36174b0aae27ac4e1c178dc75219992080a |
| ShortLeash Linux Variant | SHA256 | 9b954bfc2949d07eb41446225592eaa65ed3954cd2b93a13c574bb89147a4465 |
| ShortLeash Windows Variant | SHA256 | 02ab315e4e3cf71c1632c91d4914c21b9f6e0b9aa0263f2400d6381aab759a61 |
| Certificate Metadata (Subject/Issuer) | TLS Certificate | CN=ROOT, O=LAPD, ST=California, C=US, L=LA, OU=Police department |
| JARM Fingerprint | JARM | 3fd3fd16d3fd3fd22c3fd3fd3fd3fdf20014c17cd0943e6d9e2fb9cd59862b |
| LapDogs C2 Domain | Domain | www.northumbra[.]com |
| LapDogs Node IP | IPv4 | 103.131.189[.]2 |