Researchers Hijacked 4000 Backdoors That Rely on Expired Infrastructure


The researchers exploited a novel attack vector: hijacking abandoned backdoors that were embedded within other backdoors and that relied on expired or abandoned infrastructure, such as lapsed domains.

By acquiring these domains, the researchers gained access to thousands of compromised systems, including those belonging to governments (Bangladesh, China, Nigeria), universities (Thailand, China, South Korea), and other entities. 

This “mass-hacking-on-autopilot” approach demonstrated the significant security risks posed by the continued reliance on outdated infrastructure and the potential for attackers to leverage abandoned systems for their own malicious activities. 

c99shell (Source: watchTowr Labs)

Attackers carry out post-exploitation activities through web shells, which are code snippets deployed on a web server after a vulnerability has been successfully exploited.


There are various web shells, including simple ones that can execute commands and more complex ones that have functionalities like file management, code execution, self-removal, backdoor deployment, FTP brute force, and SQL clients.

R57shell, a popular web shell, leaks the location of each newly deployed copy to its creators via the HTTP Referer header, which those creators can exploit to seize control of the shell from the attacker who deployed it.

r57shell (Source: watchTowr Labs)

A common form of backdoor lets the original author access any host running the web shell; the researchers give the example of a c99shell backdoor in which the login and password are hardcoded in the source.

c99shell performs its authentication check using the PHP_AUTH_USER and PHP_AUTH_PW server variables.

Attackers can abuse the shell's @extract() call, which imports request parameters into the current scope as variables and overwrites any existing ones by default, to overwrite the hardcoded credential variables and bypass the check.
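The following is an added illustration of the bug class just described; it is not c99shell's source, and the usernames, passwords and function names in it are constructed placeholders. It shows the vulnerable shape (hardcoded credentials in the same scope that extract() fills with request data) next to a hardened check of the same kind that legitimate PHP applications should use instead.

```php
<?php
declare(strict_types=1);

// Added illustration of the bug class the article describes; this is not
// c99shell's source. Usernames and passwords below are constructed placeholders.

// Vulnerable pattern: hardcoded credentials live in the same scope into which
// extract() imports untrusted request parameters. PHP's extract() defaults to
// EXTR_OVERWRITE, so a request parameter named "login" or "password" replaces
// the hardcoded values before the comparison runs.
function vulnerable_auth(array $server, array $request): bool
{
    $login    = 'shell_owner';   // placeholder hardcoded username
    $password = 'shell_secret';  // placeholder hardcoded password

    @extract($request);          // the call the article refers to

    return ($server['PHP_AUTH_USER'] ?? '') === $login
        && ($server['PHP_AUTH_PW']   ?? '') === $password;
}

// Hardened pattern: never turn request keys into variables; read only the
// headers you need, keep the secret as a password hash rather than plaintext,
// and compare in constant time.
function hardened_auth(array $server, string $expectedUser, string $expectedPwHash): bool
{
    $user = (string) ($server['PHP_AUTH_USER'] ?? '');
    $pw   = (string) ($server['PHP_AUTH_PW'] ?? '');

    return hash_equals($expectedUser, $user) && password_verify($pw, $expectedPwHash);
}

// Constructed demonstration input: a client that knows neither credential and
// supplies its own values both as Basic-auth headers and as request parameters.
$server  = ['PHP_AUTH_USER' => 'anyone', 'PHP_AUTH_PW' => 'anything'];
$request = ['login' => 'anyone', 'password' => 'anything'];

var_dump(vulnerable_auth($server, $request));
var_dump(hardened_auth(
    $server,
    'shell_owner',
    password_hash('shell_secret', PASSWORD_DEFAULT)
));
```

Run with `php example.php`: the vulnerable check accepts the client because extract() has replaced `$login` and `$password` with the request's own values, while the hardened check rejects it. For legacy code that cannot drop extract() entirely, passing the real `EXTR_SKIP` flag stops it from clobbering variables that already exist, but reading named keys explicitly is the safer design; a code audit that searches PHP sources for `extract($_GET`, `extract($_POST` or `extract($_REQUEST` is a quick way to find this pattern.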

The researchers collected web shells from the internet, analyzed the incoming requests, and identified a backdoor used by APT37 that sends a beacon request disguised as a GIF image fetch request. 

According to watchTowr Labs, over 3900 unique compromised domains are using this backdoor, and requests were observed from government domains, including fhc.gov.ng, a Nigerian government website.

The attacker used a password-protected web shell that transmits the login password in clear text to a logging server; the attacker had modified the code to point to different URLs, but it still sent data to the logging server.
