Full Report
No less than 4,000 unique web backdoors previously deployed by various threat actors have been hijacked by taking control of abandoned and expired infrastructure for as little as $20 per domain. Cybersecurity company watchTowr Labs said it pulled off the operation by registering over 40 domain names that the backdoors had been designed to use for command-and-control (C2). In partnership with the
Analysis Summary
# Incident Report: Hijacked Infrastructure Leading to Backdoor Control
## Executive Summary
Cybersecurity firm watchTowr Labs found that more than 4,000 deployed web backdoors were still attempting to reach Command and Control (C2) domains that their original operators had allowed to expire. By registering these abandoned domains at low cost, the researchers hijacked the communication channel, tracked the compromised hosts, and could in principle have taken control of the backdoors. The affected hosts included government entities and academic institutions across Asia and Africa.
## Incident Details
- Discovery Date: January 2025 (Based on publication date)
- Incident Date: Ongoing (the backdoors' C2 domains expired at various times after deployment)
- Affected Organization: Multiple compromised hosts including Government entities (Bangladesh, China, Nigeria) and Academic Institutions (China, South Korea, Thailand).
- Sector: Government, Education
- Geography: Global, with identified victims in Asia and Africa.
## Timeline of Events
### Initial Access
- Date/Time: Not specified (Attackers previously deployed backdoors)
- Vector: C2 infrastructure that relied on domains which were later allowed to expire and were abandoned.
- Details: Threat actors deployed backdoors (such as c99shell, r57shell and China Chopper) whose C2 communication was hardcoded to specific domain names. When those domains expired, the original operators lost control of them and anyone could register them.
### Lateral Movement
- Details: The observed backdoors are web shells, which inherently allow remote command execution and potentially further exploitation or deployment of additional payloads within the compromised networks.
### Data Exfiltration/Impact
- Details: The primary impact observed during the security research phase was the ability to track beaconing activity from compromised hosts. The original intent of the backdoors was persistent remote access for follow-on exploitation.
### Detection & Response
- **Detection (Research):** watchTowr Labs registered over 40 implicated domains.
- **Response (Research):** watchTowr Labs, in partnership with the Shadowserver Foundation, sinkholed the identified domains to disrupt the threat actors' C2 capabilities and track beaconing hosts.
## Attack Methodology
- Initial Access: Web shells (backdoors) were deployed on targets through unspecified initial means.
- Persistence: Achieved via web shells (e.g., c99shell, r57shell, China Chopper) programmed to periodically communicate with hardcoded C2 domains.
- Privilege Escalation: Not explicitly detailed, but web shells often allow for arbitrary code execution, facilitating escalation.
- Defense Evasion: Not explicitly detailed; reliance on expired domains can be viewed as a form of evasion, since that infrastructure is no longer actively monitored by its original deployer.
- Credential Access: Not explicitly detailed, but tools like r57shell offer FTP brute-forcing capabilities.
- Discovery: Not explicitly detailed, but web shells generally allow for command execution necessary for host discovery.
- Lateral Movement: Potentially facilitated by web shell capabilities (e.g., file operations, payload deployment).
- Collection: Allowed for by the data gathering features inherent in the web shells.
- Exfiltration: Implied functionality of the web shells, though not specifically observed during the hijacking phase.
- Impact: Maintained persistent remote access for future exploitation of government and academic networks.
## Impact Assessment
- Financial: Unknown, but cost to register domains was minimal (as low as $20 per domain). Significant remediation costs likely for affected organizations.
- Data Breach: Type of data compromised is unknown, but the access would permit theft or damage to sensitive assets within government/academic environments.
- Operational: Disruption to the threat actors' remote access infrastructure. Affected organizations continued to unknowingly beacon to the security researcher's sinkholes.
- Reputational: Potential significant damage to identified organizations (governments and universities) whose networks were compromised by state-backed or criminal actors.
## Indicators of Compromise
*Note: Specific IoCs are not listed here; indicators are described by category.*
- **Network indicators:** Communication attempts to domains subsequently registered and sinkholed by watchTowr Labs.
- **File indicators:** Presence of specific web shells such as c99shell, r57shell, and China Chopper on web servers.
- **Behavioral indicators:** Regular beaconing activity from compromised hosts attempting to reach the now-controlled C2 domains.
## Response Actions
- **Containment measures:** watchTowr Labs took control of the expired C2 domains by registering them.
- **Eradication steps:** Sinkholing the domains disrupted the threat actor's ability to communicate with the backdoors.
- **Recovery actions:** The tracking of beaconing activity allowed defenders (via Shadowserver) to potentially identify and remediate the compromised hosts.
## Lessons Learned
- Hardcoding C2 infrastructure to non-controlled or expiring domains creates a significant, latent risk once those domains expire.
- Domain expiration presents an often-overlooked opportunity for malicious or benevolent actors to hijack existing C2 channels.
- Simple, publicly available web shells remain prevalent tools for long-term persistence across diverse sectors.
## Recommendations
- Implement rigorous infrastructure lifecycle management so that critical domains and communication endpoints on which deployed software depends are never allowed to expire; the lapse of the C2 domains described here is exactly that failure.
- Proactively monitor external infrastructure linkages (domains, IPs) associated with deployed applications to detect when they become available for registration.
- Conduct regular forensic audits on web-accessible services for classic web shells like China Chopper, c99shell, and r57shell.
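As an added example (not code from the watchTowr report or the article), the following Python script combines the behavioural indicator above with the infrastructure-monitoring recommendation: it finds near-periodic beaconing from internal hosts to external domains in a constructed egress log, then checks each beacon destination against a constructed registration-expiry table (standing in for a WHOIS/RDAP lookup) and flags domains that have already lapsed and could be registered by a third party. All host names, domains and dates are constructed; the destination column is assumed to already hold the registrable domain.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
# Constructed egress log (timestamp, source host, contacted domain); not data from the report.
SAMPLE_LOG = """\
2025-01-08T10:00:00Z web01.corp.internal shell-update.example
2025-01-08T10:05:00Z web01.corp.internal shell-update.example
2025-01-08T10:10:00Z web01.corp.internal shell-update.example
2025-01-08T10:15:00Z web01.corp.internal shell-update.example
2025-01-08T10:17:42Z web02.corp.internal cdn.example
2025-01-08T11:03:09Z web02.corp.internal cdn.example
2025-01-08T12:48:55Z web02.corp.internal cdn.example
2025-01-08T13:01:00Z web02.corp.internal cdn.example
"""
# Constructed registration expiry dates standing in for a WHOIS/RDAP lookup.
DOMAIN_EXPIRY = {"shell-update.example": "2024-11-30",  # lapsed: anyone can register it
                 "cdn.example": "2027-06-01"}
def parse_log(text):  # group contact timestamps by (source host, destination domain)
    events = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return events

def find_beacons(events, min_events=4, max_jitter=0.1):
    """Return (src, dst, period_seconds) for pairs contacted at a near-constant interval."""
    beacons = []
    for (src, dst), times in events.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons.append((src, dst, period))
    return beacons

def assess(beacons, expiry, now):
    """Label each beacon destination as expired, expiring (<= 30 days), active or unknown."""
    findings = []
    for src, dst, period in beacons:
        exp_s = expiry.get(dst)
        exp = exp_s and datetime.strptime(exp_s, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        status = ("unknown" if not exp else "expired" if exp < now
                  else "expiring" if exp - now <= timedelta(days=30) else "active")
        findings.append({"src": src, "dst": dst, "period_s": period, "status": status})
    return findings

NOW = datetime(2025, 1, 9, tzinfo=timezone.utc)  # constructed analysis time
FINDINGS = assess(find_beacons(parse_log(SAMPLE_LOG)), DOMAIN_EXPIRY, NOW)
```

Only web01's five-minute cadence to the lapsed domain is reported; web02's irregular contacts to an actively registered domain are discarded by the jitter test.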