Expired Domains Allowed Control Over 4,000 Backdoors on Compromised Systems

No less than 4,000 unique web backdoors previously deployed by various threat actors have been hijacked by taking control of abandoned and expired infrastructure for as little as $20 per domain.

Cybersecurity company watchTowr Labs said it pulled off the operation by registering over 40 domain names that the backdoors had been designed to use for command-and-control (C2). In partnership with the Shadowserver Foundation, the domains implicated in the research have been sinkholed.

"We have been hijacking backdoors (that were reliant on now abandoned infrastructure and/or expired domains) that themselves existed inside backdoors, and have since been watching the results flood in," watchTowr Labs CEO Benjamin Harris and researcher Aliz Hammond said in a technical write-up last week.

"This hijacking allowed us to track compromised hosts as they 'reported in,' and theoretically gave us the power to commandeer and control these compromised hosts."

Among the compromised targets identified by means of the beaconing activity included government entities from Bangladesh, China, and Nigeria; and academic institutions across China, South Korea, and Thailand, among others.

The backdoors, which are nothing but web shells designed to offer persistent remote access to target networks for follow-on exploitation, vary in scope and functionality -

• Simple web shells that are capable of executing an attacker-provided command by means of a PHP code
• c99shell
• r57shell
• China Chopper, a web shell prominently by China-nexus advanced persistent threat (APT) groups

Both c99shell and r57shell are fully-featured web shells with features to execute arbitrary code or commands, perform file operations, deploy additional payloads, brute-force FTP servers, and remove themselves from compromised hosts.

WatchTowr Labs said it observed instances where some of the web shells were backdoored by the script maintainers to leak the locations where they were deployed, thereby inadvertently handing over the reins to other threat actors as well.

The development comes a couple of months after the company revealed it spent a mere $20 to acquire a legacy WHOIS server domain ("whois.dotmobiregistry[.]net") associated with the .mobi top-level domain (TLD), identifying more than 135,000 unique systems that were still communicating with the server even after it had migrated to "whois.nic[.]mobi."

These comprised various private companies, like VirusTotal, as well as mail servers for countless government, military, and university entities. The .gov addresses belonged to Argentina, Bangladesh, Bhutan, Ethiopia, India, Indonesia, Israel, Pakistan, The Philippines, Ukraine, and the U.S.

"It is somewhat encouraging to see that attackers make the same mistakes as defenders," watchTowr Labs said. "It's easy to slip into the mindset that attackers never slip up, but we saw evidence to the contrary – boxes with open web shells, expired domains, and the use of software that has been backdoored."