
Expired Domains Allowed Control Over 4,000 Backdoors on Compromised Systems

In an unusual operation, cybersecurity firm watchTowr Labs has taken control of more than 4,000 unique web backdoors previously deployed by various threat actors, all by registering expired and abandoned domains that the backdoors still called back to. In some cases a domain cost as little as $20, showing how fragile attacker infrastructure can be once its operators stop maintaining it.

The operation, executed in collaboration with the Shadowserver Foundation, involved registering more than 40 domain names that the backdoors had previously used for command-and-control (C2). These domains were sinkholed, so that the beacons which would otherwise have reached the original operators arrived at infrastructure the researchers controlled, and the results have been eye-opening.

“We have been hijacking backdoors that were reliant on now abandoned infrastructure and/or expired domains, which themselves existed inside backdoors. Since taking control, we’ve been observing the results flood in,” said watchTowr Labs CEO Benjamin Harris and researcher Aliz Hammond in a technical write-up released last week.

Hijacking Web Backdoors

The core of this operation revolved around taking control of domains tied to compromised systems. The backdoors in question were web shells: scripts (here, mostly PHP) dropped onto a compromised web server that give whoever knows their location persistent remote access, and which cybercriminals typically use for follow-up exploitation after the initial break-in. These shells vary in sophistication and functionality, but the common denominator is that each one keeps a door open for further malicious activity, and many of them contact a hard-coded domain when they are loaded.

In this case, watchTowr Labs was able to track compromised hosts as they "reported in" to the hijacked domains. Controlling those domains would, in principle, also have allowed the researchers to issue commands to the compromised hosts, a power they describe as theoretical and a rare opportunity for defenders to take infrastructure away from the threat actors.

“By hijacking these backdoors, we not only tracked compromised hosts, but we also gained the theoretical power to commandeer them, providing us with unprecedented insight into ongoing cyberattacks,” said Harris and Hammond.

Targets and Scope of the Operation

The operation revealed a wide range of compromised targets, including government entities in Bangladesh, China, and Nigeria, as well as academic institutions across China, South Korea, and Thailand. The targets were identified from beaconing activity: the connections that compromised systems make back to their command-and-control servers, which in this case were now answered by the sinkhole.
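The identification step described above, as an added example that is not watchTowr's or Shadowserver's tooling: a small analyser for the web server log of a sinkhole that answers the hijacked domains. The log format (Apache-style with the virtual host first), the domain names, the IP addresses, and the idea that some beacons carry the install URL of the shell in a query parameter are all constructed assumptions for this example. The sinkhole's job is only to record who connects; it never sends anything back that a shell could interpret as a command.

```python
"""Summarise beacons hitting a sinkhole for hijacked backdoor domains.

Constructed example. Input: Apache-style access log lines prefixed with the
virtual host (%v), one line per beacon. Output: per hijacked domain, how many
requests and distinct source IPs were seen, plus any victim URL that a beacon
reported about itself in its query string.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Looks like a host name, optionally with a scheme and path: the shape a shell
# uses when it reports where it was installed (assumed pattern, not observed).
HOSTLIKE_RE = re.compile(r"^(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/|$)")

# Constructed sample log lines (RFC 5737 addresses, .test domains).
SAMPLE_LOG = [
    'stats.example-c99.test 203.0.113.7 - - [08/Jan/2025:10:15:02 +0000] '
    '"GET /ping.php?u=www.victim.test%2Fupload%2Fimg.php HTTP/1.1" 200 2 "-" "-"',
    'stats.example-c99.test 198.51.100.23 - - [08/Jan/2025:10:15:40 +0000] '
    '"GET /ping.php?u=portal.example-gov.test%2Fimages%2Fshell.php HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
    'update.example-r57.test 203.0.113.7 - - [08/Jan/2025:10:16:11 +0000] '
    '"POST /check.php HTTP/1.0" 200 2 "-" "-"',
    'this line is corrupt and must be skipped',
    'stats.example-c99.test 192.0.2.9 - - [08/Jan/2025:10:17:00 +0000] '
    '"GET /robots.txt HTTP/1.1" 200 2 "-" "Mozilla/5.0 (compatible; scanner)"',
]


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs already percent-decodes values; keep the first value per key.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def reported_victim(rec):
    """First query value that looks like a host/URL, i.e. the shell telling us where it lives."""
    for value in rec["query"].values():
        if HOSTLIKE_RE.match(value):
            return value
    return None


def summarize(lines):
    """Aggregate beacons per hijacked domain (the vhost the request was sent to)."""
    acc = defaultdict(lambda: {"requests": 0, "sources": set(), "victims": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # corrupt or non-matching line
        entry = acc[rec["vhost"].lower()]
        entry["requests"] += 1
        entry["sources"].add(rec["src"])
        victim = reported_victim(rec)
        if victim:
            entry["victims"].add(victim)
    return {
        domain: {
            "requests": e["requests"],
            "sources": len(e["sources"]),
            "victims": sorted(e["victims"]),
        }
        for domain, e in acc.items()
    }


if __name__ == "__main__":
    for domain, stats in summarize(SAMPLE_LOG).items():
        print(domain, stats)
```

Distinct source IPs, not request counts, are the figure worth reporting: a single compromised host may beacon on every page load. A scanner that merely probes the domain (the last sample line) shows up as a source with no reported victim, which is why the two counts are kept apart.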

The backdoors themselves varied in their design and capabilities. Some were simple web shells that executed attacker-provided commands using PHP code, while others were far more sophisticated. Notable examples included:

  • c99shell: A fully-featured web shell capable of executing arbitrary commands, performing file operations, deploying additional payloads, brute-forcing FTP servers, and removing itself from compromised hosts.
  • r57shell: Similar to c99shell, r57shell also boasts features such as arbitrary command execution, file manipulation, and payload deployment.
  • China Chopper: A very small web shell, commonly used by China-nexus advanced persistent threat (APT) groups, that evaluates whatever code the operator sends in a request parameter.

watchTowr Labs also observed that some of these backdoors had themselves been backdoored by whoever distributed the scripts: a hidden callback reported where each copy had been installed to a domain the distributor controlled. Once that domain expired, the same callback handed the list of deployments, and with it potential control over them, to whoever registered the domain next, further complicating the picture.

The $20 WHOIS Server Domain Hijacking

This operation follows an earlier revelation from watchTowr Labs, where they spent a mere $20 to acquire the domain of the legacy WHOIS server for the .mobi top-level domain (TLD). The WHOIS service had since moved to "whois.nic[.]mobi", yet the company identified more than 135,000 unique systems that were still querying the old, now attacker-controllable, server name.

The systems that continued to communicate with the abandoned WHOIS server spanned a wide array of sectors, including private companies like VirusTotal, and mail servers for government, military, and academic institutions across countries such as Argentina, Bangladesh, India, Israel, Pakistan, and the United States.

“It is somewhat encouraging to see that attackers make the same mistakes as defenders,” said watchTowr Labs. “It’s easy to slip into the mindset that attackers are always perfect, but we saw clear evidence to the contrary—systems with open web shells, expired domains, and the use of software that had been backdoored.”

Implications for Cybersecurity

This discovery highlights the significant risk posed by abandoned and expired domains, which can be hijacked and repurposed cheaply by anyone who notices them. It also underscores the value of proactive measures: monitoring which domains your own systems and software still depend on, and finding and removing web shells left behind by earlier compromises, since a dormant backdoor remains open to whoever acquires its callback domain.

For organizations with compromised systems or outdated infrastructure, the operation serves as a stark reminder of the ongoing vulnerabilities that can persist long after a breach. Cybersecurity experts are calling for a greater focus on infrastructure hygiene, regular audits of domain assets, and stronger measures to prevent backdoor access to critical systems.

As attack surfaces evolve, these findings from watchTowr Labs provide insight into how cybercriminals operate and neglect their infrastructure, and show one way in which defenders can turn the tables on adversaries.