A China-associated advanced persistent threat (APT) group has bolstered its cyber espionage arsenal with new backdoor programs, according to Cisco’s Talos researchers. This group, identified as UAT-7810, has been constructing an operational relay box (ORB) network to facilitate its spying activities.
Enhanced Espionage Campaigns
UAT-7810 has been involved in a long-term espionage operation called LapDogs, involving the infection of over 1,000 small office and home office (SOHO) routers with the ShortLeash backdoor, as reported by SecurityScorecard last year. Recent findings reveal the emergence of an updated variant named LongLeash, alongside additional malware families termed DogLeash and JarLeash.
The primary targets of UAT-7810 are vulnerabilities in Ruckus wireless routers, specifically CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. The group exploits these vulnerabilities using payloads compatible with various architectures, such as MIPS, ARM, and x64.
Technical Advancements and Infrastructure
Talos researchers identified three IP addresses linked to virtual private server (VPS) instances utilized by UAT-7810 for downloading payloads. Additionally, four new servers were detected hosting harmful payloads like DogLeash and associated shell scripts. These servers are part of a broader campaign known as Operation WrtHug, which targets Asus AiCloud Routers.
UAT-7810 also shares infrastructure with another China-linked APT, UAT-5918. Although these groups have overlapping tools, they are tracked as separate entities. The newly discovered LongLeash backdoor extends the functionalities observed in ShortLeash, incorporating features such as command-and-control (C&C) communication, web server hosting, tunnel management, and more.
Further Details on Backdoor Capabilities
LongLeash is built on the same codebase as its predecessor but includes code from the Nanopb and MbedTLS open-source libraries. This backdoor can serve as an intermediate server, relaying commands and data between the C&C and other nodes. DogLeash, a C-based passive backdoor, and JarLeash, a Java-based backdoor, add to the group’s capabilities.
DogLeash is deployed via a script that configures iptables rules, allowing TCP traffic to specific ports, and can execute a range of commands based on inputs from the C&C. JarLeash offers straightforward access to compromised systems and can host a file management interface and run FTP and SFTP servers.
Future Implications and Monitoring
In addition to deploying backdoors, UAT-7810 has developed LeashTest, a tool to assess functionality on the MIPS platform. Although this binary is not inherently malicious, its presence can indicate potential compromise.
The continued development and testing of tools like LeashTest suggest that UAT-7810 is striving to optimize its techniques across various platforms. This ongoing evolution of its toolkit underscores the need for vigilant monitoring and robust security measures to counteract such sophisticated cyber threats.
