Source: Ink Drop via Alamy Stock Photo
Asian threat actors have been purchasing access to misconfigured websites belonging to often high-value organizations for chump change.
Forget Cyber Monday at Target: a college student in Bangladesh has been doling out the cyber deal of the century for a year and a half now. Researchers at Cyderes’ Howler Cell recently communicated with an individual who claims to be a college student in Bangladesh, with aspirations to one day be a red team cyber defender, and has been funding his education by selling access to vulnerable websites on Telegram for three or four dollars a pop. For websites belonging to large, even globally recognized universities, law enforcement bodies, military organizations, courts, attorneys general, etc., just $200.
It hints at a bigger picture: that while many of this hacker’s customers are, indubitably, financially motivated, some appear to be after something greater: espionage. As further evidence to the point, a subset of buyers has been using the cheap sites to deploy a sophisticated and long-undetected command-and-control (C2) tool called "Beima."
Websites for Sale on Telegram
"We started with [the] student hacker, and as we dug into it, we saw that there was just a much larger ecosystem," recalls Brian Hussey, senior vice president of Cyderes’ Howler Cell.
On certain Telegram channels, a whole ecosystem of low- to mid-grade threat actors are doing the exact same thing: some of them making their bones by finding and exploiting low-hanging misconfigured Web servers, and some of them packaging the shells necessary to exploit those sites, too. Caps-lock- and emoji-soaked text bubble posts advertise .edu, .gov, and .com sites for the taking, with payments handled in cryptocurrencies.
Others buy that access and those shells, or use their own exploit tools, and perform the actual cyberattacks. Hussey noticed on these channels how "there were students, there were security researchers, there were people that were otherwise gainfully employed just dropping in and doing one small portion of the overall cybercriminal process."
In this particular case study, our student-hacker of note has been harvesting vulnerable WordPress sites, and sites improperly managed using cPanel. In some cases, for instance, admins leave behind the WordPress installer, which an intruder can use to re-run the installation process and gain control of the site. Hackers can also take advantage of weak and default administrator panel credentials, and exposed environment configuration (.env) files containing sensitive data like credentials, application programming interface (API) keys, etc.
The Best Deal in Cybercrime
Like a shopkeeper organizing their shelves with new stock, the student hacker collects the many websites he tags into a botnet and, from its panel, manages and distributes them to various buyers. He’s currently selling more than 5,200, belonging to organizations across the globe but primarily concentrated in Asia (72% of the total). The most represented country in the trove is Indonesia, with others from India and other South and Southeast Asian countries, as well as Brazil, Libya, the United States, etc.
Nearly half of his compromised sites come from the education sector, and another quarter from the government sector. These are also the sites that command far higher prices: up to $220, compared to some more ordinary sites he sells for just three or four dollars apiece.
This significant bias almost certainly reflects the preference of his buyers: primarily Chinese, Malaysian, and Indonesian threat actors. It also suggests that these buyers may not simply be financially motivated, as public institutions and universities tend to be relatively more valuable to threat actors engaged in opportunistic espionage.
The Beima Webshell
In 80 cases observed by Cyderes, the student-hacker’s sites were infected with the previously undocumented Beima webshell.
Against the backdrop of a plucky, one-man website selling operation, Beima stands out as peculiarly high-grade. It’s a Chinese-language program capable of doing everything a shell is supposed to — uploading malware, stealing a variety of data, and general command-and-control (C2) — but with a few stealth mechanisms to cover for all of that malicious functionality.
The program only accepts encrypted commands, and decrypts them using a hardcoded RSA key. It communicates with the attacker’s panel using JSON, blending in C2 with ordinary Web application programming interface (API) calls. And if an attacker wants to upload a payload to the victim’s server, Beima adds it to a random directory, and manipulates its timestamp to some point six to 12 months prior. This little deception helps the payloads skip past any program looking for new or recently modified files in any particular location it might expect malware to be.
The shell itself is also relatively innocuous — only malicious in the context of how it’s being used. So beyond its little tricks, Hussey says, "that’s why the traditional security vendors [miss it] — because they’re detecting malware with the help of a virus signature database," and it doesn’t register as obviously malicious. According to Cyderes, Beima is "currently completely undetectable by modern security tools."
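A defender-side audit of the two things the article describes, the leftover-installer and exposed .env misconfigurations the student hacker harvests and the pushed-back timestamps Beima uses to hide payloads, as an added example that is neither Cyderes' nor the author's code. It assumes a Linux-style filesystem where userspace can rewrite mtime but not ctime, and the 180-day gap and 7-day "recent" window are illustrative thresholds, not values from the article.

```python
"""Webroot hygiene audit (added example, not Cyderes' or Beima-specific code).

Flags three conditions described in the article:
  * a leftover WordPress installer (wp-admin/install.php)
  * environment files (.env) sitting inside the document root
  * files whose modification time (mtime) has been pushed months into the
    past while the inode change time (ctime) is recent: a timestomping
    indicator, because utime()-style calls rewrite mtime but the kernel
    sets ctime itself and userspace cannot backdate it on Linux.
Thresholds and path names are assumptions chosen for illustration.
"""
import time
from pathlib import Path

LEFTOVER_INSTALLER = Path("wp-admin") / "install.php"  # WordPress installer
TIMESTOMP_GAP_SECONDS = 180 * 24 * 3600                  # assumed: ~6 months
RECENT_CTIME_SECONDS = 7 * 24 * 3600                     # assumed: last 7 days


def find_timestomped(root, now=None):
    """Return files whose mtime is far older than a recent ctime."""
    now = time.time() if now is None else now
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        recent_change = now - st.st_ctime <= RECENT_CTIME_SECONDS
        backdated = st.st_ctime - st.st_mtime >= TIMESTOMP_GAP_SECONDS
        # Caveat: restores with `cp -p` or tar also preserve old mtimes with
        # a fresh ctime, so correlate hits with deployment/backup records.
        if recent_change and backdated:
            hits.append(str(path))
    return sorted(hits)


def audit_webroot(root, now=None):
    """Run all three checks against a document root and return findings."""
    root = Path(root)
    findings = {"leftover_installer": [], "exposed_env": [], "timestomped": []}
    installer = root / LEFTOVER_INSTALLER
    if installer.is_file():
        findings["leftover_installer"].append(str(installer))
    findings["exposed_env"] = sorted(str(p) for p in root.rglob(".env")
                                     if p.is_file())
    findings["timestomped"] = find_timestomped(root, now)
    return findings
```

Run `audit_webroot("/var/www/html")` (or whatever the document root is) as the web server's user; each non-empty list is something to remove, move outside the docroot, or investigate as a possible planted payload.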
About the Author
Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."