DEV Community

Mark0
Mark0

Posted on

UAT-7810 continues building ORB networks using new malware

Cisco Talos is actively tracking UAT-7810, a China-nexus Advanced Persistent Threat (APT) actor responsible for maintaining the LapDogs Operational Relay Box (ORB) network and continuously developing its custom malware. Recent findings highlight the evolution of their existing SHORTLEASH backdoor into a more advanced version, LONGLEASH. Additionally, Talos has uncovered new tools in UAT-7810's arsenal, including DOGLEASH, a C-based Linux backdoor, JARLEASH, a Java-based administrative backdoor, and LEASHTEST, a test binary specifically designed for MIPS-based IoT devices.

UAT-7810's operational strategy primarily involves exploiting known, unpatched vulnerabilities (n-day vulnerabilities) in networking devices, such as Ruckus wireless routers and ASUS AiCloud routers, to expand their ORB network. The threat actor leverages a dedicated infrastructure of VPS instances and an IP address located in Hong Kong to host and deploy these malicious payloads, which are adapted for various hardware architectures including MIPS, ARM, and x64. The presence of Simplified Chinese comments in JARLEASH's configuration suggests Chinese-speaking operators.

The malware suite exhibits advanced functionality. LONGLEASH functions as a sophisticated proxying and command-and-control (C2) framework, offering extensive network management and tunneling capabilities. DOGLEASH is designed for remote command execution and arbitrary shellcode deployment on compromised Linux systems. JARLEASH, on the other hand, provides comprehensive administrative features, including a web-based file management interface, FTP/SFTP servers, and Netcat services. The ongoing development, evidenced by the use of LEASHTEST to validate functionality on MIPS platforms, underscores UAT-7810's commitment to enhancing its malicious toolkit and expanding its reach.


Read Full Article

Top comments (0)