AI Security AI安全 2d ago Updated 2d ago 更新于 2天前 46

China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware 中国关联UAT-7810利用新型LONGLEASH恶意软件扩展ORB网络

UAT-7810, a China-linked APT group, is expanding its Operational Relay Box (ORB) network by compromising internet-facing networking devices. The group has evolved its malware from ShortLeash to LONGLEASH, adding sophisticated proxying capabilities and self-preservation mechanisms. New tools include DOGLEASH, a passive backdoor for Linux, and LEASHTEST, an ELF binary for testing functionality on MIPS-based embedded devices. Attack campaigns exploit known vulnerabilities in Ruckus and ASUS routers 中国关联APT组织UAT-7810正在通过入侵面向互联网的网络设备来扩展其运营中继箱(ORB)网络“LapDogs”。 该组织开发了新型恶意软件LONGLEASH,具备代理功能、中间C2服务器角色及自我擦除能力,以增强隐蔽性和持久性。 攻击链利用Ruckus和ASUS路由器中的已知漏洞(如CVE-2020-22653、CVE-2025-2492),并部署了DOGLEASH、JARLEASH等未公开工具。 UAT-7810为其他次级威胁行为者(如针对台湾关键基础设施的UAT-5918)提供基础设施支持,形成多层级的网络攻击生态。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • UAT-7810, a China-linked APT group, is expanding its Operational Relay Box (ORB) network by compromising internet-facing networking devices.
  • The group has evolved its malware from ShortLeash to LONGLEASH, adding sophisticated proxying capabilities and self-preservation mechanisms.
  • New tools include DOGLEASH, a passive backdoor for Linux, and LEASHTEST, an ELF binary for testing functionality on MIPS-based embedded devices.
  • Attack campaigns exploit known vulnerabilities in Ruckus and ASUS routers, such as CVE-2025-2492, to establish persistent access.
  • The ORB infrastructure is shared with secondary actors like UAT-5918 to target critical infrastructure, particularly in Taiwan.

Why It Matters

This development highlights the increasing sophistication of state-sponsored threat actors in building resilient, multi-layered command-and-control infrastructures through compromised consumer and enterprise networking hardware. For security practitioners, it underscores the critical risk posed by unpatched vulnerabilities in internet-facing routers and embedded devices, which serve as foundational nodes for broader cyber espionage campaigns. Understanding these relay networks is essential for detecting lateral movement and attributing attacks to larger APT groups.

Technical Details

  • LONGLEASH Malware: The successor to ShortLeash, featuring an executor component that proxies traffic via HTTP, DNS, SOCKS, TCP, ICMP, and UDP. It acts as an intermediate C2 server, relaying commands between primary C2 and peers, and includes anti-tampering features to remove itself if compromised.
  • DOGLEASH Backdoor: A passive backdoor deployed on compromised Linux devices, capable of executing arbitrary shellcode. UAT-7810 hosts multiple variations on dedicated servers to target different victims.
  • JARLEASH Administration Tool: A Java-based JAR package used for administrative tasks on compromised servers, providing file management, FTP, SFTP, and Netcat capabilities.
  • LEASHTEST Utility: An ELF binary designed to test specific functionalities, such as thread creation, child processes, and async timers, specifically on MIPS-based embedded devices, indicating ongoing refinement for this architecture.
  • Exploitation Vectors: Attacks leverage known vulnerabilities in unpatched Ruckus wireless routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) and ASUS AiCloud Routers (CVE-2025-2492) to gain initial access and expand the ORB network.

Industry Insight

  • Organizations must prioritize the patching of internet-facing networking equipment, especially routers from vendors like Ruckus and ASUS, as these devices are prime targets for establishing persistent backdoors.
  • Security operations should monitor for unusual outbound traffic patterns indicative of proxying or relay activities, as APT groups increasingly use compromised devices as intermediaries to obscure their true command-and-control sources.
  • Threat intelligence sharing regarding specific malware variants like LONGLEASH and DOGLEASH should be disseminated quickly to help defenders identify indicators of compromise across MIPS and Linux-based embedded systems.

TL;DR

  • 中国关联APT组织UAT-7810正在通过入侵面向互联网的网络设备来扩展其运营中继箱(ORB)网络“LapDogs”。
  • 该组织开发了新型恶意软件LONGLEASH,具备代理功能、中间C2服务器角色及自我擦除能力,以增强隐蔽性和持久性。
  • 攻击链利用Ruckus和ASUS路由器中的已知漏洞(如CVE-2020-22653、CVE-2025-2492),并部署了DOGLEASH、JARLEASH等未公开工具。
  • UAT-7810为其他次级威胁行为者(如针对台湾关键基础设施的UAT-5918)提供基础设施支持,形成多层级的网络攻击生态。

为什么值得看

本文揭示了国家级APT组织如何通过构建去中心化的中继网络(ORB)来降低被追踪风险并扩大攻击面,为理解高级持续性威胁的基础设施架构提供了最新案例。对于网络安全从业者而言,了解LONGLEASH等新型恶意软件的技术细节及针对特定硬件平台的测试策略,有助于优化检测规则和防御体系。

技术解析

  • LONGLEASH恶意软件特性:作为ShortLeash的继任者,LONGLEASH不仅包含执行器组件,支持通过HTTP、DNS、SOCKS、TCP、ICMP和UDP协议进行代理连接,还能充当中间C2服务器转发命令。它具备客户端授权管理及检测到篡改时自动清除植入物和痕迹的能力。
  • 辅助工具集:除了主恶意软件,UAT-7810还使用了被动后门DOGLEASH(可在Linux设备上执行任意shellcode)、用于MIPS嵌入式设备功能测试的ELF二进制文件LEASHTEST,以及用于文件管理和FTP/SFTP控制的Java后门JARLEASH。
  • 攻击向量与漏洞利用:攻击者主要利用未修补的路由器漏洞,包括Ruckus无线路由器的CVE-2020-22653、CVE-2020-22658、CVE-2023-25717,以及华硕AiCloud路由器的CVE-2025-2492,旨在建立持久的网络接入点。
  • 基础设施部署:研究人员发现UAT-7810使用至少四个新服务器托管DOGLEASH的各种变体,并在其中一台服务器上部署JARLEASH进行管理,显示出其基础设施管理的复杂化和多样化。

行业启示

  • 重视边缘设备安全:鉴于攻击者频繁利用消费级和企业级路由器作为跳板,组织应严格审查互联网暴露面的网络设备固件更新,并实施严格的访问控制策略,防止未授权的设备被纳入僵尸网络。
  • 监测异常C2通信模式:LONGLEASH的多协议代理和中间节点特性使得传统基于域名的C2检测可能失效,安全团队需加强对异常网络流量模式(如非标准端口的DNS隧道、ICMP异常数据)的深度包检测和分析。
  • 供应链与生态协同防御:APT组织间的协作关系(如UAT-7810支持UAT-5918)表明威胁是系统性的,企业和监管机构应加强情报共享,关注针对关键基础设施的跨组织攻击趋势,提前布局防御措施。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Research 科学研究