China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors
Cisco Talos has identified UAT-7810, a China-linked APT, expanding its Operational Relay Box (ORB) network with new malware families including LongLeash, DogLeash, and JarLeash. The actor primarily targets Ruckus wireless routers by exploiting known vulnerabilities across MIPS, ARM, and x64 architectures to establish persistent espionage infrastructure. LongLeash serves as an enhanced backdoor framework utilizing Nanopb and MbedTLS libraries, capable of acting as both a C&C client and an interme
Analysis
TL;DR
- Cisco Talos has identified UAT-7810, a China-linked APT, expanding its Operational Relay Box (ORB) network with new malware families including LongLeash, DogLeash, and JarLeash.
- The actor primarily targets Ruckus wireless routers by exploiting known vulnerabilities across MIPS, ARM, and x64 architectures to establish persistent espionage infrastructure.
- LongLeash serves as an enhanced backdoor framework utilizing Nanopb and MbedTLS libraries, capable of acting as both a C&C client and an intermediate server for command forwarding.
- The APT supports another group, UAT-5918, and employs diverse deployment methods, including Java containers for JarLeash and shell scripts with iptables rules for DogLeash.
- The discovery of LeashTest indicates ongoing testing and potential instability of the LongLeash framework specifically on MIPS platforms, suggesting active refinement of their toolkit.
Why It Matters
This development highlights the increasing sophistication of state-sponsored actors in repurposing consumer-grade IoT devices into robust espionage infrastructure, bypassing traditional enterprise security perimeters. For security practitioners, it underscores the critical need to patch legacy vulnerabilities in networking equipment, particularly those affecting widely deployed routers like Ruckus. Furthermore, the inter-group collaboration between UAT-7810 and UAT-5918 suggests a coordinated ecosystem of threat actors sharing resources, necessitating broader threat intelligence sharing and monitoring for cross-APT indicators.
Technical Details
- Malware Families: The update introduces LongLeash (an enhanced C&C/backdoor using Nanopb/MbedTLS), DogLeash (a C-based passive backdoor managed via shell scripts and iptables), and JarLeash (a Java-based backdoor deployed via container spawning scripts).
- Target Infrastructure: The campaign focuses on infecting SOHO routers, specifically targeting Ruckus devices with exploits for CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717.
- Capabilities: LongLeash functions as an intermediate server, forwarding commands and data between peers. It supports web server hosting, tunnel management, and acts as both a client and server. JarLeash includes features for web-based file management, FTP/SFTP servers, and netcat servers.
- Testing Artifacts: The presence of LeashTest, a non-malicious binary used to test functionality on MIPS platforms, serves as an Indicator of Compromise (IoC) and reveals the actor's focus on ensuring stability across different hardware architectures.
- Infrastructure Sharing: UAT-7810 provides hosting infrastructure for UAT-5918, with overlapping tooling but distinct tracking classifications, indicating a shared operational backbone.
Industry Insight
- IoT Security Hygiene: Organizations must prioritize the immediate patching of known vulnerabilities in network infrastructure, especially in edge environments where consumer or SOHO devices are often overlooked in enterprise security protocols.
- Threat Hunting: Security teams should monitor for specific IoCs related to the Leash family, such as unusual iptables rule modifications, unexpected Java container spawns, or connections to known malicious VPS IPs associated with UAT-7810.
- Collaborative Defense: Given the resource-sharing nature between UAT-7810 and UAT-5918, threat intelligence platforms should correlate activities across these groups to predict potential shifts in targeting or infrastructure usage, enhancing proactive defense strategies.
Disclaimer: The above content is generated by AI and is for reference only.