Article Title:
Cybercriminals Exploit Nezha Monitoring Tool for Stealthy Remote Access
In a concerning development, cybersecurity experts at Ontinue’s Cyber Defense Center have identified that threat actors are repurposing Nezha, an open-source server monitoring tool, to gain unauthorized remote access to systems. This tactic allows attackers to maintain control over compromised machines while evading traditional security measures.
Understanding Nezha’s Legitimate Use
Nezha is a widely recognized tool within the Chinese IT community, boasting nearly 10,000 stars on GitHub. It is designed to assist administrators in monitoring multiple servers, tracking resource usage, and performing remote maintenance tasks. The tool operates through a central dashboard server that coordinates lightweight agents installed on monitored systems. These agents enable functionalities such as system health observation, command execution, file transfers, and interactive terminal sessions.
The Malicious Exploitation of Nezha
The same features that make Nezha valuable for legitimate purposes have attracted malicious actors seeking undetected remote access. During a post-exploitation investigation, Ontinue analysts discovered that attackers had deployed Nezha agents on compromised systems. A deployment bash script revealed critical details about the attacker’s infrastructure, including command and control (C2) server addresses, authentication tokens, and a disabled TLS configuration. Notably, the script contained Chinese-language status messages, suggesting it was authored by a native speaker.
Scale and Impact of the Attack
The attackers managed to compromise hundreds of endpoints using this technique, highlighting the significant scale of the threat. The bash script pointed to a C2 server hosted on Alibaba Cloud services with an IP address geolocated to Japan. The installation of the Nezha agent occurred silently on target systems, with detection only triggering when attackers executed commands through the agent. Ontinue researchers accessed the threat actor’s dashboard in a sandbox environment, uncovering the full extent of the compromised infrastructure.
Technical Details and Evasion Tactics
When deployed, the Nezha agent runs with SYSTEM privileges on Windows and root access on Linux, as it requires elevated permissions to read system metrics and manage processes. This means that when attackers request terminal sessions, the shell operates with full administrative capabilities, eliminating the need for privilege escalation that might alert defenders. Furthermore, the legitimate Nezha binary achieved zero detections across 72 security vendors on VirusTotal, as it contains no malicious code—only misconfigured C2 endpoints. This makes detection evasion trivial for attackers.
Recommendations for Organizations
Organizations are advised to immediately hunt for the presence of Nezha agents within their networks. Implementing behavioral monitoring can help identify suspicious terminal activity and file operations that may indicate a compromise. By staying vigilant and proactive, organizations can mitigate the risks associated with this emerging threat.
