Chinese hackers expand ORB network with new malware

 

Chinese hackers expand ORB network with new malware

A Chinese hacking group tracked as UAT-7810 is evolving its malware toolkit to expand its Operational Relay Box (ORB) network by targeting internet-facing networking devices, mainly unpatched Ruckus routers, according to Cisco Talos.

The ORB network acts as a relay system for other China-linked hacking groups, including UAT-5918. By routing traffic through compromised devices in different regions, attackers can mask the activity as coming from legitimate local networks.

Researchers discovered several new malware samples used in the campaign, including Longleash, an upgraded version of the Shortleash backdoor, as well as a C-based backdoor called Dogleash, the Jarleash JAVA-based backdoor, and Leashtest, a Linux binary (ELF) that is used for testing rudimentary functionality on MIPS-based embedded devices.

The group mainly gains access by exploiting known security flaws in Ruckus routers and ASUS AiCloud routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717). Longleash provides new capabilities, as well as command-and-control communications, network tunneling, and web server hosting.

Cisco Talos also found that Dogleash allows attackers to run commands, access files, and execute code on infected Linux devices. Jarleash provides web-based file management and server tools, while Leashtest helps attackers check whether MIPS-based IoT devices can support the malware.

According to Cisco Talos, UAT-7810 continues to advance its ORB infrastructure by replacing older malware with Longleash and expanding its toolkit.


Back to the list