Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious | Datadog Security Labs

MITRE Techniques

• [T1059.004 ] Command and Scripting Interpreter: Unix Shell – Orchestrating the attack via zx.sh and executing specialized shell scripts like bt.sh and 4zdh.sh (‘zx.sh is the initial entry point executed once an attacker gains access. It functions as an orchestrator, executing subsequent stages through standard utilities like curl or wget.’).
• [T1505.004 ] Server Software Component: IIS Components (Nginx equiv.) – Persisting by modifying Nginx configuration files to add malicious location blocks that redirect traffic (‘the script saves the original line to a temporary file before adding the malicious configuration…the existing configuration file is ultimately overwritten with the newly appended malicious configuration’).
• [T1027 ] Obfuscated Files or Information – Using alternative Bash /dev/tcp raw TCP functions to download/upload data when standard tools like curl or wget are missing or monitored (‘it includes a Bash function capable of creating a raw TCP connection to send an HTTP request.’).
• [T1083 ] File and Directory Discovery – Scanning common Nginx and Baota paths to locate configuration files for injection (‘targets common Nginx configuration locations, such as /etc/nginx/sites-enabled, /etc/nginx/conf.d, and /etc/nginx/sites-available, in addition to looking for the Baota Management Panel’).
• [T1082 ] System Information Discovery – Extracting server_name and proxy_pass values to identify domains and backend architectures for template selection (‘The script then iterates through the existing configuration file, examining each line to locate the server_name directive…selection is based on the top-level domain (TLD)’).
• [T1557 ] Adversary-in-the-Middle (AiTM) – Intercepting and preserving request headers while proxying traffic to attacker-controlled backends to mediate user-server communications (‘proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://[Attacker_Domain];’).
• [T1041 ] Exfiltration Over C2 Channel – Uploading collected Nginx hijack mappings and reports to a C2 server at 158.94.210[.]227 (‘The temporary file is then exfiltrated to the attacker’s command and control (C2) server, located at 158.94.210[.]227.’).