Webshells [0.1]

h3xadismal edited this page Sep 15, 2020 · 4 revisions

Overview

The ACSC reported in a recent advisory an increase in the use of open-source proof-of-concept exploits, code and tools. Webshell malware is one of the many tactics, techniques and procedures (TTPs) associated with the threat actor described in that advisory.

A webshell is a malicious web page placed on a web server by an attacker, who then uses it to remotely access the server and launch further attacks. Many webshell variants exist, but they share a common pattern: a file is uploaded to a web server so that remote access can be used to establish, escalate or maintain persistence on the system.

Detection Approach

Detection Artefact

Packs.CyberCX.Windows.WebshellSearch

Interpreting the Results

Investigations

Detecting webshells may be difficult, as they are easily modifiable and are often obfuscated. An alert for any potential webshell should be validated to identify the file's origin and authenticity.

PHP Webshell

A file with the .php extension has been identified which has the characteristics of a basic webshell: it is capable of running commands passed to it through a remote browser.

Securely access the .php script via a browser, passing 'whoami' as the parameter value, for example: website.name/script/location?cmd=whoami or website.name/script/location?xxx=whoami

If a SID, username or domain is returned, this may indicate that this is a webshell.

EternalBlue Exploit Script

Scripts exist to exploit a vulnerability in the Windows Server Message Block (SMB) protocol using the exploit known as EternalBlue. SMB is used on Windows systems to transfer data between computers, particularly for network shares, and is rarely disabled. Old versions of SMB contain vulnerabilities (including the one exploited by EternalBlue) which have since been fixed in more recent Windows updates.

Please note: the detected files do not execute on their own, but must be run by another component (such as a webshell) for the exploit to be used. Further investigation is required to determine whether the script has been executed.

  • Is the file in a standard location where scripts are typically run?
  • Is Python installed on the computer? To check, open a new terminal and type 'python'. If it is installed, the script could have been run.
  • When reviewing the contents of the file, compare it to the code hosted at this webpage. If it is similar or the same, then this is likely to be an EternalBlue exploit script.
  • Review the update schedule for all Windows computers and servers on the network to determine if any would be vulnerable to EternalBlue exploitation, or would have been at the time this file was created. If this can't be determined from the update schedule, the network should also be scanned to determine if any vulnerable computers are present.

Webshell with Encoded Malware

A basic webshell containing encoded malware was found. This webshell is likely intended to run malicious code.

Do not attempt to run this file outside of a secure environment or Virtual Machine. Doing so may run malicious code.

  • Review the file contents securely and identify any portions of code which consist of long runs of apparently random characters. These are likely to be Base64-encoded malware. If no such portions are present, this may be a false positive.

False Microsoft Exchange Logon Page

A webshell masquerading as a Microsoft Exchange Server logon page was identified. This page appears to be legitimate, but contains encoded malware files.

Do not attempt to run this file outside of a secure environment or Virtual Machine. Doing so may run malicious code.

  • Review the file contents securely and identify any portions of code which consist of long runs of apparently random characters. These are likely to be Base64-encoded malware. If no such portions are present, this may be a false positive.
  • Check the file location. If it is in the path where the logon page for a Microsoft Exchange Server is usually kept, it is likely a modified version of the original file.
  • Check both the creation date and last modification date for the file. If the modification date is more recent than the creation date, the file may have been modified to add additional malicious content.
  • The file may typically be named logon.aspx or something similar when in an active web server directory, to appear more legitimate. If it is named something different, it may be inactive.

Perl Reconnaissance Script

A script written in Perl was identified which gathers information about a computer and sends it to a remote server. This is not a webshell, but a webshell can run it for reconnaissance.

  • Is this file stored in a location from which scripts are typically run?
  • Investigate other files within the same directory, particularly files with the '.php' and '.aspx' extensions. These files may be webshells which can run the identified script.
  • Compare the file's extension with its contents. The contents will be Perl code, but the file is likely to carry a different extension.

Reverse Webshell

A basic webshell was identified which is capable of running commands passed to it as a parameter.

Securely access the .php script via a browser, passing 'whoami' as the parameter value, for example: website.name/script/location?cmd=whoami or website.name/script/location?xxx=whoami. If a SID, username or domain is returned, this may indicate that this is a webshell.
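The two sections above (PHP Webshell and Reverse Webshell) describe the same basic pattern: a PHP command-execution or eval sink fed directly from a request parameter. The following static triage check is an added example, not part of the artefact or the original page; the sample files, the sink list and the regular expressions are constructed here and are assumptions, so treat a match as a reason to review the file, not as proof.

```python
import re

# Constructed sample files (not from the page): a minimal command-executing
# webshell of the kind the section describes, a benign script that only echoes
# a request parameter, and a script with an exec sink but no request input.
SAMPLES = {
    "upload.php": "<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>",
    "greet.php": "<?php echo htmlspecialchars($_GET['name']); ?>",
    "cron.php": "<?php exec('/usr/bin/logrotate /etc/logrotate.conf'); ?>",
}

# PHP functions that hand a string to the OS shell or the interpreter (assumed list).
SINKS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
# Request-controlled superglobals a remote browser can set.
SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"

# A sink call whose argument list (up to the end of the statement) contains a
# request superglobal, e.g. system($_REQUEST['cmd']) or eval(base64_decode($_POST['x'])).
SINK_WITH_SOURCE = re.compile(SINKS + r"\s*\(\s*[^;]*?" + SOURCES, re.IGNORECASE)
# The backtick shell operator applied to a request value, e.g. `$_GET['c']`.
BACKTICK_SOURCE = re.compile(r"`[^`]*" + SOURCES + r"[^`]*`")

def classify_php(source: str) -> dict:
    """Static triage of PHP text: does a command/eval sink take its input
    straight from a request parameter (the basic webshell pattern)?"""
    has_source = re.search(SOURCES, source) is not None
    has_sink = re.search(SINKS + r"\s*\(", source, re.IGNORECASE) is not None
    chained = (SINK_WITH_SOURCE.search(source) is not None
               or BACKTICK_SOURCE.search(source) is not None)
    return {"request_input": has_source, "exec_sink": has_sink,
            "webshell_pattern": chained}

def triage(files: dict) -> list:
    """Return the names of files that match the basic webshell pattern."""
    return [name for name, src in files.items()
            if classify_php(src)["webshell_pattern"]]

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, classify_php(src))
    print("flagged:", triage(SAMPLES))
```

A sink with a constant argument (cron.php) and request input that never reaches a sink (greet.php) are not flagged, which keeps the check useful on a directory of legitimate PHP; obfuscated or indirect variants still need the manual review the page describes.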

Obfuscated and Encoded Webshell

A basic webshell was identified which contains encoded malware that has been heavily obfuscated.

Do not attempt to run this file outside of a secure environment or Virtual Machine. Doing so may run malicious code.

  • Review the file contents securely and identify any portions of code which consist of long runs of apparently random characters. These are likely to be Base64-encoded malware. If no such portions are present, this may be a false positive.

Resource File Containing Malware

A resource file was identified which contains encoded malware. This type of file is intended to be run by a webshell. Resource files, which typically have the '.resx' extension, store data used by other programs built with the Microsoft .NET development toolkit. The programs that use .resx files are typically stored in files with the extensions '.vb', '.vbs', '.wsf', '.aspx' or '.asax'.

  • Check whether this specific file has previously been associated with an '.aspx' webshell, and check for other files of that type in the same folder as this file.
  • Open the file in a text editor. It should contain XML-style formatting with a large encoded text segment, appearing as random values, partway through the file. If it does not contain both of these, this may be a false positive.
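The encoded-malware sections above (Webshell with Encoded Malware, False Microsoft Exchange Logon Page, Obfuscated and Encoded Webshell) and the .resx check all come down to locating a large Base64 segment and judging whether it is a payload. The script below is an added example, not part of the artefact or the original page: it finds long Base64 runs that actually decode, scores the decoded bytes by entropy, and applies the same check to each <data> element of a .resx document. The sample .resx, the 200-character threshold and the entropy scoring are constructed assumptions.

```python
import base64
import binascii
import math
import re
import xml.etree.ElementTree as ET

MIN_RUN = 200  # assumed threshold: Base64 runs at least this long are worth a look
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed, encrypted or packed payloads approach 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def find_encoded_blobs(text: str) -> list:
    """Return (offset, length, decoded_entropy) for every long run of Base64
    alphabet that actually decodes; runs that fail to decode are dropped."""
    hits = []
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        try:
            decoded = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        hits.append((m.start(), len(run), round(shannon_entropy(decoded), 2)))
    return hits

def resx_suspicious_values(xml_text: str) -> list:
    """Parse a .resx document and report each <data> element whose <value>
    carries a long encoded blob: (name, type attribute, blobs)."""
    findings = []
    for data in ET.fromstring(xml_text).iter("data"):
        blobs = find_encoded_blobs(data.findtext("value") or "")
        if blobs:
            findings.append((data.get("name"), data.get("type", ""), blobs))
    return findings

# Constructed sample (not a real artefact): a benign string resource beside a
# 512-byte high-entropy byte array stored the way .resx stores binary resources.
PAYLOAD_B64 = base64.b64encode(bytes(range(256)) * 2).decode()
SAMPLE_RESX = f"""<root>
  <data name="Greeting" xml:space="preserve"><value>Hello</value></data>
  <data name="Blob" type="System.Byte[], mscorlib"
        mimetype="application/x-microsoft.net.object.bytearray.base64">
    <value>{PAYLOAD_B64}</value>
  </data>
</root>"""

if __name__ == "__main__":
    for name, rtype, blobs in resx_suspicious_values(SAMPLE_RESX):
        print(name, rtype, blobs)
```

A finding only means a large encoded segment exists; legitimate .resx files store icons and images the same way, so the decoded entropy and the file's location and neighbours (the '.aspx' check above) decide whether it is the false positive the page warns about.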

Need Help?

If you've followed the steps above, but still believe your system may have been compromised, please refer to our wiki for more information about how to contact the CyberCX Digital Forensics and Incident Response (DFIR) team.

Revision History

[v0.1]: