ANNOUNCEMENT: Security On-Demand Announces ThreatWatch Response and Remediation Service | SEE RELEASE
backdoor

Web Shells and How to Avoid the Backdoor Action We Really Don’t Want

By Evan Stewart

 

For many years, web shells have been used for legitimate administration and remote management of enterprise network assets. However, threat actors slowly started to twist web shells to serve their ploys for illegitimate gains. Now, malicious web shells are becoming a more popular means of attack.

What makes web shells attractive to threat actors? Why is the threat of malicious web shells becoming more common?

For threat actors, web shells come with inherent remote capabilities, while also providing a launch point for further intrusion. Though using web shells for malicious means is nothing new, there are three key reasons why their use is becoming more common.

Reason 1 – Ease of Access

Along with the recent attacks on Microsoft Exchange servers, the notorious China Chopper Trojan is an increasingly popular web shell attack engine. Web shells, like the China Chopper, offer a ready-made platform for nefarious actors to use backdoors and create persistent campaigns.

Through web shells, threat actors can compromise servers with built-in file and database management capabilities and code obfuscation capabilities – all with an easy-to-use graphical interface.

Reason 2 – A Stealthy Advantage Point

Typically, attackers take advantage of lapses in security, allowing for SQL injection, Remote File Inclusion (RFI), or zero-day exploits to establish themselves inside a network.  Once established, a web shell is then installed. In as little as 15 bytes, a web shell can emplace and establish remote administration of that now infected machine.

Web shells exist in a non-executable format such as a media file.  This is especially useful when trying to avoid detection. The media file is analyzed by the system and deemed safe, but when any server-side requests for that media file occur, the web shell is enabled.   By establishing themselves with such a small amount of code in a busy environment like a web server, attackers can remain hidden for a long time.

Reason 3 – A Way to Cover Their Tracks

The attackers will go as far as fixing the vulnerability they leveraged in order to prevent system admins from looking their way and to stop any other bad actors from exploiting that same weakness.  Then, the web shells are used for obfuscating commands to and from their Command and Control Server.

This is done either through the HTTP POST event or even hidden inside the user agent string exchanged with every session.  This hidden means of persistence guarantees the backdoor remains available to the attacker, and that contact to and from the compromised network is protected.

How to Protect Against Malicious Web Shells

There are various defense tactics security professionals can enact in order to protect themselves from the seemingly impossible act of detecting a malicious web shell. One tactic is to maintain visibility on web server event logs and to be aware of all internet facing assets.

A second tactic is to enable anti-virus and to regularly apply security patching. If an attacker has already established themselves, you can still detect them because script-based malware funnels into “natural” checkpoints such as “cmd.exe”, “powershell.exe” and “cscript.exe”. By monitoring for when these execute and then confirming legitimacy you will gain visibility into this potentially harmful activity.

If your assets are public facing, we recommend guaranteeing that proper segmentation has been established, which means confirming DMZ traffic cannot traverse further into a private network and that unnecessary access to services, assets and non-standard ports has been restricted.   Strong credential best practices can go a long way as well. By reducing the use of privileged local or domain admin accounts, attackers have less of a chance at compromising these super users.

Conclusion

Web shells aren’t going anywhere any time soon, and it is likely that these attacks will be even more difficult to remediate as the threat actors innovate.  In a time when quick payouts are tempting, bad actors are going to utilize whatever they can to get in and maintain persistence in your network.  Due diligence is a necessary part of any network setup, and if done correctly and maintained, your network can remain protected from such simple, yet sinister, compromises.

 

References:

https://www.darkreading.com/attacks-breaches/what-you-need-to-know—-or-remember—-about-web-shells/d/d-id/1340544?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

https://www.netsparker.com/blog/web-security/how-web-shells-work/

https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/

https://www.rsa.com/content/dam/en/solution-brief/asoc-threat-solution-series-webshells.pdf

https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html

https://www.acunetix.com/blog/articles/introduction-web-shells-part-1/