{"id":90543,"date":"2020-02-04T09:30:40","date_gmt":"2020-02-04T17:30:40","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=90543"},"modified":"2023-09-11T16:26:43","modified_gmt":"2023-09-11T23:26:43","slug":"ghost-in-the-shell-investigating-web-shell-attacks","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/02\/04\/ghost-in-the-shell-investigating-web-shell-attacks\/","title":{"rendered":"Ghost in the shell: Investigating web shell attacks"},"content":{"rendered":"

Recently, an organization in the public sector discovered that one of their internet-facing servers was misconfigured and allowed attackers to upload a web shell, which let the adversaries gain a foothold for further compromise. The organization enlisted the services of Microsoft\u2019s Detection and Response Team (DART) to conduct a full incident response and remediate the threat before it could cause further damage.<\/p>\n

DART\u2019s investigation showed that the attackers uploaded a web shell in multiple folders on the web server, leading to the subsequent compromise of service accounts and domain admin accounts. This allowed the attackers to perform reconnaissance using net.exe,<\/em> scan for additional target systems using nbtstat.exe<\/em>, and eventually move laterally using PsExec.<\/p>\n

The attackers installed additional web shells on other systems, as well as a DLL backdoor on an Outlook Web Access (OWA) server. To persist on the server, the backdoor implant registered itself as a service or as an Exchange transport agent<\/a>, which allowed it to access and intercept all incoming and outgoing emails, exposing sensitive information. The backdoor also performed additional discovery activities as well as downloaded other malware payloads. In addition, the attackers sent special emails that the DLL backdoor interpreted as commands.<\/p>\n


Figure 1. Sample web shell attack chain<\/em><\/p>\n

The case is one of a growing number of web shell attacks affecting organizations across many sectors. A web shell is a piece of malicious code, often written in a typical web development language (e.g., ASP, PHP, JSP), that attackers implant on a web server to gain remote access to and code execution on that server. Web shells allow adversaries to execute commands and steal data from the web server, or to use the server as a launch pad for further attacks against the affected organization.<\/p>\n

With the use of web shells in cyberattacks on the rise, Microsoft\u2019s DART, the Microsoft Defender ATP Research Team, and the Microsoft Threat Intelligence Center (MSTIC) have been working together to investigate and closely monitor this threat.<\/p>\n

Web shell attacks in the current threat landscape<\/h2>\n

Multiple threat actors, including ZINC<\/a>, KRYPTON<\/a>, and GALLIUM<\/a>, have been observed utilizing web shells in their campaigns. To implant web shells, adversaries take advantage of security gaps in internet-facing web servers, typically vulnerabilities in web applications, for example CVE-2019-0604<\/a> or CVE-2019-16759<\/a>.<\/p>\n

In our investigations into these types of attacks, we have seen web shells within files that attempt to hide or blend in by using names commonly used for legitimate files in web servers, for example:<\/p>\n