Web Shells Gain Sophistication for Stealth, Persistence

A favorite post-exploitation tool continues to gain sophistication, with one recent example adding disguised log-in pages, credential stealing, and information gathering via services such as VirusTotal.

4 Min Read
An eye with code overlapped on top
Source: Alena Ivochkina via Alamy Stock Photo

Web shells, a common type of post-exploitation tool that provides easy-to-use interface through which to issue commands to a compromised server, have become increasingly popular as attackers become more cloud-aware, experts say.

A Web shell known as WSO-NG was recently seen disguising its login site as a 404 "Page Not Found" splash page, gathering information about potential targets through legitimate services such as VirusTotal, and scanning for metadata related to Amazon Web Services as a pathway to stealing developers' credentials, internet management firm Akamai stated in an analysis posted on Nov. 22. Other Web shells have been deployed by the Cl0p and C3RB3R ransomware gangs, the latter which exploited servers running Atlassian Confluence enterprise server in a mass exploitation campaign earlier this month.

Web shells have become an easy-to-use way of issuing commands to compromised servers as attackers increasingly target cloud resources, says Maxim Zavodchik, threat research director at Akamai.

"Today, the attack surface that Web applications — not just APIs — allows is really large," he says. "So when you're exploiting a Web vulnerability, the easiest next step will be to deploy a Web platform — an implant, something that is not a binary, but talks the same language as the Web server."

Akamai focused on WSO-NG following its use in a massive campaign targeting Magento 2 e-commerce shops, but other groups use different Web shells. The Cl0p ransomware group, for example, dropped the DEWMODE and LEMURLOOT Web shells, respectively, after exploiting vulnerabilities in Kiteworks Accellion FTA in 2020 and Progress Software's MOVEit managed file transfer service in May, according to a June 2023 analysis by networking firm F5.

In 2021, Microsoft noted that the use of Web shells had grown dramatically, with the company seeing nearly double the encounters of Web shells on monitored servers compared to the prior year, the company stated in an analysis. More recent data is not available.

"Web shells allow attackers to run commands on servers to steal data or use the server as [a] launch pad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity, while allowing attackers to persist in an affected organization," Microsoft stated in its analysis.

Stealthy and Anonymous

One reason attackers have taken to Web shells is because of their ability to stay under the radar. Web shells are hard to detect with static analysis techniques, because the files and code are so easy to modify. Moreover, Web shell traffic — because it is just HTTP or HTTPS — blends right in, making it hard to detect with traffic analysis, says Akamai's Zavodchik.

"They communicate on the same ports, and it's just another page of the website," he says. "It's not like the classic malware that will open the connection back from the server to the attacker. The attacker just browses the website. There's no malicious connection, so no anomalous connections go from the server to the attacker."

In addition, because there are so many off-the-shelf Web shells, attackers can use them without tipping off defenders as to their identity. The WSO-NG Web shell, for instance, is available on GitHub. And Kali Linux is open source; it's a Linux distribution focused on providing easy-to-use tools for red teams and offensive operations, and it provides 14 different Web shells, giving penetration testers the ability to upload and download files, execute command, and creating and querying databases and archives.

"When APT threat actors ... move from specially tailored binary implants to Web shells — either their own Web shells or some generic Web shells — no one could be attributing those factors to the specific groups," Zavodchik says.

Defend With Suspicious Vigilance

The best defenses are monitoring Web traffic for suspicious patterns, anomalous URL parameters, and unknown URLs and IP addresses. Verifying the integrity of the servers is also a key defensive tactic, Malcolm Heath, a senior threat researcher at F5 Networks, wrote in a June post on Web shells.

"Directory content monitoring is also a good approach, and some programs exist which can detect changes to monitored directories immediately and roll back changes automatically," the company stated. "Additionally, some defensive tools allow for the detection of anomalous process creation."

Other methods include focusing on detecting the initial access and the deployment of a Web shell. Web application firewalls (WAFs), with their ability to look at traffic flows, are also solid defensive measures.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights