WEBSHELL


 PLATFORM:

Windows

 OVERALL RISK RATING:
 REPORTED INFECTION:

  • Threat Type: Others

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

A web shell is a piece of malicious code that attackers implant on a web server to gain remote access to it and execute code on it, typically with the privileges of the web server process. Web shells are usually written in the same languages as ordinary web applications, such as ASP, PHP and JSP, so the server runs them like any other page.

Attackers often implant web shells by exploiting security gaps such as vulnerabilities in web applications (for example, an unrestricted file upload or a remote code execution flaw). They use reconnaissance tools to identify vulnerabilities that will allow them to install a web shell. Once a server is compromised, the attacker can use the web shell, or drop additional ones, to accomplish other tasks such as escalating privileges and issuing commands remotely.
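The shape described above (an execution sink such as eval, system or exec that is fed input taken straight from the HTTP request) is also what a defender looks for when hunting web shells on a web root. The scanner below is an added example, not code from the original page: it applies that sink-plus-request-input heuristic to PHP, classic ASP and JSP files, decodes long base64 string literals and rescans them so a payload hidden behind base64_decode is still seen, and deliberately does not flag a script that calls a sink with a fixed argument. The rule sets, the threshold and all sample files are this example's own assumptions and constructions, not anything the page specifies.

```python
"""Heuristic web shell scanner (added example, not code from the original page).

Assumption, stated here and in the lead-in: a web shell is a script in which a
code/command execution sink (eval, system, exec, ...) receives input taken
straight from the HTTP request, sometimes hidden behind a base64 literal.
The sample files below are constructed for this example, not real captures.
"""
import base64
import os
import re
from dataclasses import dataclass, field

# Execution sinks and request-derived sources for the language families the
# page names (PHP, classic ASP, JSP). Matched case-insensitively: PHP and
# VBScript names are case-insensitive and shell authors mix case to dodge greps.
RULES = {
    "php": {
        "sink": r"\b(eval|assert|system|shell_exec|exec|passthru|popen|proc_open)\s*\(",
        "source": r"\$_(GET|POST|REQUEST|COOKIE)\b|php://input",
    },
    "asp": {
        "sink": r"\b(eval|execute|executeglobal)\b|CreateObject\s*\(\s*[\"']WScript\.Shell[\"']",
        "source": r"\bRequest(\.Form|\.QueryString|\.Item)?\s*\(",
    },
    "jsp": {
        "sink": r"Runtime\.getRuntime\(\)\.exec\s*\(|new\s+ProcessBuilder\s*\(",
        "source": r"request\.getParameter\s*\(",
    },
}
EXT_FAMILY = {".php": "php", ".phtml": "php", ".asp": "asp", ".jsp": "jsp"}
# Long quoted base64-looking literals are decoded and rescanned.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


@dataclass
class Finding:
    path: str
    family: str
    flagged: bool
    reasons: list = field(default_factory=list)


def decode_b64_literals(text):
    """Return the printable decodings of base64 string literals found in text."""
    out = []
    for m in B64_LITERAL.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            out.append(raw.decode("ascii"))
    return out


def scan_file(path, text):
    """Flag a file when an execution sink and request input both appear,
    in the source itself or in a decoded base64 payload."""
    family = EXT_FAMILY.get(os.path.splitext(path)[1].lower())
    if family is None:
        return Finding(path, "unknown", False, ["extension not scanned"])
    rules = RULES[family]
    decoded = decode_b64_literals(text)
    views = [("src", text)] + [("b64", d) for d in decoded]
    reasons, has_sink, has_source = [], False, False
    for label, body in views:
        sink = re.search(rules["sink"], body, re.IGNORECASE)
        source = re.search(rules["source"], body, re.IGNORECASE)
        if sink:
            has_sink = True
            reasons.append(f"{label}: sink {sink.group(0).strip()}")
        if source:
            has_source = True
            reasons.append(f"{label}: request input {source.group(0).strip()}")
    if decoded:
        reasons.append(f"{len(decoded)} base64 literal(s) decoded")
    # A sink alone (a legitimate backup script, say) is worth a look but not a
    # verdict; sink plus request-controlled input is the web shell shape.
    return Finding(path, family, has_sink and has_source, reasons)


# Constructed sample files for the example (not real captured shells).
SAMPLES = {
    # Benign: reads a parameter but never executes it.
    "index.php": "<?php $n = htmlspecialchars($_GET['name'] ?? ''); echo 'Hi ' . $n; ?>",
    # Sink with a fixed argument and no request input: not flagged.
    "backup.php": "<?php exec('tar czf /tmp/site.tgz /var/www/html'); ?>",
    # Classic one-line PHP shell.
    "cmd.php": "<?php @eval($_POST['c']); ?>",
    # Same thing with the payload hidden in a base64 literal.
    "img.php": "<?php eval(base64_decode('%s')); ?>"
    % base64.b64encode(b"system($_REQUEST['x']);").decode(),
    # Classic ASP one-liner.
    "upload.asp": '<%eval request("pass")%>',
    # JSP command execution fed from a request parameter.
    "help.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
}


def scan_samples():
    """Scan the constructed samples; returns {path: Finding}."""
    return {p: scan_file(p, t) for p, t in SAMPLES.items()}


def flagged_paths():
    return sorted(p for p, f in scan_samples().items() if f.flagged)


if __name__ == "__main__":
    for p, f in scan_samples().items():
        print(f"{p:11} {'WEBSHELL?' if f.flagged else 'ok':9}  {'; '.join(f.reasons)}")
```

Run against a real web root by replacing SAMPLES with the files under the document root; treat the output as a triage list, not a verdict. A sink without request input (backup.php above) is still worth a manual look, and a shell that builds its sink name at runtime or uses an encoding other than base64 will evade this rule set, which is why file-integrity baselines and web server logs (a POST to a newly created script from a single client) belong beside it.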

Web shells provide the following capabilities after successful installation:

  • Allow attackers to execute commands and steal data from a web server

  • Use server as launch pad for further attacks against the affected organization

  • Issue commands to hosts inside the network that have no direct Internet access

  • Upload additional malware for watering hole attacks and scanning of other vulnerable systems

In 2021, web shells were used in attacks exploiting vulnerabilities found in on-premises versions of Microsoft Exchange Server.

Malicious web shells are capable of the following:

  • Information Theft

  • Backdoor commands

  • Exploits

A typical infection using a malicious web shell is below: