In-Depth Analysis of an Obfuscated Web Shell Script

A deeply obfuscated ASPX web shell named UpdateChecker.aspx was analyzed, revealing its use on compromised Microsoft IIS servers to enable full remote control over affected Windows systems. The web shell uses encrypted JSON-formatted commands sent via HTTP POST requests to execute a wide range of operations including file manipulation and command execution. #UpdateChecker.aspx #MicrosoftIIS #WebShell

Key points

  • The web shell UpdateChecker.aspx runs on Microsoft IIS and contains heavily obfuscated C# code to evade detection.
  • Commands are sent by attackers via encrypted and Base64-encoded JSON data in HTTP POST requests with content type application/octet-stream.
  • The web shell supports three main modules: Base (system info retrieval), CommandShell (command execution), and FileManager (comprehensive file and directory management).
  • Attackers can execute Windows commands with IIS privileges and perform detailed file operations such as create, move, copy, delete, search, and content modification.
  • A Python script was developed to simulate attacker interactions with the web shell, demonstrating its extensive control capabilities.
  • Fortinet detects this web shell with AV signature ASP/WebShell.32BC!tr and provides protection across multiple security products including FortiGate and FortiWeb.
  • The SHA-256 hash of the UpdateChecker.aspx sample is A841C8179AC48BDC2EBF1E646D4F552D9CD02FC79207FDC2FC783889049F32BC.

MITRE Techniques

  • [T1210] Exploitation of Remote Services – The web shell is deployed on Microsoft IIS servers to gain remote control (“commands must be sent in the body of an HTTP POST request”)
  • [T1059] Command and Scripting Interpreter – Attackers execute Windows commands through the CommandShell module using ExecuteCommand requests (“The attacker can execute Windows commands with IIS privilege”)
  • [T1105] Ingress Tool Transfer – The web shell enables uploading files and content manipulation remotely (“FileManager module supports CreateFile and SetFileContent operations”)
  • [T1083] File and Directory Discovery – The FileManager module allows detailed file system enumeration and attribute retrieval (“GetDirectoryInformation and GetFileInformation requests”)

Indicators of Compromise

  • [File Hash] UpdateChecker.aspx sample SHA-256 – A841C8179AC48BDC2EBF1E646D4F552D9CD02FC79207FDC2FC783889049F32BC
  • [File Name] Obfuscated C# web shell – UpdateChecker.aspx
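To make the two indicators above and the POST-with-octet-stream behaviour from the key points usable by a defender, the following Python script sweeps a web root for the listed SHA-256 and filename, and scans IIS W3C log lines for POST requests carrying an application/octet-stream body to an .aspx handler. This is an added example written for this summary, not code from Fortinet or from the web shell analysis. The log sample is constructed, and it assumes IIS has been configured to log the request Content-Type as a custom field named cs(Content-Type); stock IIS logging does not record it. The IoC hash and filename are the ones given on the page.

```python
"""Triage helpers for the UpdateChecker.aspx IoCs (added example, not Fortinet's code)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Iterable, Iterator

# SHA-256 of the UpdateChecker.aspx sample, from the page's IoC list (lower-cased for comparison).
IOC_SHA256 = {"a841c8179ac48bdc2ebf1e646d4f552d9cd02fc79207fdc2fc783889049f32bc"}
# Filename IoC from the page; a name match alone is weak, so it is reported separately from a hash hit.
IOC_FILENAME = "updatechecker.aspx"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large web roots do not load whole files into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root, hashes=IOC_SHA256):
    """Return (path, reason) for every .aspx file under root matching the hash or filename IoC."""
    hits = []
    for p in Path(root).rglob("*.aspx"):
        if sha256_file(p) in hashes:
            hits.append((str(p), "sha256 matches UpdateChecker.aspx sample"))
        elif p.name.lower() == IOC_FILENAME:
            hits.append((str(p), "filename matches IoC (hash differs; inspect manually)"))
    return hits


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Parse IIS W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def flag_suspicious(records: Iterable[dict]) -> list:
    """Flag requests that match the web shell's transport: POST of an octet-stream body to .aspx,
    or any request to the known web shell filename."""
    findings = []
    for r in records:
        stem = r.get("cs-uri-stem", "")
        reasons = []
        if stem.lower().rsplit("/", 1)[-1] == IOC_FILENAME:
            reasons.append("uri matches known web shell filename")
        if (r.get("cs-method") == "POST" and stem.lower().endswith(".aspx")
                and r.get("cs(Content-Type)", "-").lower() == "application/octet-stream"):
            reasons.append("POST with application/octet-stream body to .aspx handler")
        if reasons:
            findings.append({"time": f"{r.get('date')} {r.get('time')}",
                             "client": r.get("c-ip"), "uri": stem, "reasons": reasons})
    return findings


# Constructed sample log (not real traffic). Assumes cs(Content-Type) was added as a custom log field.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status cs(Content-Type)",
    "2024-01-10 08:15:02 10.0.0.5 GET /default.aspx - 443 198.51.100.7 Mozilla/5.0 200 -",
    "2024-01-10 08:15:09 10.0.0.5 POST /api/UpdateChecker.aspx - 443 198.51.100.7 Mozilla/5.0 200 application/octet-stream",
    "2024-01-10 08:16:30 10.0.0.5 POST /forms/contact.aspx - 443 203.0.113.4 Mozilla/5.0 200 application/x-www-form-urlencoded",
    "2024-01-10 08:17:01 10.0.0.5 POST /upload.aspx - 443 198.51.100.7 curl/8.0 200 application/octet-stream",
]


def demo_scan():
    """Build a throwaway web root containing a benign placeholder named like the IoC and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "UpdateChecker.aspx").write_text("<%-- constructed placeholder, not the sample --%>")
        (Path(tmp) / "index.aspx").write_text("<%-- benign page --%>")
        return scan_webroot(tmp)


if __name__ == "__main__":
    for hit in demo_scan():
        print("FILE:", *hit)
    for f in flag_suspicious(parse_w3c(SAMPLE_LOG)):
        print("LOG:", f["time"], f["client"], f["uri"], "; ".join(f["reasons"]))
```

On a real host, point scan_webroot at the IIS site root and feed parse_w3c the files under the site's log directory; the octet-stream rule will also catch legitimate binary uploads, so treat it as a pivot for review rather than a verdict, and treat a hash hit as the high-confidence indicator.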
Read more: https://feeds.fortinet.com/~/922174916/0/fortinet/blog/threat-research~InDepth-Analysis-of-an-Obfuscated-Web-Shell-Script