A joint National Security Agency (NSA) and Australian Signals Directorate (ASD) Cybersecurity Information Sheet (CSI) details how cyber actors deploy web shells, either by exploiting vulnerabilities in internet-facing applications or by uploading them to other systems they have already compromised.
Things you need to know about web shells
According to the PDF, cyber actors have increased their use of web shell malware for network exploitation and web exploitation. Web shells can execute arbitrary system commands, which are commonly sent to the shell over HTTP or HTTPS.
“Malicious cyber actors are increasingly leveraging this type of malware to get consistent access to compromised networks while using communications that blend in well with legitimate traffic. This means attackers might send system commands over HTTPS or route commands to other systems, including to your internal networks, which may appear as normal network traffic,” the CSI reads.
A web shell is a malicious script that an attacker uses to gain remote access to a machine, then to escalate and maintain persistent access.
Hackers target vulnerabilities in web applications, and once planted, a web shell can serve as a persistent backdoor or as a relay node that routes attacker commands from the internet-facing system to other systems, letting the attacker pivot further into internal hosts.
The attacker can use a shell to pivot inside or outside a network. This process can take days or even months, during which the attacker keeps a low profile and draws as little attention as possible. Once persistent access is secured, for example by gaining root or solid credentials, it is time to make moves.
Below are some of the tools offered by the NSA that can help you identify web shell malware by checking logs. These tools can be useful for penetration testers and sysadmins alike.
Github: Mitigating Web Shells