Web Shell Malware, a Growing Concern for the US and Australia: A Wake-Up Call on a Common Kind of Attack

This past week the US National Security Agency (NSA) joined up with the Australian Signals Directorate (ASD) to issue an information packet on how to detect and mitigate web shell malware. Web shell malware is a type of malicious code that executes arbitrary instructions on a targeted web server. It has become a large enough cybersecurity problem that government agencies like the NSA and ASD released 17 pages of guidance on how to approach it.

What is it?     

Web shell malware is a type of malware used for computer network exploitation and a favorite for prolonged web server access. It is particularly scary because it is difficult to spot and, therefore, difficult to eradicate. The malware is resourceful in that its traffic is disguised as legitimate by using common protocols and ports. It uses widely used internet protocols like HTTP and HTTPS to evade detection. Traffic on these channels is often overlooked because these protocols are what web servers ordinarily use to format and transmit data to and from an ordinary user’s browser.

Web shell malware is typically created by adding or modifying an existing file on a victim’s web application. Once web shell malware is successfully deployed it provides a threat actor with persistent access to a target’s network – making it an ideal weapon of choice for adversaries.

Why should you be concerned?

The nature of web shell malware gives attackers not only persistent backdoor access to a web server, but also a foothold from which to route commands to other systems. Attackers regularly chain together multiple web shells on compromised systems to route traffic from internet-facing systems to the internal network. They can then steal data, launch attacks on site visitors, and pivot freely through an organization’s infrastructure.

A common misconception is that internet-facing systems are the only target for web shell malware. However, we are seeing that attackers frequently deploy this malware on non-internet-facing web servers like internal content management systems and network device management interfaces. It is also worth noting that the success rate is higher with these types of systems because they often lag in patch management and are consequently more susceptible to exploitation. Once a web shell is uploaded, it is not terribly difficult to root the server by exploiting unpatched vulnerabilities or insecure configuration.

Back in February, Microsoft said in any given month it was detecting an average of 77,000 web shell related artifacts on an average of 46,000 machines. These numbers expose just how pressing the issue of web shell malware is and how network defenders should not ignore this attack vector.

What can you do?

Any seasoned attacker knows that obfuscation is key to a successful attack. Adversaries behind web shell malware are no different and employ encryption and encoding to evade detection. However, by adopting the NSA/ASD guide, network defenders are far from helpless against web shell malware. The guide primarily focuses on defense-in-depth, which entails using multiple layers of security and detection methods. While this may result in more false positives, it is a tedious yet necessary task for uncovering web shell malware. The guide recommends that, when a potential web shell is detected, the file's origin and authenticity be validated to confirm that it really is web shell malware.

We focused on the mitigation and detection portion of the document as this step will enable organizations to limit the damage from web shell malware and keep the business in operation. Below is a high-level explanation of the recommended mitigation strategies.

Mitigating Actions

  • “Known-Good” Comparison
    • Compare a verified benign version of a web application against the production version. It is worth noting that system defenders should not assume a file modification is warranted simply because it occurred during a maintenance period. Once uncovered, discrepancies should then be flagged and manually verified for authenticity.
  • Web Traffic Anomaly Detection
    • Use a Security Information and Event Management (SIEM) system to identify web shell presence in web traffic and web server logs. Before gaining visibility into a network, attackers are unlikely to know which IP ranges or user agents are typical for a web server, so web shell requests should appear anomalous. Furthermore, Uniform Resource Identifiers (URIs) accessed by abnormal user agents could be indicative of web shell malware. Additionally, unusually large responses are indicative of possible data exfiltration, and recurring access to a web server outside local working hours could reveal web shell malware.
  • Signature Based Detection
    • Compare signatures of past web shell malware against the environment to detect known malware. Detection based on common web shell file names, scanning instructions, etc. is not very promising on its own, because web shell communication is regularly obfuscated, but it will catch the network communication of script-kiddie-level attackers.
  • Unexpected Network Flows
    • Use knowledge of the network to create a baseline and identify unexpected network activity. For instance, if an attacker is using an internet-facing web server to tunnel traffic into a network, the evidence will show a perimeter device accessing an internal node. If network defenders know which nodes on their network are web servers, they can analyze network traffic to observe unexpected flows.
  • Endpoint Detection and Response Capabilities
    • Employ enhanced logging solutions to detect web shell malware system calls or process lineage deviations. For instance, it is rare for most web servers to launch the ‘ipconfig’ utility, but this is a typical reconnaissance action taken by web shell malware to aid an adversary in orienting themselves on a network.
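The “Known-Good” Comparison above is easy to automate. The following Python script is an added example written for this post, not code from the NSA/ASD guide or the NSA's released scripts: it hashes every file under a verified baseline copy of a web application and under the production copy, then reports files that were added, modified, or removed in production. The directory layout, file contents and the tampering it detects (a modified include file and an unexpected PHP file in an upload directory) are constructed for the demonstration; the added file contains only a placeholder comment.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_to_known_good(known_good, production):
    """Classify production files against the verified baseline.

    Every entry returned is a discrepancy that should be manually verified,
    regardless of whether it appeared during a maintenance window.
    """
    return {
        "added": sorted(p for p in production if p not in known_good),
        "modified": sorted(
            p for p in production if p in known_good and production[p] != known_good[p]
        ),
        "missing": sorted(p for p in known_good if p not in production),
    }


def build_demo():
    """Construct a baseline and a production copy with two deliberate discrepancies.

    This is constructed sample data for the example, not a real application.
    """
    base = Path(tempfile.mkdtemp())
    good, prod = base / "known_good", base / "production"
    files = {
        "index.php": "<?php echo 'hello'; ?>\n",
        "inc/config.php": "<?php $db = 'app'; ?>\n",
        "img/logo.png": "PNGDATA",
    }
    for root in (good, prod):
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
    # Constructed tampering in production: one include file edited, one
    # unexpected script dropped into an upload directory (placeholder only).
    (prod / "inc/config.php").write_text("<?php $db = 'app'; /* appended */ ?>\n")
    (prod / "uploads").mkdir()
    (prod / "uploads/image.php").write_text("<?php /* constructed placeholder */ ?>\n")
    return good, prod


def run_demo():
    """Hash both trees and return the discrepancy report."""
    good, prod = build_demo()
    return compare_to_known_good(hash_tree(good), hash_tree(prod))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

In practice the known-good tree is the deployment artifact pulled from version control or the build system, not a copy taken from the server itself, and the baseline hashes are stored somewhere the web server account cannot write.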

While we summarized the mitigation actions from the guide, it also covers prevention and eradication techniques that can help an organization fend off web shell malware. The NSA has also released scripts to help defenders carry out the detection and mitigation actions.
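To make the Web Traffic Anomaly Detection item above concrete, here is an added Python example written for this post (not one of the NSA's released scripts and not from the guide). It parses web server access log lines in the common “combined” format and flags the indicators the guide calls out: requests from user agents rarely seen on the server, URIs that are only ever requested by such rare agents, responses far larger than the server's median, and access outside local working hours. The log lines, the IP addresses, the thresholds and the business-hours window are all constructed or assumed for the demonstration.

```python
import re
import statistics
from collections import Counter, defaultdict

# Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/75.0"

# Constructed sample log for one web server; not real traffic.
SAMPLE_LOG = "\n".join([
    '10.0.0.50 - - [20/Apr/2020:03:12:07 +0000] "POST /uploads/image.php HTTP/1.1" 200 120000 "-" "python-requests/2.23.0"',
    f'10.0.0.11 - - [20/Apr/2020:09:01:44 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "{BROWSER}"',
    f'10.0.0.12 - - [20/Apr/2020:09:15:02 +0000] "GET /index.php HTTP/1.1" 200 3120 "-" "{BROWSER}"',
    f'10.0.0.13 - - [20/Apr/2020:10:40:19 +0000] "GET /about.php HTTP/1.1" 200 2890 "-" "{BROWSER}"',
    f'10.0.0.11 - - [20/Apr/2020:11:05:51 +0000] "GET /news.php HTTP/1.1" 200 4100 "-" "{BROWSER}"',
    f'10.0.0.14 - - [20/Apr/2020:13:22:33 +0000] "GET /index.php HTTP/1.1" 200 2650 "-" "{BROWSER}"',
    '10.0.0.50 - - [20/Apr/2020:14:03:10 +0000] "GET /uploads/image.php HTTP/1.1" 200 1500 "-" "curl/7.68.0"',
    f'10.0.0.12 - - [20/Apr/2020:15:47:05 +0000] "GET /news.php HTTP/1.1" 200 3800 "-" "{BROWSER}"',
    f'10.0.0.15 - - [20/Apr/2020:16:30:48 +0000] "GET /about.php HTTP/1.1" 200 2210 "-" "{BROWSER}"',
    f'10.0.0.13 - - [20/Apr/2020:17:12:27 +0000] "GET /index.php HTTP/1.1" 200 3005 "-" "{BROWSER}"',
])


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        size = m.group("size")
        records.append({
            "ip": m.group("ip"),
            "hour": int(m.group("ts").split(":")[1]),  # hour of day from the timestamp
            "uri": m.group("uri"),
            "size": 0 if size == "-" else int(size),
            "ua": m.group("ua"),
        })
    return records


def find_anomalies(records, business_hours=(8, 18), rare_ua_max=2, size_factor=5.0):
    """Flag requests matching the guide's web traffic indicators.

    Thresholds are assumptions for the demo: a user agent is "rare" if seen at most
    rare_ua_max times, a response is "large" if over size_factor x the median size.
    """
    ua_counts = Counter(r["ua"] for r in records)
    uri_agents = defaultdict(set)
    for r in records:
        uri_agents[r["uri"]].add(r["ua"])
    median_size = statistics.median([r["size"] for r in records]) if records else 0

    findings = []
    for r in records:
        reasons = []
        if ua_counts[r["ua"]] <= rare_ua_max:
            reasons.append("rare user agent")
        if all(ua_counts[ua] <= rare_ua_max for ua in uri_agents[r["uri"]]):
            reasons.append("URI requested only by rare user agents")
        if median_size and r["size"] > size_factor * median_size:
            reasons.append("unusually large response")
        if not (business_hours[0] <= r["hour"] < business_hours[1]):
            reasons.append("outside business hours")
        if reasons:
            findings.append({"ip": r["ip"], "uri": r["uri"], "ua": r["ua"], "reasons": reasons})
    return findings


def run_demo():
    """Run the detector over the constructed sample log."""
    return find_anomalies(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['ip']} {f['uri']} [{f['ua']}] -> {', '.join(f['reasons'])}")
```

A single indicator is rarely conclusive on its own, which is why the detector reports every reason that fired for a request: a request that is off-hours, from an agent the server never otherwise sees, to a URI nobody else requests, with an outsized response, deserves a much earlier look than one that only trips the size threshold. Real deployments compute the baselines (typical agents, median size, working hours) over weeks of logs rather than ten lines.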

Interested in confirming your organization's preparedness against this growing threat?

Contact Silent Sector today to hear how we can help test the security of your infrastructure and ultimately give you some peace of mind against the threat of web shell malware and other web application attacks. 

About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst for CVS Health. She has her BS in IT Cyber Security as well as security certifications like CompTIA Security+ and ISC2. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DefCon. In her free time, she enjoys reading about new advancements in technology, going to security meetups and participating in cyber defense competitions. One of Haidon’s goals is to make the connected world safer by bridging the human aspect with technology.