US CISA report shares details on web shells used by Iranian hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a malware analysis report (MAR) that includes technical details about web shells employed by Iranian hackers.

A web shell is a code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to gain remote access and code execution.

According to the CISA’s report, Iranian hackers from an unnamed APT group are employing several known web shells, in attacks on IT, government, healthcare, financial, and insurance organizations across the United States. The malware used by the threat actors includes the ChunkyTuna, Tiny, and China Chopper web shells.

The Iranian hackers belong to an Iran-based threat actor that was behind attacks exploiting vulnerabilities in Pulse Secure VPN, Citrix Application Delivery Controller (ADC) and Gateway, and F5’s BIG-IP ADC products.

A few weeks ago, researchers from Crowdstrike revealed that the Iran-linked APT group tracked as Pioneer Kitten, also known as Fox Kitten or Parisite, is now trying to monetize its efforts by selling access to some of the networks it has hacked to other hackers.

The Iranian hackers have been attacking corporate VPNs over the past months, they have been hacking VPN servers to plant backdoors in companies around the world targeting Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs.

The CISA MAR includes technical details of 19 malicious files, including multiple components of the China Chopper web shell, such as an ASP application that listens for incoming HTTP connections from a remote operator.

The web shells allow attackers to deliver and execute JavaScript code that could be used to enumerate directories, execute payloads, and exfiltrate data.

CISA experts also analyzed a program data (PDB) file and a binary which are a compiled version of the open-source project FRP. The FRP can allow attackers to tunnel various types of connections to a remote operator outside of the target’s network perimeter. The report also analyzed a PowerShell shell script that is part of the KeeThief open-source project, which allows the adversary to access encrypted password credentials stored by the Microsoft “KeePass” password management software.

“It appears this adversary utilized these malicious tools to maintain persistent remote access and data exfiltration from the victim’s network. The adversary may have used the ‘FRP’ utility to tunnel outbound Remote Desktop Protocol (RDP) sessions, allowing persistent access to the network from outside the firewall perimeter.” continues the report. “The China Chopper web shell also provides the persistent ability to navigate throughout the victim’s network when inside the perimeter. Leveraging the ‘KeeThief’ utility allows access to sensitive user password credentials and potentially the ability to pivot to user accounts outside of the victim’s network,”

The report also details additional 7 files containing malicious Hypertext Preprocessor (PHP) code that works as malicious web shells, which were identified as ChunkyTuna and Tiny web shells. Both web shells accept commands and data from a remote operator, allowing the operator C2 to remotely control the compromised system.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, web shells)

[adrotate banner=”5″]

[adrotate banner=”13″]