Agrius in Focus: Dissecting a Web Shell

As included in the MITRE ATT&CK framework [T1505.003], web shells serve as backdoors for web servers, providing ongoing and persistent access. Web shells are typically installed after an attacker exploits a vulnerability such as a file upload on a poorly configured web application. The code may vary from simple one-liners to much more complex web shells that encompass a variety of commonly used functionalities, such as remote command execution, file system manipulation, interaction with databases, and privilege escalation. ASPXSpy, China Chopper, and the historically renowned c99 and r57 are among the most well-known web shells.

Several web shells were mentioned in recent threat intelligence publications related to an Iran-linked threat actor known as Agonizing Serpents / Agrius. The Nozomi Networks Labs team analyzed the intelligence to explore and research the functionality that one of these web shells offers, including command execution, file manipulation, and database interaction. In this blog we present our methodology and findings from analyzing the available web shell sample, SHA-256: abfde7c29a4a703daa2b8ad2637819147de3a890fdd12da8279de51a3cc0d96d.

Obfuscation

The web shell, presented as a single line of C# within a .aspx file, exhibits obfuscation techniques in its source code.

Figure 1. Obfuscated variable and function names.

These methods aim to hide its internal operations by substituting certain variable and function names with characters from different languages (such as Korean, Greek, etc.) to obscure their meaning.

Figure 2. Simple string obfuscation.

Additionally, some functions employ a simple obfuscation method to obscure the strings they use. Instead of directly using the string, these functions call another function that retrieves a string from a particular position in a table. Assets like CSS and image icons are encoded in base64.

Figure 3. Table used to retrieve strings based on their position.

Figure 4 below shows the result of the de-obfuscation effort, which yields much more readable code. As we can see, the attackers went the extra mile to complicate analysis and thereby slow down researchers.

Figure 4. Obfuscated and de-obfuscated email functions side by side.
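As an added example (not code from the Nozomi analysis or from the web shell itself), the following Python helper resolves the table-lookup string obfuscation described above: it locates a string table and the function that indexes it, then rewrites each lookup call into the literal it returns. The C# fragment, the table layout, and the identifier names (가나, αβ) are constructed assumptions in the shape the analysis describes.

```python
import re

# Constructed C# fragment mimicking the technique: strings live in a table and are
# fetched through a helper called with a position. Names and layout are assumptions.
SAMPLE = '''
string[] 가나 = new string[] { "Port Scan", "Port Bind", "Mass Deface", "killMe" };
string αβ(int i) { return 가나[i]; }
Response.Write(αβ(0)); if (cmd == αβ(3)) { Response.Write(αβ(2)); }
'''

def extract_table(src):
    """Return (table name, list of literals) for the first string[] initializer found."""
    m = re.search(r'string\[\]\s+(\w+)\s*=\s*new string\[\]\s*\{(.*?)\};', src, re.S)
    name = m.group(1)
    values = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(2))
    return name, values

def lookup_function(src, table):
    """Return the name of the helper of the form: string f(int i) { return table[i]; }"""
    pattern = (r'string\s+(\w+)\s*\(int\s+(\w+)\)\s*\{\s*return\s+'
               + re.escape(table) + r'\[\2\];\s*\}')
    return re.search(pattern, src).group(1)

def deobfuscate(src):
    """Replace every helper(<index>) call with the literal stored at that position."""
    table, values = extract_table(src)
    func = lookup_function(src, table)
    def to_literal(m):
        return '"' + values[int(m.group(1))] + '"'
    return re.sub(re.escape(func) + r'\((\d+)\)', to_literal, src)
```

Unicode identifiers are matched with \w, which covers the Korean and Greek letters the shell uses for names; a table initializer spread over several lines is handled by the re.S flag.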

Authentication

If someone tries to access the web shell page without proper authentication, it displays an HTTP ERROR 404 page after a 10-second delay that mimics a slow page load. This behaviour helps prevent unauthorized users from easily finding the web shell, making it less conspicuous and reducing the chance of the page drawing unwanted attention.

To access the shell, there are two steps:

  1. If a u query parameter is present in the URL (GET request), the web shell takes this parameter's value, computes its SHA256 hash, and compares it to a predefined value (a9cf6f3aaae163d7bf0cab956257eeb5ec8ab411007b552264fdebfb65c59bb6). If they match, the web shell sets an auth cookie and no longer shows the 404 error page.
  2. There is a second check: the web shell takes a password value from a hidden form, computes its SHA256 hash, and compares this hash against another predefined value (afb3410722da93d4fd63372e147456fd0630e09a241cb78be48a05295c853ab2). If the hashes match, the web shell sets a passwd cookie whose value is this hash, granting access to the web shell functionality.

So, essentially, to gain access to the web shell:

  • You need to have the correct u parameter in the URL or a matching auth cookie.
  • You also need the correct password value submitted or a matching passwd cookie to successfully utilize the web shell.

Figure 5. De-obfuscated authentication check.

Web Shell Features

The main power of web shells is their flexibility. The web shell that we looked at offers an array of useful features like most full-fledged shells do, making them convenient for their operators.

File Manager

The web shell provides an extensive array of functionalities, granting users the ability to browse through the target system's filesystem. Moreover, it facilitates a range of operations on files and directories, allowing threat actors to download, rename, delete, copy, or compress them or alter their attributes, granting them great control over the compromised system.

Figure 6. File manager.

Command Line

The Command Line tool enables users to run custom commands on the target system and access their corresponding outputs. Additionally, it includes pre-defined handy commands like net user, whoami, and more, which can be executed with a simple mouse click to learn more about the system, its files and processes. Users can also adjust the timeout duration for each command.

Figure 7. Command line.

SQL Manager

The SQL Manager offers an interface to connect to SQL databases using a user-provided connection string and then perform operations such as inserting, deleting, updating, or exporting data. This functionality can be used for multiple purposes, including stealing existing data or tampering with it.

Figure 8. SQL Manager.

File/Folder Creation and Upload

Several convenient functions are also provided to create and upload files and folders. An attacker can easily upload a local file to the target system using the user interface or alternatively create one from scratch by providing its text content through a text box. This functionality can be used to quickly create shell scripts or even leave notes to the victim.

Figure 9. File upload to server.
Figure 10. Editing a newly created file.

Port Scan

This functionality enables users to input a comma-separated list of ports along with an IP address to conduct a port scan, determining the status (open or closed) of each port. The default port list includes scans for services such as telnet, SMTP, HTTP, POP3, various databases, and remote administration software. The port scan function uses the TcpClient class. This information is invaluable for attackers at the post-exploitation phase to collect more information about the system.

Figure 11. Port Scan.
Figure 12. De-obfuscated port scanning function.

Port Bind

This functionality binds a shell at the specified port, which can then be used to connect and execute commands on the compromised system. It's important to note that the success of port binding relies on the absence of robust network filtering or security measures that could prevent or restrict incoming connections on specific ports. If the network has stringent filtering rules or firewalls in place, it becomes more challenging for attackers to use this method effectively.

Figure 13. Binding shell to a local port.
Figure 14. Executing commands using the bind shell.

Connect Back

This command provides connect-back or reverse shell functionality. Specifically, it uses TcpClient to connect to the given address and port, sets up a hidden console window, reads lines from the server and runs them on the local console, redirecting the output back to the server. Reverse shells can be useful in situations where firewalls or other security measures prevent hosts from accepting inbound connections.

Figure 15. De-obfuscated connect back function.

Mass Test

Mass Test offers a method to iterate through a directory, checking the permissions of each subfolder within it, to speed up the exploration of the compromised system.

Figure 16. Mass permission test.

Mass Deface

Mass Deface offers a method to deface a page by either providing a file to replace it with or some input text. Defacement is commonly used by attackers to display public statements in place of the original website's content.

Figure 17. Mass deface function.

System and User Info

Provides information about the backdoored system such as domain, IP, OS version, timezone, disk usage, CPU details, password information and others.

Figure 18. System information.

Search

Provides a function to search the filesystem for files and folders based on their name or contents. This way, attackers can quickly find the data of their interest.

Figure 19. Search functionality.

Process

Shows a list of running process IDs and names, along with their thread count and priority, allowing the user to kill certain processes whenever this is possible.

Figure 20. Process list.

Services

The services function shows a list of service IDs and names along with their status. The services are retrieved using ServiceController.GetServices and a ManagementObjectSearcher query. This functionality can be used for multiple purposes, including identifying the cybersecurity products installed.

Figure 21. Service list.
Figure 22. De-obfuscated function to retrieve service information.

Mail

This function provides a method to send email by connecting to an SMTP server and filling out the From/To/Subject/Body fields. This function uses the MailMessage, SmtpClient and MailAddress classes from System.Net.Mail. This functionality may allow attackers to connect to a local SMTP server not accessible from outside the network.

Figure 23. Mail functionality.

The function looks like this after de-obfuscation:

Figure 24. De-obfuscated function to send emails.

Remote Download

Remote Download provides a method to download a file from the internet and store it on the backdoored machine. The default download link points to fgdump, which is a password dumping utility for Windows. This function uses the WebClient class provided by System.Net.

Figure 25. Remote download.
Figure 26. De-obfuscated function to download remote files.

Self Removal

The shell includes a feature that allows it to remove itself. Once the user confirms the desire to remove the shell, the program determines its own location and initiates a process to delete itself by calling the File.Delete function on its own file.

Conclusion

Exploring this web shell sheds light on the capabilities that modern-day attackers continue to use when compromising systems. As the threat landscape continues to evolve, staying vigilant, prioritizing security best practices, and fostering a proactive security culture are indispensable in mitigating the risks posed by web shells and other sophisticated cyber threats.

Detections

IoCs

  • abfde7c29a4a703daa2b8ad2637819147de3a890fdd12da8279de51a3cc0d96d

YARA

rule unknown_webshell : webshell aspx
{
  meta:
      name = "Unknown ASPX - Webshell"
      description = "Obfuscated fully-fledged ASPX webshell"
      author = "Nozomi Networks Labs"
      date = "2023-11-27"
      hash = "abfde7c29a4a703daa2b8ad2637819147de3a890fdd12da8279de51a3cc0d96d"
      tlp = "clear"

  strings:
      $base_0 = "<%@ Import Namespace=\""
      $base_1 = "script>"
      $base_2 = "<html>"
      $s_1 = "server=localhost;UID=sa;PWD=1234;database=master;"
      $s_2 = "21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500"
      $s_3 = "The result of command execution"
      $s_4 = "DllImport(\"kernel32.dll\")"
      $s_5 = "DllImport(\"user32.dll\")"
      $s_6 = "SQL exported successfully!"
      $s_7 = "Port Scan"
      $s_8 = "Port Bind"
      $s_9 = "Mass Deface"
      $s_10 = "System and User Info"
      $s_11 = "Program faced to Error!"
      $s_12 = "There is no file or folder!"
      $s_13 = "selectDeface"
      $s_14 = "secondLogin"
      $s_15 = "SELECT PROCESSID FROM WIN32_SERVICE WHERE"
      $s_16 = "Connected to server successfully!"
      $s_17 = "Remote Download"
      $s_18 = "SW_HIDE"
      $s_19 = "SW_SHOW"
      $s_20 = "GetConsoleWindow"
      $s_21 = "System.Net.Mail.SmtpDeliveryMethod.Network"
      $s_22 = "killMe"
      $s_23 = "for use single quote among qurey use"
      $s_24 = "Process killed successfully!"
      $s_25 = "Request.Cookies[\"auth\"]"
      $s_26 = "System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp"
      $s_27 = "The server defaced successfully!"
      $s_28 = "SqlCommand"
      $s_29 = "Directory is already exists!"

  condition:
      all of ($base_*) and 6 of ($s_*)
}

SNORT

# Nozomi Networks Labs
alert http any any -> any $HTTP_PORTS (msg:"Detected HTTP headers associated with an ASPX web shell."; flow:to_server,established; content:"POST"; http_method; content:"Cookie: "; http_header; content:"auth="; http_header; content:"passwd="; http_header; content:"limitLengthList="; http_header; content:"limitLengthSql="; http_header; content:"startLimitNumberList"; http_header; content:"directory="; http_header; sid:9000447; metadata: created_at 2023_11_27, tlp clear;)
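As an added example (not part of the Nozomi detections or the web shell's code), the Python triage helper below applies the two authentication hashes from the Authentication section and the cookie pattern from the Snort rule above to raw HTTP requests pulled from a proxy log or packet capture. SAMPLE_POST is a constructed request; the host name and path in it are assumptions.

```python
import hashlib
from urllib.parse import parse_qs, urlparse

# Hashes quoted in the analysis above: SHA-256 of the "u" query value and of the
# hidden-form password; the shell stores the latter verbatim in its passwd cookie.
KNOWN_U_HASH = "a9cf6f3aaae163d7bf0cab956257eeb5ec8ab411007b552264fdebfb65c59bb6"
KNOWN_PASSWD_HASH = "afb3410722da93d4fd63372e147456fd0630e09a241cb78be48a05295c853ab2"
# Cookie names from the Snort rule: auth/passwd are required, the rest are UI state.
REQUIRED_COOKIES = {"auth", "passwd"}
UI_COOKIES = {"limitLengthList", "limitLengthSql", "startLimitNumberList", "directory"}
# Constructed sample of a post-login request, shaped like the Snort rule's headers.
SAMPLE_POST = ("POST /upload/x.aspx HTTP/1.1\r\nHost: example.test\r\n"
               "Cookie: auth=1; passwd=" + KNOWN_PASSWD_HASH + "; directory=C:\\inetpub\r\n\r\n")

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def parse_request(raw):
    # Split a raw HTTP request into (method, path, headers); header names lowercased.
    request_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def cookies(headers):
    # Parse the Cookie header into a name -> value dict.
    jar = {}
    for part in headers.get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar

def assess(raw, u_hash=KNOWN_U_HASH, passwd_hash=KNOWN_PASSWD_HASH):
    # Return the findings for one raw HTTP request (empty list if nothing matched).
    method, path, headers = parse_request(raw)
    findings = []
    # Stage 1: hashing an observed u= value confirms this shell's first-stage key
    # without the analyst needing to know the key itself.
    for value in parse_qs(urlparse(path).query).get("u", []):
        if sha256_hex(value) == u_hash:
            findings.append("u parameter hashes to the web shell's first-stage key")
    jar = cookies(headers)
    # Stage 2: the passwd cookie carries the password hash itself, so compare directly.
    if jar.get("passwd") == passwd_hash:
        findings.append("passwd cookie equals the web shell's password hash")
    # Header pattern from the Snort rule: POST carrying auth + passwd plus UI cookies.
    if method == "POST" and REQUIRED_COOKIES <= set(jar):
        seen = len(UI_COOKIES & set(jar))
        findings.append(f"web shell session cookies present ({seen}/{len(UI_COOKIES)} UI cookies)")
    return findings
```

The hash comparisons give a high-confidence hit for this specific sample, while the cookie-name check mirrors the Snort rule and will also catch a rebuilt variant with different credentials.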