Risk Management
Investigating A Web Shell Intrusion With Trend Micro™ Managed XDR
This blog discusses a web shell intrusion incident where attackers abused the IIS worker to exfiltrate stolen data.
Save to Folio
Summary:
- This analysis is the result of Trend Micro™ Managed XDR investigation and response to a customer incident; our endpoint sensors detected Internet Information Services IIS worker (w3wp.exe) executing suspicious activity that alerted our team to action.
- The attacker was able to upload a web shell to the IIS worker, which, at the time of the attack, was unrestricted.
- The impact on this public-facing server allowed the attacker to create a new account for persistence and to modify the password for one existing user.
- The attacker utilised encoded PowerShell command to create a reverse TCP shell that connected to an IP address for command-and-control.
This incident response by Trend Micro™ Managed XDR was triggered by Trend Vision One™ after our endpoint sensors detected suspicious binary being executed by the IIS Worker process (w3wp.exe) executing a suspicious binary. This behaviour is indicative of potential exploitation of the web server, possibly involving unauthorised activities or a compromised environment. Our investigation revealed that the attackers used a reverse TCP shell to establish command-and-control, as discovered by further filters triggered by the IIS Worker Process Spawning Suspicious PowerShell Command model. After containing the threat, Managed XDR conducted an investigation that uncovered multiple payloads downloaded in the directory C:\Users\Public, which we will discuss in this blog entry.
Initial access
From our investigation of this case, the attacker was able to upload a web shell to the Internet Information Services IIS worker (w3wp.exe). The same web shell was created earlier in another location; however, the attacker did not proceed to interact with it. We determined initial access by analysing the requests the webserver received, where we identified the source host interacting with the web shell.
Prior to the creation of both web shells, we observed POST requests:
POST /****/batchupload.aspx - 443 - 86.48.10[.]109 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/131.0.0.0+Safari/537.36 https://<domain>/****/batchupload.aspx 200 0 0 111
POST /****/email_settings.aspx - 443 - 86.48.10[.]109 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/131.0.0.0+Safari/537.36 https://<domain>/****/email_settings.aspx 200 0 0 93
Discovery
The adversary issued POST requests to the following web shell E:\azure\azureapps\test.****\ebiller\Email_templates\cmd.aspx, which caused the IIS worker process (w3wp.exe) to spawn cmd.exe and powershell.exe, as illustrated in Figure 2.
We also observed the attacker executing discovery commands (system owner, system information, process, file/directory, and account discovery) by utilising the following built-in system tools:
- whoami
- tasklist
- systeminfo
- type
Aside from the web shells, the adversary was also able to create a new account for persistence and to modify the password for one existing user.
To evade detection, the attacker renamed the web shell to masquerade as a legitimate file:
"cmd.exe" /c E: && cd\azure\azureapps\<domain>\ebiller\Email_templates\ && rename cmd.aspx a****.aspx
Command and control
The attacker utilised encoded PowerShell command to create a reverse TCP shell that connected to an IP address for C&C enabling them to execute commands to download additional tools:
| http://54.255.198[.]171/0x02.exe | 0x02.exe | C:\Users\Public\0x02.exe |
| http://54.255.198[.]171/rev.bat | rev.bat | C:\Users\Public\rev.bat |
| http://54.255.198[.]171/AnyDesk.exe | AnyDesk.exe | C:\Users\Public\AnyDesk.exe |
| http://54.255.198[.]171/ngrok.exe | n.exe | C:\Users\Public\n.exe |
The attacker was also able to instal the AnyDesk remote desktop application and configure it to start automatically when Windows starts with the following command:
"C:\users\public\AnyDesk.exe" --instal --start-with-win
Data collection and exfiltration
The contents of the web server’s working directory were archived via 7zip application with the following command:
Command: "cmd.exe" /c E: && cd\azure\azureapps\test. ****&& "C:\Programme Files\7-zip\7z.exe" a -r _x89z7a.zip ".\*"
The archive file was then exfiltrated from the host via the hosts own IIS server functionality by way of a GET request:
GET /_x89z7a.zip - 443 - 86.48.10[.]109 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/131.0.0.0+Safari/537.36 – 200
The attacker then deleted the zip file _x89z7a.zip to cover their tracks.
"cmd.exe" /c E: && cd\azure\azureapps\test.****\ && del /f _x89z7a.zip
There are also other files exfiltrated by the attacker using GET requests issued via C&C which include zip files and other files related to payments and transactions.
Technical analysis of collected files
We conducted further analysis of the collected files to better understand the contained threat. The following section contains what we found in our analysis of the different web shells uploaded in the victim host.
cmd.aspx cmd2.aspx default.aspx |
Allows arbitrary command shell code execution based on the input from the client side form "Request.Form["command"]" Exposes the output of the command to the client |
| 0514_Bills_Payment_Intraday_001102019_114424.aspx | Similar to cmd.aspx but uses powershell.exe for the arbitrary code execution instead of cmd.exe |
| 0514_Bills_Payment_Intraday_01012019_054034.aspx | Potentially allows arbitrary file management or manipulation Allows navigation, creation, editing and deletion of directories and files Also has upload function for potential adding of other components |
| cmd.asp | Allows arbitrary cmdline execution when access using the url "?cmd=<command>" and sends the results back to the sender Possible use format: "www.example.com/cmd.asp?cmd=<command>" |
hello.aspx |
Just contains the string "hello" |
up.aspx up.html |
Potentially allows arbitrary file upload, could have been the source of the other malicious scripts found in the server FileUploadControl.SaveAs() method saves the uploaded file directly to the server without sanitising its contents or thoroughly validating its type FileUploadControl.FileName is directly used without sanitisation, this can allow directory traversal or overwriting important server files |
| 0x02.exe | The unpacked samples were observed to be using Filipino and a mix of English and Filipino on its runtime debug log which is unusual (NOTE: local language for runtime debug strings can indicate the use of the language by the attacker or an attempt at false flag attribution) Used for arbitrary Remote Code Executions via RPC and named pipes. Requires previously mentioned VC runtime DLLs and arguments to run properly: -c - will contain the command line to execute via NamedPipes and RPC -d - session ID -i - inherit privilege option -h – help option Used for privilege escalation via various methods like impersonation, and security description manipulation Creates or connects to named pipe along with an RPC function Creates process based on provided command argument from pipe response |
Resolution and recommendations
Web shells are still a common threat faced by web server owners that highlight the need to be vigilant in monitoring and ensuring that servers adhere to best practises in security management and server configurations. The following bullets enumerate how the Managed XDR team responded to the incident discussed in this blog:
Response actions to contain and eradicate the threat
Upon discovery of additional payloads from the threat, we promptly isolated the endpoint to contain the threat and prevent it from further affecting other hosts. These additional payloads were collected by the team and were investigated and relayed to the analysis team for proper detection. Additional server logs were collected remotely to investigate the activity related to the web shells.
Tailored action items and recommendations based on the incident
From the result of investigations and communication with the customer, the source of web shell upload appears to originate from unrestricted upload files in the server. We recommended disabling the pages until proper file validation, restricting of file upload, and appropriate authorisation is setup for the upload functionality.
During the investigation we also observed the host’s lack of proper security agent (Endpoint Protection Platform) installation; installing proper security agents can prevent and mitigate impact, as they will detect web shells upon arrival.
Call with customer and Incident Report sharing
To better understand the incident, impact of the threat, and which action items are needed to be prioritised – an incident call was conducted with the customer. An Incident report containing the results of the incident analysis and recommendations was also created and shared with the customer to serve as a document reference.
To safeguard against similar threats, we recommend the following security measures to help organisations and enterprises effectively defend against web shell attacks:
- Validate and sanitise input. Make sure that all inputs on the web pages are validated and sanitised to prevent injection attacks.
- Implement authentication processes and restrict access. Implement strong authentication methods for any sensitive endpoints and restrict access to authorised users only.
- Patch your systems and applications. Review your server and web application for any known vulnerabilities. Ensure that the latest security patches are applied, especially to web frameworks or server software like IIS.
- Ensure security products are configured according to best practises. Make sure all security tools in place, such as endpoint detection, firewalls, and monitoring systems, are properly configured and updated according to vendor best practises to maintain robust defences against threats.
Trend Vision One threat intelligence
To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.
Trend Vision One Intelligence Reports App [IOC Sweeping]
- Investigating A Web Shell Intrusion With Trend Micro™ Managed XDR blog IOCs
Trend Vision One Threat Insights App
- Emerging Threats: Investigating A Web Shell Intrusion With Trend Micro™ Managed XDR
Hunting queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Potential webshell command execution:
((processFilePath:w3wp.exe AND objectFilePath:(cmd.exe OR powershell.exe)) OR parentFilePath:w3wp.exe AND processFilePath:(cmd.exe OR powershell.exe)) AND eventSubId: 2 AND NOT objectFilePath:(conhost.exe)
More hunting queries are available for Vision One customers withThreat Insights Entitlement enabled.
Indicators of compromise
Indicators of Comrpomise (IoCs) can be found in this link.