A recent wave of cyberattacks targeting South Korean web servers has raised alarms among cybersecurity professionals.
Security analysts have identified that threat actors are leveraging both Windows and Linux server vulnerabilities to deploy web shells, malicious scripts that grant attackers persistent remote access to compromised systems.
The attacks begin with the exploitation of file upload vulnerabilities in web servers. Attackers exploit these weaknesses to place web shells, commonly in ASP and ASPX formats, on the targeted Windows IIS servers.
Forensic evidence from recent incidents reveals web shells located in paths such as D:\WEB\**\**\Data\Editor\File\g.asp and D:\WEB\**\**\Data\Editor\File\test9\1.aspx.
Once installed, these web shells serve as the initial foothold, allowing attackers to execute reconnaissance commands and upload additional malicious payloads.
Among the arsenal of tools deployed are well-known web shells such as Chopper, Godzilla, and ReGe-ORG. Attackers use these to maintain persistent access and execute commands.
The use of public tools complicates attribution, but the selection of utilities like Ladon, Fscan, MeshAgent, and SuperShell, all of which are frequently associated with Chinese-speaking threat actors, provides clues to the attackers’ origins.
Reconnaissance is conducted using a series of commands, including ipconfig, whoami, systeminfo, netstat -ano, and network scanning with Fscan.
Privilege escalation is achieved through the abuse of Ladon, a tool often used for scanning, privilege escalation, and credential theft.
The attackers specifically used PowerLadon (a PowerShell version of Ladon) and the SweetPotato command to elevate privileges, necessary because the web server process (w3wp.exe) typically lacks administrative rights.
Beyond Windows environments, attackers have also targeted Linux servers. The addresses used to distribute the malicious code also served ELF-based malware, indicating that the campaign is not limited to Windows systems.
Tools such as SuperShell, developed in Go and supporting multiple platforms (Windows, Linux, Android), and MeshAgent, which provides remote management capabilities, are used to maintain control and facilitate lateral movement.
Notably, the malware WogRAT was also identified within the attack infrastructure. WogRAT is a backdoor malware that borrows routines from the open-source Tiny SHell, and it is available in both Windows and Linux versions.
The use of the same command-and-control (C2) server address as in previous WogRAT attacks, which exploited the aNotepad platform, suggests that the same threat actor may be responsible for both campaigns.
To move laterally within victim networks, attackers use stolen credentials obtained via tools like Network Password Dump. Lateral movement is facilitated using WMIExec and Ladon, with commands targeting both Windows and MS-SQL servers.
For example, attackers used PowerShell to execute commands across the network, leveraging stolen admin credentials and NT hashes.
The ultimate goal of these attacks remains unclear, but the attackers’ ability to maintain persistent access and move laterally poses a significant risk.
Organizations could face data theft, further malware deployment, or even ransomware attacks if the attackers gain complete control of the network.
Key indicators of compromise (IOCs) include specific MD5 hashes (e.g., 06ebef1f7cc6fb21f8266f8c9f9ae2d9), URLs (e.g., http[:]//45.76.219.39/mc.exe), and IP addresses (e.g., 66.42.113.183).
Security teams are advised to monitor for these IOCs and review their web server configurations to mitigate file upload vulnerabilities.
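As an added example (not code from the article or the incident it reports), this is one check a security team could run for the first stage described above and for the monitoring advice here: scan an IIS web root for server-side script files sitting in upload-only folders of the \Data\Editor\File\ kind the article quotes, and find the IIS W3C log requests that executed them. The directory layout and log field order are assumptions, and the sample files and log lines are constructed.

```python
# Added example: hunt for web shells that landed in IIS upload-only folders and
# for the requests that executed them. Directory layout and W3C field order are
# assumed; sample files and log lines are constructed, not from the incident.
import os
import re
import tempfile
from pathlib import Path

SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx"}   # IIS runs these as code
UPLOAD_MARKERS = ("data/editor/file/", "/upload/", "/uploads/")  # data-only dirs

def is_upload_path(path: str) -> bool:
    norm = "/" + path.replace("\\", "/").lower().lstrip("/")
    return any(m in norm for m in UPLOAD_MARKERS)

def find_scripts_in_uploads(web_root: str) -> list[str]:
    """Relative paths of script files found under an upload-only directory."""
    hits = []
    for dirpath, _, files in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root).replace(os.sep, "/")
        if is_upload_path(rel_dir + "/"):
            hits += [f"{rel_dir}/{n}" for n in files if Path(n).suffix.lower() in SCRIPT_EXTS]
    return sorted(hits)

# Assumed default W3C field order: date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status
IIS_LINE = re.compile(r"^\S+ \S+ \S+ (?P<method>\S+) (?P<uri>\S+) \S+ \S+ \S+ (?P<cip>\S+) ")

def find_shell_requests(log_lines) -> list[tuple[str, str, str]]:
    """(client_ip, method, uri) for requests that ran a script in an upload dir."""
    out = []
    for line in log_lines:
        m = None if line.startswith("#") else IIS_LINE.match(line)  # skip headers
        if m and Path(m["uri"]).suffix.lower() in SCRIPT_EXTS and is_upload_path(m["uri"]):
            out.append((m["cip"], m["method"], m["uri"]))
    return out

SAMPLE_LOG = [  # constructed; 192.0.2.0/24 is documentation address space
    "2025-01-01 00:00:01 10.0.0.5 GET /index.aspx - 80 - 192.0.2.10 Mozilla/5.0 - 200",
    "2025-01-01 00:00:02 10.0.0.5 POST /Data/Editor/File/g.asp - 80 - 192.0.2.10 python-requests/2.31 - 200",
    "2025-01-01 00:00:03 10.0.0.5 GET /Data/Editor/File/photo.jpg - 80 - 192.0.2.11 Mozilla/5.0 - 200",
]

def demo_scan() -> list[str]:
    """Build a constructed web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        up = Path(root, "Data", "Editor", "File")
        up.mkdir(parents=True)
        (up / "photo.jpg").write_bytes(b"\xff\xd8")                   # legitimate upload
        (up / "g.asp").write_text("<% ' placeholder script body %>")  # must not be here
        Path(root, "default.aspx").write_text("<%@ Page %>")          # legitimate app code
        return find_scripts_in_uploads(root)
```

Any hit from either function is a file to pull for forensic review together with the client IP that reached it; the upload folder itself should have script execution disabled in the IIS handler mappings so a planted file cannot run at all.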
In conclusion, this campaign highlights the evolving tactics of cybercriminals, who are increasingly targeting both Windows and Linux environments with sophisticated, cross-platform tools.
Vigilance, timely patching, and robust monitoring are crucial to defending against such multifaceted threats.