
In parallel, the other two modules inject credential-harvester code into the authentication system file and backdoor code into the custom hooks configuration file, respectively.
“Upon establishing a foothold on the REDCap server, UNC6508 performed internal reconnaissance and credential discovery to obtain database and service account credentials,” GTIG researchers said in a blog post. “The threat actor also deployed a web shell named ‘help.php’, which maintained persistence and functioned as an uploader in the REDCap application.”
The backdoor supports a range of remote commands that allow operators to manage files, execute shell commands, gather system information, and maintain control over compromised REDCap servers, providing UNC6508 with a rich post-compromise toolkit.
