Hackers Attacking IIS Servers With New Web Shell Script to Gain Complete Remote Control

Cybersecurity researchers have uncovered a sophisticated web shell attack targeting Microsoft Internet Information Services (IIS) servers, allowing threat actors to achieve complete remote control over compromised systems.

The malicious script, identified as “UpdateChecker.aspx,” represents a significant escalation in web shell complexity, employing advanced obfuscation techniques to evade detection while maintaining persistent access to critical infrastructure.

The attack emerged from a broader investigation into cyber intrusions targeting critical national infrastructure in the Middle East, where threat actors successfully deployed multiple web shell servers across compromised systems.


Unlike traditional web shells that rely on simple PHP or ASP scripts, this variant leverages heavily obfuscated C# code embedded within an ASPX webpage file, making analysis considerably more challenging for security teams.

View of the content of the ASPX file with obfuscated C# code (Source – Fortinet)

Fortinet researchers Xiaopeng Zhang and John Simmons identified the malware during their follow-up analysis of the Middle East infrastructure breach, noting its sophisticated design and potentially devastating impact on affected organizations.

The web shell’s ability to operate seamlessly within Windows IIS environments while maintaining stealth through advanced obfuscation techniques makes it particularly dangerous for enterprise environments.

The malware carries high-severity implications: it grants attackers comprehensive control over compromised Windows systems.

Debugger view of a parsed command data in the web shell (Source – Fortinet)

Its deployment specifically targets IIS servers, which are commonly used in enterprise environments for hosting web applications and services, making it a valuable asset for threat actors seeking to establish long-term persistence within organizational networks.

Technical Architecture and Obfuscation Mechanisms

The UpdateChecker.aspx web shell demonstrates remarkable technical sophistication through its multi-layered obfuscation approach.

The malware’s C# codebase employs Unicode encoding for all readable elements, including method names, variable names, and class names, which are randomly generated to prevent signature-based detection. Additionally, all constant values, strings, and numerical data undergo encryption or encoding processes before compilation.
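The obfuscation the article describes, identifiers and constants written as Unicode escape sequences, is also a detectable artifact. The following scanner is an added example (not Fortinet's tooling and not code from the web shell itself): it scores an ASPX page on how many `\uXXXX` escapes it contains and what share of its identifier-like tokens carry one, walks an IIS web root for such pages, and decodes the escapes so an analyst can read the hidden names. The two sample pages and the thresholds are constructed assumptions for this example.

```python
"""Heuristic scan of ASPX pages for Unicode-escape obfuscation.

Added example, not Fortinet's tooling: scores an ASPX source on how many of its
C# identifiers and literals are written as \\uXXXX escape sequences. The
thresholds and the sample pages are assumptions made for this example.
"""
import os
import re
from dataclasses import dataclass

# C# accepts \uXXXX escapes both inside string literals and inside identifiers,
# which is what lets a page hide every readable name and constant.
ESCAPE_RE = re.compile(r"\\u[0-9a-fA-F]{4}")
# Identifier-like token: starts with a letter/underscore or an escape and
# continues with word characters or further escapes.
TOKEN_RE = re.compile(r"(?:\\u[0-9a-fA-F]{4}|[^\W\d])(?:\\u[0-9a-fA-F]{4}|\w)*")


@dataclass
class ScanResult:
    path: str
    escape_count: int           # number of \uXXXX sequences in the file
    escaped_token_ratio: float  # share of identifier-like tokens containing an escape
    non_ascii_chars: int        # raw non-ASCII characters (names in exotic scripts)
    suspicious: bool


def decode_escapes(text: str) -> str:
    """Turn \\uXXXX sequences back into characters so the hidden names can be read."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(0)[2:], 16)), text)


def scan_aspx_source(source: str, path: str = "<memory>",
                     escape_threshold: int = 10, ratio_threshold: float = 0.2) -> ScanResult:
    """Score one ASPX page. Thresholds are assumed starting points; tune per environment."""
    escapes = len(ESCAPE_RE.findall(source))
    tokens = TOKEN_RE.findall(source)
    escaped_tokens = sum(1 for t in tokens if "\\u" in t)
    ratio = escaped_tokens / len(tokens) if tokens else 0.0
    non_ascii = sum(1 for ch in source if ord(ch) > 127)
    suspicious = escapes >= escape_threshold or ratio >= ratio_threshold
    return ScanResult(path, escapes, round(ratio, 3), non_ascii, suspicious)


def scan_webroot(root: str) -> list:
    """Walk an IIS web root and return the suspicious server-side pages, most escapes first."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".aspx", ".ashx", ".asmx")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    results.append(scan_aspx_source(fh.read(), full))
    return sorted((r for r in results if r.suspicious), key=lambda r: -r.escape_count)


# Constructed samples (not the real malware): one page with escaped names, one ordinary page.
OBFUSCATED_SAMPLE = r'''<%@ Page Language="C#" %>
<script runat="server">
string \u0061\u0062\u0063(byte[] \u0064\u0065) { return "\u0078"; }
void Page_Load(object \u0069, EventArgs \u006a) {
    if (Request.HttpMethod == "\u0050\u004f\u0053\u0054") { \u0061\u0062\u0063(null); }
}
</script>'''

BENIGN_SAMPLE = r'''<%@ Page Language="C#" %>
<script runat="server">
void Page_Load(object sender, EventArgs e) {
    Label1.Text = DateTime.Now.ToString();
}
</script>'''

if __name__ == "__main__":
    for label, src in (("obfuscated", OBFUSCATED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_aspx_source(src, label))
    print(decode_escapes(r"\u0050\u004f\u0053\u0054"))
```

The escape count alone is a weak signal (legitimate pages occasionally escape a character or two), so the token ratio is the more useful indicator: an ordinary page has essentially no escaped identifiers, while a page that escapes every method and variable name sits well above any realistic threshold. Decoding the escapes is the quickest way to confirm a hit, since strings such as the HTTP method or content type the page checks become readable immediately.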

The web shell’s communication protocol requires HTTP POST requests with specific content-type headers set to “application/octet-stream.”

The HTTP POST traffic between the attacker and the web shell (Source – Fortinet)

Command data transmission follows a structured JSON format that includes mandatory keys such as ProtocolVersion, ModuleName, and RequestName, along with optional parameters depending on the requested operation.

| ModuleName | RequestName | Parameters |
|---|---|---|
| Base | GetBasicServerInfo | |
| Base | GetBasicServerApplicationInfo | |
| CommandShell | ExecuteCommand | WorkingDirectory, Command |
| FileManager | GetDrives | |
| FileManager | GetDriveInformation | DriveName |
| FileManager | GetWebRoot | |
| FileManager | GetFileSystemsList | Path |
| FileManager | CreateDirectory | Path, DirectoryName |
| FileManager | CopyDirectory | SourcePath, DestinationPath, DirectoryName, OverwriteAllow |
| FileManager | MoveDirectory | SourcePath, DestinationPath, DirectoryName, OverwriteAllow |
| FileManager | DeleteDirectory | Path |
| FileManager | GetDirectoryInformation | Path |
| FileManager | SetDirectoryTime | Path, CreationTimeUtc, LastModifiedTimeUtc, LastAccessTimeUtc |
| FileManager | SetDirectoryAttributes | Path, Attributes |
| FileManager | CreateFile | Path, FileName |
| FileManager | CopyFile | SourcePath, DestinationPath, OverwriteAllow, FileName |
| FileManager | MoveFile | SourcePath, DestinationPath, OverwriteAllow, FileName |
| FileManager | DeleteFile | Path |
| FileManager | GetFileContent | Path |
| FileManager | SetFileContent | Path, FileContent, FileName |
| FileManager | GetFileInformation | Path |
| FileManager | SetFileTime | Path, CreationTimeUtc, LastModifiedTimeUtc, LastAccessTimeUtc |
| FileManager | SetFileAttributes | Path, Attributes |
| FileManager | SearchByName | Path, Keyword, MatchCase, MatchWord |
| FileManager | SearchByContent | Path, FileTypes, Keyword, MatchCase |
| FileManager | ReplaceFileContent | Path, FileTypes, FindWhat, ReplaceWith, MatchCase, UseRegularExpression |
| FileManager | GetPathSeparator | |

The malware implements a dual-encryption scheme: the first 16 bytes of the request body carry a key that is itself encrypted using hardcoded values, and the command data that follows is encrypted with a derived 15-byte key.
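Because the command body is encrypted, network defenders cannot match on the JSON keys directly, but the traffic shape the article describes (repeated HTTP POSTs to a single .aspx page that the application never exposed as a form handler) is visible in ordinary IIS logs. The hunting script below is an added example, not Fortinet's detection logic: it parses the default IIS W3C log layout, keeps POSTs to .aspx pages outside an assumed allowlist of known form endpoints, and reports client/page pairs with repeated posts, counting how many lacked a Referer (browser-driven posts normally carry one; a tool talking to a web shell usually does not). The log lines, IP addresses and allowlist are constructed for this example.

```python
"""Hunt for web-shell-style POST traffic in IIS W3C logs.

Added example, not Fortinet's detection logic. The sample log, the allowlist
and the thresholds are assumptions constructed for this example.
"""
from collections import Counter

# Constructed sample in the default IIS W3C field layout (spaces in fields are
# logged as '+' by IIS). Hosts and addresses are from documentation ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-01 00:00:01 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2025-01-01 00:00:02 10.0.0.5 POST /Login.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) https://app.example/Default.aspx 302 0 0 40
2025-01-01 00:01:10 10.0.0.5 POST /UpdateChecker.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-01-01 00:01:12 10.0.0.5 POST /UpdateChecker.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 95
2025-01-01 00:01:15 10.0.0.5 POST /UpdateChecker.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 310
2025-01-01 00:02:00 10.0.0.5 GET /UpdateChecker.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 10
"""

# Assumed allowlist: the application's legitimate form handlers. Build this from
# the deployed site's own pages; anything else receiving POSTs deserves a look.
KNOWN_POST_ENDPOINTS = {"/Login.aspx", "/Search.aspx"}


def parse_w3c(text: str):
    """Yield one dict per data line, using the #Fields directive for column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_suspicious_posts(records, known=KNOWN_POST_ENDPOINTS, min_posts: int = 2):
    """Return client/page pairs with repeated POSTs to .aspx pages outside the allowlist."""
    posts = Counter()
    no_referer = Counter()
    for rec in records:
        if rec.get("cs-method") != "POST":
            continue
        stem = rec.get("cs-uri-stem", "")
        if not stem.lower().endswith(".aspx") or stem in known:
            continue
        key = (stem, rec.get("c-ip", "-"))
        posts[key] += 1
        if rec.get("cs(Referer)", "-") == "-":
            no_referer[key] += 1
    findings = [
        {"uri_stem": stem, "client_ip": ip, "posts": n,
         "posts_without_referer": no_referer[(stem, ip)]}
        for (stem, ip), n in posts.items() if n >= min_posts
    ]
    return sorted(findings, key=lambda f: -f["posts"])


if __name__ == "__main__":
    for finding in find_suspicious_posts(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

The default IIS log format does not record the request Content-Type, so the `application/octet-stream` requirement the article notes cannot be checked here; confirm it from a WAF, reverse proxy or packet capture once a page has been flagged. The page-plus-client aggregation is deliberate: a web shell serves one operator hitting one file repeatedly, which stands out even when each request returns a plain 200.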

Functionally, the web shell organizes its capabilities into three distinct modules: Base for system reconnaissance, CommandShell for executing Windows commands under the privileges of the IIS worker process, and FileManager for comprehensive file system operations.

This modular architecture enables attackers to perform various malicious activities, from initial system enumeration to advanced file manipulation and command execution, all while maintaining the appearance of legitimate IIS server activity.
