Threat Actors Exploit Windows and Linux Server Vulnerabilities to Deploy Web Shells
Threat actors have been observed exploiting file upload vulnerabilities to deploy web shells and advanced malware on both Windows and Linux systems.
The campaign, which showcases a blend of publicly available tools and custom malicious payloads, indicates a highly coordinated effort to compromise organizational networks through initial access, persistence, and lateral movement.
Sophisticated Attack Campaign
Security researchers have identified the use of tools like MeshAgent, SuperShell, and the backdoor malware WogRAT, suggesting a potential link to Chinese-speaking attackers based on historical usage patterns of these tools.
The attackers’ strategy involves exploiting vulnerabilities in web servers, particularly Windows IIS environments, to install web shells such as Chopper, Godzilla, and ReGe-ORG in ASP and ASPX formats, enabling persistent remote control over compromised systems.
The attack chain begins with the exploitation of file upload flaws, allowing attackers to plant web shells in specific server paths for command execution and reconnaissance.

Commands like ipconfig, whoami, and netstat -ano are used to gather system information, while tools like Fscan facilitate network scanning to identify additional targets.
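The reconnaissance step described above leaves a recognisable trace in endpoint telemetry: a web server worker process (w3wp.exe for IIS, php-fpm or httpd on Linux) spawning a command shell that runs whoami, ipconfig or netstat. The following detection logic is an added example written for this article, not code from the report it summarises. It runs over constructed process-creation events in a Sysmon/EDR-like shape; the host names, paths and the severity scheme are assumptions.

```python
import re

# Constructed process-creation events (Sysmon EID 1 / EDR style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "iis-01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "iis-01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "ipconfig /all & netstat -ano"'},
    # ASP.NET dynamic compilation: w3wp legitimately launches csc.exe (benign).
    {"host": "iis-01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig /fullpaths @tmp.cmdline"},
    {"host": "iis-01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    # Same recon command, but from an interactive session, not a web worker (benign).
    {"host": "ws-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig"},
    {"host": "web-lnx-02", "parent": "/usr/sbin/php-fpm8.2",
     "image": "/bin/sh", "cmdline": "sh -c whoami"},
]

# Web server worker processes that should rarely, if ever, spawn a shell.
WEB_WORKERS = {"w3wp.exe", "php-fpm", "apache2", "httpd", "nginx"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}
# Reconnaissance commands named in the report.
RECON = {
    "whoami": re.compile(r"\bwhoami\b", re.I),
    "ipconfig": re.compile(r"\bipconfig\b", re.I),
    "netstat -ano": re.compile(r"\bnetstat\b[^&|;]*-ano", re.I),
}


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_web_worker(parent):
    name = basename(parent)
    # php-fpm binaries are often versioned (php-fpm8.2); match on prefix.
    return name in WEB_WORKERS or name.startswith("php-fpm")


def classify(event):
    """Return an alert dict for a suspicious web-worker child process, else None."""
    if not is_web_worker(event["parent"]):
        return None
    hits = [label for label, pat in RECON.items() if pat.search(event["cmdline"])]
    child = basename(event["image"])
    if hits:
        severity = "high"        # shell from a web worker running recon commands
    elif child in SHELLS:
        severity = "medium"      # shell from a web worker, no recon seen yet
    else:
        return None              # e.g. csc.exe compilation: expected behaviour
    return {"host": event["host"], "parent": basename(event["parent"]),
            "child": child, "severity": severity, "recon": hits}


def detect(events):
    return [alert for alert in map(classify, events) if alert]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The parent-process check is what gives the rule its precision: the same ipconfig run from explorer.exe is ignored, while a shell launched by the IIS worker is flagged even before any recon command appears, because a web shell is usually the only reason w3wp.exe would start cmd.exe or powershell.exe.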
Multi-Stage Attack Process
Privilege escalation is achieved using Ladon, a tool popular among Chinese-speaking threat actors, often through its PowerShell variant, PowerLadon, with commands like SweetPotato to gain higher permissions.
For command and control, SuperShell, a Go-based reverse shell supporting multiple platforms, and MeshAgent, which offers remote desktop capabilities, are deployed alongside proxy tools to maintain access.
Notably, the campaign also targets Linux servers, as evidenced by the presence of ELF-based malware at malicious distribution points.
WogRAT, a backdoor inspired by the open-source Tiny SHell, has been linked to prior attacks exploiting platforms like aNotepad, with identical C&C server addresses pointing to a recurring threat actor.
Credential theft using tools like Network Password Dump and lateral movement via WMIExec and Ladon further amplify the attack’s impact, targeting internal systems and even MS-SQL servers to expand control within the network.
While the ultimate objective remains unclear, potential outcomes include data exfiltration or ransomware deployment, posing a severe risk to affected organizations.
Indicators of Compromise (IOCs)
The following table lists key IOCs associated with this campaign, as provided by security analysis.
Type | Value
---|---
MD5 | 06ebef1f7cc6fb21f8266f8c9f9ae2d9
MD5 | 3f6211234c0889142414f7b579d43c38
MD5 | 460953e5f7d1e490207d37f95c4f430a
MD5 | 4c8ccdc6f1838489ed2ebeb4978220cb
MD5 | 5c835258fc39104f198bca243e730d57
URL | http://139.180.142.127/Invoke-WMIExec.ps1
URL | http://45.76.219.39/bb
URL | http://45.76.219.39/mc.exe
URL | http://66.42.113.183/acccc
URL | http://66.42.113.183/kblockd
FQDN | linuxwork.net
IP | 108.61.247.121
IP | 66.42.113.183
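A practical use of the table above is a retrospective sweep of proxy, DNS, firewall and endpoint logs for any of the listed hashes, URLs and hosts. The sweep below is an added example, not code from the report; the IOC values are taken from the table, while the log lines it is run against are constructed for illustration and the log formats are assumptions.

```python
import re

# IOCs from the table above.
IOC_MD5 = {
    "06ebef1f7cc6fb21f8266f8c9f9ae2d9", "3f6211234c0889142414f7b579d43c38",
    "460953e5f7d1e490207d37f95c4f430a", "4c8ccdc6f1838489ed2ebeb4978220cb",
    "5c835258fc39104f198bca243e730d57",
}
IOC_URLS = {
    "http://139.180.142.127/Invoke-WMIExec.ps1", "http://45.76.219.39/bb",
    "http://45.76.219.39/mc.exe", "http://66.42.113.183/acccc",
    "http://66.42.113.183/kblockd",
}
IOC_FQDN = {"linuxwork.net"}
IOC_IPS = {"108.61.247.121", "66.42.113.183"}
# Also treat the hosts embedded in the IOC URLs as indicators, so a bare
# connection to a distribution host is caught even without the full URL.
IOC_HOSTS = IOC_IPS | IOC_FQDN | {
    re.match(r"https?://([^/]+)", u).group(1) for u in IOC_URLS
}

# Constructed log lines (proxy, DNS, firewall, EDR file inventory); not real data.
SAMPLE_LOGS = [
    "2025-03-10T10:21:03Z proxy src=10.0.0.12 GET http://45.76.219.39/mc.exe status=200",
    "2025-03-10T10:22:41Z dns client=10.0.0.12 query=linuxwork.net type=A",
    "2025-03-10T10:25:09Z fw src=10.0.0.12 dst=108.61.247.121 dport=443 action=allow",
    r"2025-03-10T11:02:55Z edr host=iis-01 file=C:\inetpub\wwwroot\upload\x.aspx md5=3f6211234c0889142414f7b579d43c38",
    "2025-03-10T11:05:00Z proxy src=10.0.0.40 GET http://updates.example.com/agent.msi status=200",
    "2025-03-10T11:06:12Z fw src=10.0.0.40 dst=10.0.0.1 dport=53 action=allow",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)


def sweep_line(line):
    """Return [(kind, value), ...] for every IOC found in one log line."""
    found = []
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;")
        if url.lower() in {u.lower() for u in IOC_URLS}:
            found.append(("url", url))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_HOSTS:
            found.append(("host", ip))
    for host in HOST_RE.findall(line):
        if host.lower() in IOC_FQDN:
            found.append(("host", host.lower()))
    for digest in MD5_RE.findall(line):
        if digest.lower() in IOC_MD5:
            found.append(("md5", digest.lower()))
    return found


def sweep(lines):
    """Return [(line_number, kind, value), ...] across all lines (1-indexed)."""
    return [(n, kind, value)
            for n, line in enumerate(lines, 1)
            for kind, value in sweep_line(line)]


if __name__ == "__main__":
    for n, kind, value in sweep(SAMPLE_LOGS):
        print(f"line {n}: {kind} match {value}")
```

Matching on the hosts derived from the URLs, not only on the two IPs listed under the IP row, is deliberate: the proxy line above hits both the full download URL and the 45.76.219.39 host, so a later connection to the same host for a different path would still surface.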