Web shell malware

Malicious web shells are a type of software uploaded to a compromised web server that enable remote access to an attacker. While web shells may be benign, their use by cyber adversaries is becoming more frequent due to the increasing use of web-facing services by organisations across the world.

The Australian Signals Directorate and counterparts at the US National Security Agency (NSA) have for the first time jointly published new guidance on mitigating the threat of web shell malware.

Throughout 2019, a range of malicious cyber actors continued to target Australia and our international partners, conducting cyber operations that threatened national, economic and security interests in government and the private sector.

The advisory underscores the determination of both Australia and the United States to collaboratively combat malicious cyber activity and is the first product of its kind published jointly between ASD and NSA. ASD, for its part, has undertaken previous analysis and reporting on web shell use by malicious entities, including development of detection capabilities.

Web shell malware can facilitate cyber attackers' access to a network where they are able to execute arbitrary system commands, enumerate system information, steal data, install additional malicious software or use the infected server to pivot further into the network. Infected web servers can either be internet-facing or internal to the network, such as content management systems.

Due to the increasing use of web shells by adversaries to gain reliable access to compromised systems, ASD and NSA have jointly produced a Cybersecurity Information Sheet (CIS) to help computer network defenders detect, prevent and mitigate the use of this type of malware. This guidance will be useful for any network defenders responsible for maintaining web servers.

Malicious web shells may be difficult to detect through passive web monitoring because attackers are able to easily modify it or use encryption methods to hide their actions. Attackers can use their access servers as relay points to direct commands to other systems, while appearing as legitimate web traffic.

A web shell can be written in any language that the target web server supports. The most commonly observed web shells are written in languages that are widely supported, such as PHP and ASP. Perl, Ruby, Python and Unix shell scripts are also used.

The Detect and Prevent Web Shell Malware (PDF) advisory developed by ASD and NSA utilises a defence-in-depth approach to discover and disable hidden threats, relying on multiple detection capabilities to flag and mitigate problems.

 

NSA-ASD Cybersecurity Information: Detect and Prevent Web Shell Malware (PDF)

NSA News: Detect and prevent cyber attackers from exploiting web servers via web shell malware

Content complexity
Advanced
This rating relates to the complexity of the advice and information provided on the page.
Icon for ReportReport a cyber security incident for critical infrastructure Icon for becoming a alertsGet alerts on new threatsAlert Service Become anACSC partner Icon for reportingReport a cybercrime or cyber security incident
Acknowledgement of Country icon
Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.
Authorised by the Australian Government, Canberra