Malicious web shells are a type of software uploaded to a compromised web server to enable remote access by an attacker. While web shells may be benign, their use by cyber adversaries is becoming more frequent due to the increasing use of web-facing services by organisations across the world. The Australian Signals Directorate and counterparts at the US National Security Agency (NSA) have for the first time jointly published new guidance on mitigating the threat of web shell malware.
Throughout 2019, a range of malicious cyber actors continued to target Australia and our international partners, conducting cyber operations that threatened national, economic and security interests in government and the private sector.
The advisory underscores the determination of both Australia and the United States to collaboratively combat malicious cyber activity and is the first product of its kind published jointly between ASD and NSA. The ASD, for its part, has undertaken previous analysis and reporting on web shell use by malicious entities, including development of detection capabilities.
Web shell malware can facilitate cyber attackers' access to a network where they are able to execute arbitrary system commands, enumerate system information, steal data, install additional malicious software or use the infected server to pivot further into the network. Infected web servers can either be internet-facing or internal to the network, such as content management systems.
Due to the increasing use of web shells by adversaries to gain reliable access to compromised systems, the ASD and NSA have jointly produced a Cybersecurity Information Sheet (CIS) to help computer network defenders detect, prevent and mitigate the use of this type of malware. This guidance will be useful for any network defenders responsible for maintaining web servers.
Malicious web shells may be difficult to detect through passive web monitoring because attackers are able to easily modify them or use encryption methods to hide their actions. Attackers can also use the servers they have compromised as relay points to direct commands to other systems, while appearing as legitimate web traffic.
A web shell can be written in any language that the target web server supports. The most commonly observed web shells are written in languages that are widely supported, such as PHP and ASP. Perl, Ruby, Python and Unix shell scripts are also used.
The Detect and Prevent Web Shell Malware (PDF) advisory developed by the ASD and NSA utilises a defence-in-depth approach to discover and disable hidden threats, relying on multiple detection capabilities to flag and mitigate problems.
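As an added illustration of one detection layer such a defence-in-depth approach can rely on (example code written for this page, not taken from the advisory): compare a live web root against a known-good baseline, then inspect only the new or changed script files for constructs typical of web shells. The `SUSPICIOUS` pattern, the extension list and both sample trees are constructed assumptions, and a hit is a lead for review rather than proof of compromise.

```python
"""Known-good comparison of a web root to surface candidate web shells."""
import hashlib
import os
import re

# Constructed heuristic: code-execution or shell functions fed directly from
# request input, optionally via base64_decode(). Indicator only; review each hit.
SUSPICIOUS = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|exec|popen)\s*\(\s*"
    rb"(?:base64_decode\s*\(\s*)?\$_(?:GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)
# Server-side script extensions worth content inspection (assumed list).
SCRIPT_EXT = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".pl", ".py", ".rb", ".sh"}


def load_tree(root):
    """Read every file under root into {relative POSIX path: bytes}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files


def baseline_digests(files):
    """SHA-256 per path; store this from a trusted deployment, not the live host."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_to_baseline(baseline, files):
    """Return (added, modified) paths in the live tree relative to the baseline."""
    current = baseline_digests(files)
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    return added, modified


def flag_suspicious(files, paths):
    """Of the given paths, keep script files whose content matches SUSPICIOUS."""
    return sorted(p for p in paths
                  if os.path.splitext(p)[1].lower() in SCRIPT_EXT and SUSPICIOUS.search(files[p]))


def scan(baseline, files):
    """Full pass: diff against baseline, then inspect only what changed."""
    added, modified = compare_to_baseline(baseline, files)
    return {"added": added, "modified": modified,
            "suspicious": flag_suspicious(files, added + modified)}


KNOWN_GOOD = {"index.php": b"<?php echo 'hello'; ?>",          # constructed baseline
              "uploads/logo.png": b"\x89PNG..."}
LIVE = {"index.php": b"<?php echo 'hello, world'; ?>",         # constructed: benign edit
        "uploads/logo.png": b"\x89PNG...",
        "uploads/.cache.php": b"<?php @eval(base64_decode($_POST['c'])); ?>"}  # constructed: dropped shell
```

On a real host, build the baseline with `load_tree()` on a clean deployment and run `scan()` against `load_tree()` of the live web root; a benign content edit shows up as modified but not suspicious, while a new script file that executes request input is surfaced for review.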
NSA-ASD Cybersecurity Information: Detect and Prevent Web Shell Malware (PDF)