
Hackers Exploit IIS Servers with New Web Shell Script for Full Remote Control

Security researchers have examined a sophisticated web shell script called UpdateChecker.aspx that was installed on compromised Internet Information Services (IIS) servers, amid a notable increase in cyberthreats directed at Microsoft Windows installations.

This analysis stems from a follow-up investigation by FortiGuard’s Incident Response Team into a prolonged intrusion at a Middle East critical national infrastructure (CNI) site, where attackers installed multiple web shells to maintain persistent access.

The web shell enables full remote control of affected systems, posing a high-severity risk to Windows users by allowing unauthorized command execution, file manipulation, and data exfiltration.

Unveiling the Obfuscated Threat

Operating under the guise of a legitimate ASPX page, the script leverages heavy obfuscation in its C# code, with randomly generated method, variable, and class names encoded in Unicode, alongside encrypted strings and numeric constants.

Figure: View of the content of the ASPX file with obfuscated C# code.

This obfuscation thwarts initial reverse-engineering efforts, but deobfuscation reveals the core functionality centered around the Page_Load() entry point, which processes incoming HTTP requests exclusively on the server side.

The web shell accepts commands only via HTTP POST requests with an application/octet-stream content type; any deviation triggers an error response.

Command payloads are JSON objects that are encrypted and then Base64-encoded. The first 16 bytes form a header that is decrypted with a hardcoded key to yield a 15-byte session key, which is then used to decrypt the remaining data.

Required JSON keys are ProtocolVersion (fixed at 1.0), ModuleName, and RequestName, with optional parameters dictating specific actions. Omitting any of them produces an error message, so the shell validates every command strictly before acting on it.

Traffic analysis, captured with tools like Wireshark, shows encrypted binary data in POST bodies that decrypts to JSON-formatted instructions and responses, allowing attacker-victim interactions to blend in with ordinary web traffic without raising immediate alarms.

Comprehensive System Domination

The web shell’s architecture divides functionalities into three modules: Base, CommandShell, and FileManager, each offering granular control over the compromised host.

The Base module provides reconnaissance via requests like GetBasicServerInfo and GetBasicServerApplicationInfo, harvesting details such as server software, IP address, OS version, machine name, and runtime environment.

CommandShell enables arbitrary Windows command execution under IIS privileges, exemplified by running ‘whoami’ to identify the current user context.

FileManager stands out with extensive file system operations, including directory creation, file copying/moving, deletion, content searching by name or keyword (with options for case sensitivity and regex), and attribute modifications like timestamps or permissions.

For instance, attackers can create directories, inject Base64-encoded content into files, retrieve file data, or perform bulk replacements across specified paths and file types.

Figure: Base64-decoded POST body data.

Demonstrations using a custom Python script simulate real-world exploitation: querying server info exposes environmental details; executing commands reveals user privileges; and file operations allow creating, modifying, and deleting resources, such as forging a ‘test’ folder and a ‘test.txt’ file owned by the DefaultAppPool identity, complete with injected content like “Hi Fortinet!”

These capabilities underscore the web shell’s potency for lateral movement, data theft, or further payload deployment in breached networks.

According to the report, Fortinet’s protections detect the ASPX file under signatures like ASP/WebShell.32BC!tr across products including FortiGate, FortiMail, FortiClient, FortiEDR, and FortiWeb, emphasizing the need for updated antivirus engines and web application firewalls.

Organizations suspecting compromise should engage incident response teams and bolster awareness through security training to mitigate phishing vectors that often precede such intrusions.

This web shell exemplifies advanced persistence mechanisms in state-sponsored or sophisticated cyber operations, highlighting the urgency for Windows administrators to audit IIS servers for anomalous ASPX files and enforce strict request filtering.
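One way to carry out that audit, as an added example that is not from the report or from Fortinet: a Python script that walks an IIS content root, compares each ASPX file's SHA-256 against the hash published in the report's IOC table, and otherwise flags files that combine a Page_Load handler with the Unicode-obfuscated identifiers the analysis describes. The constructed sample, the five-token threshold, and the decision to require Page_Load plus obfuscation are assumptions.

```python
import hashlib
import os
import re
# SHA-256 of UpdateChecker.aspx as listed in the report's IOC table.
KNOWN_BAD_SHA256 = {"a841c8179ac48bdc2ebf1e646d4f552d9cd02fc79207fdc2fc783889049f32bc"}
# C# allows Unicode letters in identifiers, and the analysed shell used randomly
# generated Unicode names: runs of non-ASCII characters and \uXXXX escapes are
# counted as such tokens. The threshold of five tokens is an assumption.
NON_ASCII_RUN = re.compile(r"[^\x00-\x7f]{2,}")
UNICODE_ESCAPE = re.compile(r"\\u[0-9a-fA-F]{4}")
# Constructed sample that mimics the described markers; not the real shell.
SUSPICIOUS_SAMPLE = """<%@ Page Language="C#" %><script runat="server">
class ΔΣΞ { public string ΛΩΨ; }
void Page_Load(object ΘΦΓ, EventArgs ΠΡΤ) {
  if (Request.ContentType != "application/octet-stream") { Response.End(); }
  var ΒΖΗ = new ΔΣΞ(); var ΜΝΚ = Request.InputStream; }
</script>"""

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def score_aspx(text):
    """Markers from the report: Page_Load entry, octet-stream gate, Unicode names."""
    tokens = len(NON_ASCII_RUN.findall(text)) + len(UNICODE_ESCAPE.findall(text))
    return {
        "page_load": "Page_Load" in text,
        # The shell encrypts its strings, so this literal may be absent: a
        # supporting signal only, never a requirement.
        "octet_stream": "application/octet-stream" in text,
        "unicode_identifiers": tokens >= 5,
    }

def hunt(root):
    """Walk an IIS content root; return (path, reason) pairs worth triage."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            if sha256_file(path) in KNOWN_BAD_SHA256:
                findings.append((path, "SHA-256 matches published IOC"))
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                m = score_aspx(fh.read())
            if m["page_load"] and m["unicode_identifiers"]:
                hits = ", ".join(k for k, v in m.items() if v)
                findings.append((path, "obfuscated handler (" + hits + ")"))
    return findings
```

Run hunt() against the site root (for example C:\inetpub\wwwroot) and treat each finding as a triage lead rather than a verdict, since legitimate pages written in non-Latin scripts can also trip the identifier heuristic.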

Indicators of Compromise (IOCs)

File: UpdateChecker.aspx
SHA-256: A841C8179AC48BDC2EBF1E646D4F552D9CD02FC79207FDC2FC783889049F32BC
