Saturday, February 22, 2025

APT44’s ASPX web shell leverages obfuscation techniques and firewall rule manipulation to evade detection

 

Summary

According to open and public intelligence, the Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST), military unit 74455. This group has been active since at least 2009.

 

This report covers a new finding of an ASPX web shell from April 2024. Web shells have been relatively rare for the Sandworm Team, which suggests a new tendency, shared with other APT groups, to pay more attention to web security: opening an entry point through a web application and establishing persistence with a web shell as a backdoor.

 

Technical analysis

The sample md5: 7c33812c068c79190554b797dfd46629

 

The web shell is very simple but powerful: it can execute system commands, create a new Windows Firewall rule, upload and download files, write text content to a file, list files in a table, read files, and delete files and directories recursively.

Figure 1 - the main functions of the web shell


The Ugw function is designed to accept a system command, run it, and print the command's output. The line “ProcessStartInfo ghjf = new ProcessStartInfo(@"cm" + @"d.exe", @"/" + @"C" + uhgl.Text + "");” uses obfuscation techniques, namely string concatenation and unnecessary escaping:

1. String concatenation: the code uses @"cm" + @"d.exe" instead of writing cmd.exe directly, so the string cmd.exe never appears contiguously in the source.

2. Unnecessary escaping: the use of @"/" + @"C" instead of simply "/C" adds another layer of obfuscation.

Figure 2 - execute command snippet
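Because the split literals only hide the indicator from a naive grep of the source, a defender can fold them back together before matching. The following scanner is an added example, not code from the report or from the web shell: it finds chains of C# string literals joined with "+" in ASPX source, concatenates them, and flags folded values that contain an indicator such as cmd.exe or a firewall cmdlet. The sample page it scans is constructed for this example; only the ProcessStartInfo line is the one quoted in the report, and the surrounding handler name and the other lines are invented.

```python
import re
from dataclasses import dataclass

# One C# string literal: verbatim @"..." (a quote is doubled as "") or ordinary "..." (backslash escapes).
LITERAL = r'@"(?:[^"]|"")*"|"(?:[^"\\]|\\.)*"'
# Two or more literals joined with '+', e.g.  @"cm" + @"d.exe"
CHAIN_RE = re.compile(rf'(?:{LITERAL})(?:\s*\+\s*(?:{LITERAL}))+')
SINGLE_RE = re.compile(LITERAL)

# Case-insensitive substrings that a normal ASP.NET page has no reason to hold in a string constant.
INDICATORS = ("cmd.exe", "powershell", "new-netfirewallrule", "netsh advfirewall")


def unquote(lit: str) -> str:
    """Return the runtime value of a single C# string literal."""
    if lit.startswith('@"'):
        return lit[2:-1].replace('""', '"')
    return re.sub(r'\\(.)', r'\1', lit[1:-1])


@dataclass
class Finding:
    line: int          # 1-based line in the scanned source
    folded: str        # the literal(s) after concatenation
    fragments: int     # how many literals were joined (1 = not split)
    indicators: tuple  # which INDICATORS matched the folded value
    kind: str          # obfuscated-indicator | plain-indicator | split-literal


def classify(folded: str, fragments: int):
    hits = tuple(i for i in INDICATORS if i in folded.lower())
    if hits and fragments > 1:
        kind = "obfuscated-indicator"   # indicator that was deliberately split
    elif hits:
        kind = "plain-indicator"
    else:
        kind = "split-literal"          # concatenation without a known indicator; review manually
    return hits, kind


def scan(source: str) -> list:
    """Fold '+'-joined literals per line and report anything worth an analyst's look."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        consumed = []
        for m in CHAIN_RE.finditer(line):
            parts = SINGLE_RE.findall(m.group(0))
            folded = "".join(unquote(p) for p in parts)
            hits, kind = classify(folded, len(parts))
            findings.append(Finding(lineno, folded, len(parts), hits, kind))
            consumed.append(m.span())
        # Single literals outside any chain are reported only when they carry an indicator.
        for m in SINGLE_RE.finditer(line):
            if any(s <= m.start() < e for s, e in consumed):
                continue
            folded = unquote(m.group(0))
            hits, kind = classify(folded, 1)
            if hits:
                findings.append(Finding(lineno, folded, 1, hits, kind))
    return findings


# Constructed sample page. Only the ProcessStartInfo line is quoted from the report;
# the handler name, the benign greeting and the firewall string are invented for contrast.
SAMPLE = r'''
<%@ Page Language="C#" %>
<script runat="server">
void ConstructedHandler() {
    // line quoted in the report
    ProcessStartInfo ghjf = new ProcessStartInfo(@"cm" + @"d.exe", @"/" + @"C" + uhgl.Text + "");
}
// constructed benign concatenation
string greeting = "Hello, " + "world";
// constructed: an un-obfuscated firewall command held in a literal
string rule = "New-NetFirewallRule -Direction Inbound -Protocol TCP -LocalPort 250 -Action Allow";
</script>
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: [{f.kind}] {f.folded!r} ({f.fragments} fragment(s)) {f.indicators}")
```

Run it over every .aspx/.ashx/.asmx file under a web root; the "obfuscated-indicator" findings are the ones that deserve immediate attention, while "split-literal" hits are context for the reviewer rather than alerts on their own.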

 

The IROPn function uses a PowerShell command to create a new Windows Firewall rule that allows inbound TCP traffic on port 250.

Figure 3 - PowerShell sets the Windows Firewall rule
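A rule like this survives a web shell cleanup unless someone audits the firewall configuration. The following audit is an added example, not part of the report: it parses the text produced by "netsh advfirewall firewall show rule name=all" and flags enabled inbound Allow rules for TCP ports outside an expected baseline. The netsh output below is a constructed sample in that format, "PLACEHOLDER-RULE-NAME" stands in for whatever name the attacker's rule carries (the report does not give it), and the baseline port set is an assumption to tune per host.

```python
# Constructed baseline of inbound TCP ports a web host is expected to expose; adjust per system.
EXPECTED_INBOUND_TCP = {80, 443, 3389}


def parse_netsh_rules(text: str) -> list:
    """Split 'netsh advfirewall firewall show rule' output into one dict per rule."""
    rules, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a record
            if current:
                rules.append(current)
                current = {}
            continue
        if set(line) == {"-"}:            # separator under 'Rule Name:'
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        rules.append(current)
    return rules


def ports_of(value: str):
    """Expand a LocalPort field ('250', '80,443', '5000-5010'); None means 'Any'."""
    if value.lower() == "any":
        return None
    ports = set()
    for part in value.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def find_unexpected_inbound(rules: list, expected=EXPECTED_INBOUND_TCP) -> list:
    """Return (rule name, offending ports) for enabled inbound TCP Allow rules off the baseline."""
    flagged = []
    for r in rules:
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", "Allow"):
            continue
        if r.get("Protocol", "").upper() != "TCP":
            continue
        ports = ports_of(r.get("LocalPort", "Any"))
        if ports is None:
            flagged.append((r["Rule Name"], "any port"))
        elif ports - expected:
            flagged.append((r["Rule Name"], ",".join(str(p) for p in sorted(ports - expected))))
    return flagged


# Constructed sample of netsh output: one outbound rule, one expected inbound rule, one rogue rule.
NETSH_SAMPLE = """
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Action:                               Allow

Rule Name:                            World Wide Web Services (HTTP Traffic-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Protocol:                             TCP
LocalPort:                            80
RemotePort:                           Any
Action:                               Allow

Rule Name:                            PLACEHOLDER-RULE-NAME
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Protocol:                             TCP
LocalPort:                            250
RemotePort:                           Any
Action:                               Allow
"""

if __name__ == "__main__":
    for name, ports in find_unexpected_inbound(parse_netsh_rules(NETSH_SAMPLE)):
        print(f"unexpected inbound allow rule {name!r} on TCP {ports}")
```

For continuous detection rather than a point-in-time audit, rule additions are also logged by Windows itself: event 2004 in the "Windows Firewall With Advanced Security/Firewall" log and event 4946 in the Security log both record a new exception-list rule, so a rule created from the w3wp.exe worker process context is a strong signal.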

 

The FTYuvgh function is defined to handle a form submission: if the target file already exists it deletes it; otherwise it moves the uploaded file to the given path.

Figure 4 - entering the path for the uploaded file

 

The POIj function is designed to accept an input string and print information about all files in a table.

Figure 5 - list files in the table

 

The uiewhfdsvc function is designed to read, delete and download files. It handles three different command events for a GridView, detailed as follows.

1. CommandName "ODJ": reads file contents and updates the GridView.

Figure 6 - CommandName is ODJ

 

2. CommandName "ODD": deletes a directory and its contents.

Figure 7 - CommandName is ODD

 

3. CommandName "ODO": downloads a file.

Figure 8 - CommandName is ODO

 

The IUHj method is designed to recursively delete files and directories within a specified path.

Figure 9 - recursively delete files and directories

IOCs

md5: 7c33812c068c79190554b797dfd46629

sha256: fbb42cf1326ca34c1f4e9149063418bc2136dbf79c46ed40599c479743c12171

 

Conclusion

The web shell from the Sandworm team is very simple but powerful. Like other web shells it can upload and download files, execute system commands and perform basic operations on files and directories; in addition, it can create a new Windows Firewall rule, which lets it bypass the firewall. Combined with its obfuscation techniques, it is a hidden threat as a backdoor.

End.


Support My Work:

**If you found this report helpful, consider supporting my work by buying me a coffee!** Your contribution helps me dedicate more time to malware analysis and creating free resources for the cybersecurity community.  


*I am deeply grateful from the bottom of my heart!*
