The Australian Cyber Security Centre (ACSC) has made a new scanning tool programmed to search malicious web shells in designated networks available to Australian government organizations and its partners.

These offerings became available shortly after Prime Minister Scott Morrison made a statement suggesting there was “a sophisticated state actor” behind the recent cyber-attacks on the computer networks of Australian Parliament House and some political parties.  

The Australian cyber security agency revealed in its press release that it has encountered known malicious web shells in its ongoing investigation. A Web Shell is a script that has capabilities to facilitate remote administration of a computer system, effectively done by uploading a malicious web shell script to the targeted web server.   

It was reported earlier this month that the Department of Parliamentary Services (DPS) had its network sanitized and had enforced mandatory password reset of all users in its networks. The fact that the ACSC has made this tool available, also explains the possible reasons why a mandatory password reset policy has since been enforced at the Australian Parliament House. However, the Prime Minister did comment on the possible failure of the attack saying, “Let me be clear though – there is no evidence of any electoral interference.  We have put in place a number of measures to ensure the integrity of our electoral system”. 

Known Facts About Web Shells Used by Malicious Adversaries 

As per the previous ACSC reports, Web Shell is used to extract confidential data and credentials from targeted networks.  It can also be used as an exploitation vector that infects servers that may not be internet facing but are hosted internally.  

Some of the popular scripting languages used to develop Web Shells are PHP, JS, and ASP.  Aside from providing the ability to the malicious actor to edit, delete, download and upload the file of choice, it also gives the leverage to gain root access to the server.  

Web Shells can be customised to be a vector carrying other malware that can be used to further exploit a specific group of end users by infecting websites that are frequently used by them. Such attacks are called 'watering hole' with the ultimate goal of carrying out such attacks is to gain access to the targeted network, and finally the user’s computer.  

These web shells can also are often also used as a C&C infrastructure in the form of a bot in a botnet. Such strategies are usually used when the malicious actor has the intention of maintaining long term presence in the network.  

It’s important to note that it would require a well-organized, highly skilled team to monitor the networks infected with web shell. Such an operation can only be executed and handled by an APT having political or business motives which could be one of the reasons gaining unauthorised access to the Australian parliament was of interest. 

Some known examples of Web Shells are C99, WSO, China Chopper, and B374K. Some of these web shells such as China Choppers have been attributed to Chinese hacker groups and other malicious actors such as APTs who are well known for breaching networks and staying undetected for an extended period of time.

Red Piranha is one of the few security organisations with ISO 27001 and CREST Certifications to demonstrate that our processes, tools, and systems adhere to a recognised framework. Get a Vulnerability Assessment and Penetration Testing done for your organisation today.

Malware Samples Posted by ACSC on Virus Total 

Malware Sample 1

Malware Sample 2 

Malware Sample 3

Malware Sample 4

Malware Sample 5

Malware Sample 6

Malware Sample 7

Malware Sample 8

Date Published
March 05, 2019