Hackers Use Web Shell Script to Take Full Control of IIS Servers Remotely

The FortiGuard Incident Response Team (FGIR) recently discovered a heavily obfuscated ASPX-based web shell, named “UpdateChecker.aspx,” that gave threat actors complete remote control over Microsoft Windows systems running Internet Information Services (IIS).

This finding forms part of a broader campaign targeting critical national infrastructure (CNI) in the Middle East, outlined in detail in FGIR’s latest report.

Obfuscated ‘UpdateChecker.aspx’ Web Shell

The UpdateChecker.aspx web shell, uncovered on a compromised IIS server, demonstrates a high degree of technical sophistication.

Attackers took steps to conceal the shell’s functionality by embedding highly obfuscated C# code within the ASPX file, rendering traditional code analysis ineffective.

[Figure: View of the content of the ASPX file with obfuscated C# code.]

Reports indicate that all method, class, and variable names within the script were randomly generated and encoded using Unicode, while constant values such as strings and numbers were further encrypted or encoded.

This multi-layered obfuscation not only slows down reverse engineering efforts but also helps attackers avoid detection by standard security tools.

Upon further analysis, Fortinet researchers de-obfuscated the shell and identified the primary entry point in the Page_Load() function, which executes whenever malicious commands arrive at the server via HTTP POST requests.

The script meticulously checks that POST requests use the ‘application/octet-stream’ content type and rejects all others, adding an additional layer of operational security.

Communication between attacker and shell is further protected by encrypting the request payload prior to Base64 encoding.

[Figure: Base64-decoded POST body data.]

After transmission, the shell decodes and decrypts this payload using a hardcoded key, which then reveals a secondary 15-byte key used for further decrypting the attacker’s commands, all of which are packed as JSON objects.

Leveraged in Middle East CNI Attack

The remote command structure is modular and comprehensive, enabling the attacker to carry out a wide array of tasks. The web shell exposes three core modules: Base, CommandShell, and FileManager.

The Base module can return detailed server and application information, including software versions, hostnames, IP addresses, and active user contexts, providing adversaries with the intelligence required to tailor further exploitation.

According to the report, CommandShell empowers adversaries to execute arbitrary Windows commands under the security context of the IIS worker process, often running with significant privileges.

Meanwhile, the FileManager module supports a vast array of file and directory operations, from creating, copying, and deleting files and folders to searching for content, manipulating file attributes and timestamps, and replacing file data.

This breadth of features grants attackers persistent access and total operational control of the affected system. To showcase the web shell’s capabilities, Fortinet analysts engineered a Python-based simulation script that successfully replicated attacker behavior.

Through successive test runs, they were able to remotely exfiltrate server metadata, identify the security context (‘whoami’ command), and systematically create, modify, and remove files and directories on the victim system, all with real-time feedback and confirmation, demonstrating the shell’s utility for both espionage and destructive operations.

This incident underscores the ongoing danger posed by obfuscated web shells in enterprise web environments.

Such tools are difficult to manually discover, especially if buried under layers of encryption and code scrambling.

However, Fortinet’s signature-based AVC (Antivirus) technologies, as well as its dedicated FortiWeb application firewall, have been updated to detect and block UpdateChecker.aspx, identified under the signature ASP/WebShell.32BC!tr.

The researchers urge organizations, especially those running exposed Microsoft IIS servers, to ensure their security solutions are fully updated and to maintain vigilance against anomalous POST traffic containing encoded payloads.
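As an added defender-side example, not code from the report or from this article, the following Python script hunts an IIS web root for ASPX files showing the obfuscation traits described above (identifiers written as Unicode escapes or non-ASCII letters, long Base64-looking string constants, a check for the application/octet-stream content type) and compares each file's SHA-256 against the published IOC. The scoring weights, the threshold and the two embedded sample page bodies are constructed assumptions.

```python
import hashlib
import re
from pathlib import Path

# SHA-256 of UpdateChecker.aspx as published in the report (the page's only IOC).
KNOWN_BAD_SHA256 = {"a841c8179ac48bdc2ebf1e646d4f552d9cd02fc79207fdc2fc783889049f32bc"}
# Traits the report describes: identifiers written as Unicode escapes or non-ASCII
# letters, long Base64-looking constants, and a content-type check on POST bodies.
UNICODE_ESCAPE = re.compile(r"\\u[0-9a-fA-F]{4}")
IDENTIFIER = re.compile(r"[^\W\d]\w*")  # \w is Unicode-aware for str patterns
LONG_B64_LITERAL = re.compile(r'"[A-Za-z0-9+/]{48,}={0,2}"')
OCTET_STREAM = re.compile(r"application/octet-stream", re.IGNORECASE)
SUSPICION_THRESHOLD = 10  # constructed weighting; tune against your own estate

def score_aspx(data: bytes) -> dict:
    """Score one ASPX file body; the 'suspicious' key is the verdict."""
    source = data.decode("utf-8", errors="replace")
    digest = hashlib.sha256(data).hexdigest()
    findings = {
        "sha256": digest,
        "known_bad_hash": digest in KNOWN_BAD_SHA256,
        "unicode_escapes": len(UNICODE_ESCAPE.findall(source)),
        "non_ascii_identifiers": sum(not i.isascii() for i in IDENTIFIER.findall(source)),
        "long_b64_literals": len(LONG_B64_LITERAL.findall(source)),
        "checks_octet_stream": bool(OCTET_STREAM.search(source)),
    }
    findings["score"] = (findings["unicode_escapes"] + findings["non_ascii_identifiers"]
                         + 5 * findings["long_b64_literals"]
                         + 3 * findings["checks_octet_stream"])
    findings["suspicious"] = findings["known_bad_hash"] or findings["score"] >= SUSPICION_THRESHOLD
    return findings

def scan_webroot(root: str) -> list:
    """Score every .aspx under root; return (path, findings) for the suspicious ones."""
    hits = []
    for path in Path(root).rglob("*.aspx"):
        findings = score_aspx(path.read_bytes())
        if findings["suspicious"]:
            hits.append((str(path), findings))
    return hits

# Constructed sample bodies (not the real shell): one mimicking the described
# obfuscation style and one ordinary page.
SAMPLE_OBFUSCATED = b'''<%@ Page Language="C#" %><script runat="server">
class \\u0410\\u0411 { string \\u0412\\u0413 = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk="; void \\u0414\\u0415(string \\u0416) { } }
void Page_Load(object s, EventArgs e) { if (Request.ContentType != "application/octet-stream") return; }
</script>'''
SAMPLE_BENIGN = b'''<%@ Page Language="C#" %><script runat="server">
void Page_Load(object sender, EventArgs e) { Label1.Text = DateTime.Now.ToString(); }</script>'''
```

Run `scan_webroot(r"C:\inetpub\wwwroot")` on the server and review every hit; a hash match is conclusive, while a high heuristic score only marks a file for manual inspection.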

Indicators of Compromise (IOC)

IOC Type: File SHA-256
Value: A841C8179AC48BDC2EBF1E646D4F552D9CD02FC79207FDC2FC783889049F32BC
Description: UpdateChecker.aspx


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
