Red Hot Cyber
Fortinet Discovers a New Obfuscated Web Shell. Analysis of UpdateChecker.aspx

8 August 2025 07:24

The FortiGuard Labs team has published a detailed analysis of a heavily obfuscated web shell used to attack critical infrastructure in the Middle East. The research focuses on the UpdateChecker.aspx script running on the Microsoft IIS platform. It is implemented in C# as an ASPX page and hides its actual content behind a layer of encoded and encrypted code. All variable and class method names were randomly generated and then encoded in Unicode. All constants, including strings and numbers, were encrypted or scrambled.

During the analysis, the experts deobfuscated the code and replaced the random names with human-readable ones. The main Page_Load function runs when a command arrives from the attacker. The shell is controlled via HTTP POST requests whose Content-Type header is set to application/octet-stream; any other request is rejected and an error page is returned.

The request body is Base64-encoded; the shell decodes it and then decrypts it in multiple stages. The first 16 bytes contain the encrypted key, which is decoded to produce 15 key bytes and one padding byte. This key is used to decrypt the rest of the command data. The web shell's response is likewise formatted as JSON, then encrypted and re-encoded in Base64.
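As an added example, not part of the original article or of Fortinet's analysis, the following Python heuristic flags requests that match the traffic profile described above: a POST to an .aspx page with Content-Type application/octet-stream and a Base64 body whose decoded form is at least 16 bytes long, the size of the key block. The sample requests, the indicator names and the key-block contents are constructed for illustration; the shell's actual decryption scheme is not described on the page and is not reproduced here.

```python
import base64
import binascii
import re

# Characteristics taken from the published description of the web shell's
# traffic: HTTP POST, Content-Type application/octet-stream, and a Base64 body
# whose decoded form begins with a 16-byte key block.
KEY_BLOCK_LEN = 16
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_body(body: str):
    """Return the decoded bytes if the body is strictly valid Base64, else None."""
    stripped = body.strip()
    if not stripped or len(stripped) % 4 != 0 or not B64_RE.match(stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def assess_request(method: str, path: str, headers: dict, body: str):
    """Return the list of matched indicators for one request (empty = not suspicious)."""
    indicators = []
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    if method.upper() == "POST" and path.lower().endswith(".aspx"):
        indicators.append("post-to-aspx")
    if ctype == "application/octet-stream":
        indicators.append("octet-stream-content-type")
    decoded = decode_body(body)
    if decoded is not None and len(decoded) >= KEY_BLOCK_LEN:
        indicators.append("base64-body-with-key-block")
    return indicators


def is_webshell_like(method: str, path: str, headers: dict, body: str) -> bool:
    """All three indicators must match, mirroring the shell's own acceptance rule."""
    return len(assess_request(method, path, headers, body)) == 3


def scan(requests):
    """Return the ids of the requests that match the full profile."""
    return [
        r["id"]
        for r in requests
        if is_webshell_like(r["method"], r["path"], r["headers"], r["body"])
    ]


# Constructed sample traffic (hypothetical). The first request imitates the
# described shape: a fake 16-byte key block followed by an opaque blob.
FAKE_SHELL_BODY = base64.b64encode(
    b"\x00" * KEY_BLOCK_LEN + b"<constructed encrypted command blob>"
).decode()

SAMPLE_REQUESTS = [
    {"id": "req-1", "method": "POST", "path": "/UpdateChecker.aspx",
     "headers": {"Content-Type": "application/octet-stream"},
     "body": FAKE_SHELL_BODY},
    {"id": "req-2", "method": "POST", "path": "/login.aspx",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=alice&pass=secret"},
    {"id": "req-3", "method": "GET", "path": "/UpdateChecker.aspx",
     "headers": {}, "body": ""},
    {"id": "req-4", "method": "POST", "path": "/upload.ashx",
     "headers": {"Content-Type": "application/octet-stream"},
     "body": "PNG-binary-data\x00not base64"},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["id"], assess_request(r["method"], r["path"], r["headers"], r["body"]))
    print("flagged:", scan(SAMPLE_REQUESTS))
```

In practice the input would come from a request-logging module, a WAF hook or full-packet capture, since standard IIS logs do not record the body; the body check is deliberately loose and should be combined with the indicators published in the Fortinet report rather than used alone.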

The script supports three main system management modules. The Base module returns server information, the CommandShell module executes system commands in a specified working directory, and the FileManager module allows interaction with files and directories, including creating, copying, moving, and deleting files and directories, as well as editing metadata and viewing the disk list and the web root directory.

To illustrate this, Fortinet developed a Python script that simulates an attacker sending commands to the web shell and displays the responses. This allowed them to demonstrate the shell's capabilities, including executing commands, handling files, and retrieving various information from the server.

Analyzing UpdateChecker.aspx revealed the complex architecture of the web shell and showed how attackers control the system stealthily and with encrypted traffic: because the script packages commands and responses in JSON, sending commands and receiving responses can easily be automated.


Editorial Staff

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.