Web Shell Deployment in IIS Compromise Enables Data Theft
A Trend Micro investigation into a customer incident revealed an attack chain that began with a web shell intrusion on a public-facing Internet Information Services (IIS) server. Requests to the uploaded web shell were handled by the IIS worker process (w3wp.exe), which let the attacker execute commands through cmd.exe and powershell.exe. Trend Micro reports: "The adversary issued POST requests to the following web shell “E:\azure\azureapps\test.****\ebiller\Email_templates\cmd.aspx”, which caused the IIS worker process (w3wp.exe) to spawn “cmd.exe” and “powershell.exe.” These commands facilitated reconnaissance activities, with native Windows commands to retrieve system information with 'whoami' and 'systeminfo.'" Persistence was established by creating a new user account and changing an existing account's password. The attackers also used masquerading, renaming files to evade detection.
Advancing further toward their objective, the attackers downloaded multiple payloads, including the AnyDesk remote access software, which they installed with the “--start-with-win” command-line argument so that it persisted across restarts. Other malicious files, such as rev.bat and ngrok.exe, were dropped into the 'C:\Users\Public' directory. The attackers used an encoded PowerShell command to establish a reverse TCP shell for command-and-control (C2), connecting to an external IP address. Data exfiltration relied on the 7-Zip archiving tool: the web server's working directory was archived with the command 'C:\Program Files\7-zip\7z.exe' a -r _x89z7a.zip '.\*'. The archive was then retrieved via a GET request and subsequently deleted to obscure evidence of the attack.
Trend Micro's analysis highlights the capabilities of the web shells used, including variants capable of arbitrary file manipulation, command execution, and uploading additional malicious components. For example, the web shell “cmd2.aspx” leveraged powershell.exe for executing commands, while “0x02.exe” facilitated remote code execution and privilege escalation via named pipes and RPC. The attackers also targeted transactional files and payment data, exfiltrating sensitive information for potential exploitation.
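The chain described above (w3wp.exe spawning cmd.exe and powershell.exe, encoded PowerShell, 7-Zip staging from the web worker, and renamed binaries) leaves a recognisable parent/child process pattern. The following detection logic is an added example, not code from Trend Micro or the original report; it runs over constructed Sysmon-style process-creation records (field names follow Sysmon Event ID 1, the sample events and the `ProcEvent` class are hypothetical).

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent_image: str        # Sysmon ParentImage
    image: str               # Sysmon Image
    original_file_name: str  # Sysmon OriginalFileName, taken from the PE version info
    command_line: str        # Sysmon CommandLine

WEB_WORKERS = {"w3wp.exe"}
# Interpreters and tools the write-up shows being launched from the IIS worker.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "7z.exe", "ngrok.exe", "anydesk.exe"}
ENCODED_FLAGS = (" -enc ", " -encodedcommand ", " -e ", " -ec ")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (reason, child image name) findings for the behaviours described above."""
    findings = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        cmd = f" {ev.command_line.lower()} "
        # Masquerading: on-disk name differs from the name compiled into the binary.
        if ev.original_file_name and ev.original_file_name.lower() != child:
            findings.append(("renamed binary (masquerading)", child))
        if parent not in WEB_WORKERS:
            continue
        # Web shell signature: the IIS worker process launching a shell or tool.
        if child in SUSPICIOUS_CHILDREN:
            findings.append((f"{parent} spawned {child}", child))
        if child == "powershell.exe" and any(f in cmd for f in ENCODED_FLAGS):
            findings.append(("encoded PowerShell from web worker", child))
        if child == "7z.exe" and " a " in cmd:
            findings.append(("archive staged by web worker", child))
    return findings

# Constructed sample telemetry (hypothetical, not the incident's own events).
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    ProcEvent(W3WP, r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd.exe /c whoami"),
    ProcEvent(W3WP, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "PowerShell.EXE", "powershell.exe -nop -w hidden -enc AAAA"),
    ProcEvent(W3WP, r"C:\Program Files\7-zip\7z.exe", "7z.exe",
              r'"C:\Program Files\7-zip\7z.exe" a -r _x89z7a.zip ".\*"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\Public\svchost.exe", "ngrok.exe", "svchost.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE", "notepad.exe"),
]

if __name__ == "__main__":
    for reason, image in detect(SAMPLE_EVENTS):
        print(f"ALERT: {reason} ({image})")
```

Pairing these process findings with the IIS access log (POST requests to an unexpected .aspx path at the same timestamps) is what ties the spawned shells back to the web shell itself.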