APT44’s ASPX Web Shell Utilizes Obfuscation Techniques and Firewall Rule Manipulation to Evade Detection

The Sandworm Team, a destructive threat group linked to Russia’s military intelligence, adopted a new approach in 2024 by deploying an ASPX web shell. Although simple, the web shell supports a range of malicious activity: executing system commands, managing files, and creating firewall rules. The emergence of this backdoor shows that APT groups are paying increased attention to web security. Affected: web security, IT infrastructure, cybersecurity

Key points:

  • The Sandworm Team is attributed to Russia’s GRU military unit 74455.
  • A new ASPX web shell discovered in 2024 reflects a growing focus on web security among APT groups.
  • The web shell can execute system commands and manage firewall rules.
  • The web shell’s code uses obfuscation techniques to evade detection.
  • It can recursively delete files and directories, facilitating deeper access into systems.

MITRE Techniques:

  • Command and Control (T1071.001): The web shell accepts system commands as input and returns their output.
  • Exfiltration over Command and Control Channel (T1041): Files are uploaded and downloaded through the web shell.
  • Remote File Copy (T1105): The web shell can execute commands to manage files, including moving them to different paths.
  • Firewall Bypass (T1571): Creating a new Windows Firewall rule to allow inbound traffic on TCP port 250.
  • File and Directory Manipulation (T1070.004): The web shell can read, delete, and manage files recursively.
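Detection logic for the behaviours listed above (a shell or netsh spawned from the IIS worker process, a firewall rule allowing inbound TCP 250, and a recursive delete), as an added example that is not from the original report; the sample process-creation events, the rule name "Update", and the function names are constructed assumptions:

```python
import re

# Constructed Sysmon-style process-creation events (not from the report).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Update" dir=in '
                "action=allow protocol=TCP localport=250"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall firewall show rule name=all"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c rmdir /s /q C:\\inetpub\\wwwroot\\temp"},
]

WEB_SERVER_PARENTS = {"w3wp.exe"}            # IIS worker process
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "netsh.exe"}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_inbound_allow_rule(cmdline):
    """True when the command line adds an inbound allow firewall rule (any port)."""
    c = cmdline.lower()
    return "advfirewall" in c and "add rule" in c and "dir=in" in c and "action=allow" in c

def rule_port(cmdline):
    m = re.search(r"localport=(\d+)", cmdline.lower())
    return int(m.group(1)) if m else None

def classify(event):
    """Return the list of detection labels that apply to one event."""
    findings = []
    parent, image = basename(event["parent"]), basename(event["image"])
    if parent in WEB_SERVER_PARENTS and image in SHELL_IMAGES:
        findings.append("shell_from_webserver")
    if is_inbound_allow_rule(event["cmdline"]):
        findings.append("inbound_allow_rule")
        if rule_port(event["cmdline"]) == 250:      # port from the report
            findings.append("port_250_rule")
    if "rmdir /s" in event["cmdline"].lower() and parent in WEB_SERVER_PARENTS:
        findings.append("recursive_delete_from_webserver")
    return findings

def scan(events):
    """Return (cmdline, labels) for every event that triggered at least one label."""
    return [(e["cmdline"], classify(e)) for e in events if classify(e)]
```

In production the same checks would run over real Sysmon Event ID 1 or Windows Security 4688 records rather than the constructed list.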

Indicators of Compromise:

  • [MD5] 7c33812c068c79190554b797dfd46629
  • [SHA-256] fbb42cf1326ca34c1f4e9149063418bc2136dbf79c46ed40599c479743c12171

Full Story: https://malwareanalysisspace.blogspot.com/2025/02/the-apt44-known-as-sandworm-used-simple.html