Malware analysis

CISA report: Iranian web shells (and other MARs)

February 4, 2021 by Beth Osborne


The Cybersecurity & Infrastructure Security Agency (CISA) published a Malware Analysis Report (AR20-259A) regarding MAR-10297887-1.v1 – Iranian Web Shells. The report provides insight on a known Iranian cyber actor targeting industries (information technology, healthcare, financial and insurance companies) across the US. The threat report details the cyber actor’s intensive effort to attack the virtual private network (VPN) and remote work infrastructure of the US. 

In this article, we’re unpacking the AR20-259A report for cybersecurity professionals.

CVEs led to access

To begin the discussion, you’ll need to understand the process of the cyber actor. First, the attacker seizes on known Common Vulnerabilities and Exposures (CVEs) relating to three platforms: F5 load balancers, Juniper Pulse Secure and Citrix.

What are these CVEs?

F5 vulnerability

CVE-2020-5902: This vulnerability involves TMUI (Traffic Management User Interface), which is an essential configuration utility within the system. Both authenticated and non-authenticated attackers can exploit this issue, allowing the threat actor to execute system commands and change systems in many ways. F5 put out a release in June regarding this, warning of compromise and urging users to install the latest version to protect BIG-IP.

Pulse Secure vulnerabilities

Two vulnerabilities impact Pulse Secure. CVE-2019-11539 allows an authenticated attacker to use the administrative interface to perform command injection. If successful, the threat actor can modify systems and install malware. The National Institute of Standards and Technology (NIST) rated it as high severity.

CVE-2019-11510 enables an unauthenticated attacker to send a Uniform Resource Identifier (URI) request to a vulnerable system. The attacker can then access usernames and passwords. NIST marked this as critical severity.

Citrix vulnerability

CVE-2019-19781: When Citrix products cannot handle a specified web request, remote code execution or a directory traversal event occurs. It’s exploitable by bad actors, who can gain access to internal network resources. Citrix advises users to upgrade to a fixed build or apply a provided mitigation.

Post-exploitation and web shells

Post-exploitation, the individual uses open source web shells and/or modified versions of the web shells to further penetrate the victim’s network. Those web shells are ChunkyTuna, Tiny and China Chopper. 

What is a web shell? 

A web shell is malicious code or a script on a server that enables remote administration. An attacker uses this method to maintain persistent access on an already compromised web application. The web shell itself doesn’t attack or exploit. It’s the second step, or post-exploitation.

Web shells can be written in any language, but PHP is the most common. Web shells are typically not detected by antivirus or anti-malware software because they don’t use typical executable file types. 

The assessment found 18 malicious files, including an application service provider (ASP) application that listens for incoming Hypertext Transfer Protocol (HTTP) connections from a remote location. Using the China Chopper web shell enables the operator to pass and execute JavaScript code on a victim’s system. Additionally, the operation can implement command and control (C2) capabilities, such as enumerating directories, uploading and activating payloads and exfiltrating data. 

The report also identifies a program data (PDB) file and a binary that is a compiled version of the open-source project FRP. FRP lets an infiltrator tunnel various connection types to a remote operator outside of the victim’s network perimeter. The open-source project KeeThief was found as well. Such code affords operators access to encrypted password credentials stored by Microsoft’s password management software, KeePass.

All methods were used in concert by the threat actor. The conclusion is that the perpetrator had constant remote access to networks, navigating through and capturing sensitive password data to then redirect accounts out of the victim’s network. 

Detailed findings

The report goes through each malicious file. It describes the contents of each file, defining it as a malicious web shell and what the web shell enables the threat actor to do. Extracted code from the Iranian web shells is also part of the report. Below are some specific points for each file:

  • 553f355f62c4419b808e078f3f71f401f187a9ac496b785e81fbf087e02dc13f (trojanwebshell): The code within the file decodes and executes data by means of a JavaScript “eval” function. It’s believed to be a component of the China Chopper web shell.
  • 134ef25d48b8873514f84a0922ec9d835890bda16cc7648372e014c1f90a4e13 (trojanwebshell): The code pulls JavaScript from an existing “Request Object.” It, too, is part of the China Chopper web shell.
  • 17f5b6d74759620f14902a5cc8bba8753df8a17da33f4ea126b98c7e2427e79c (webshell): This is a file generated from the compilation of an ASP.NET application. It’s not executable but should be treated as an indicator of compromise (IOC).
  • 5e0457815554574ea74b8973fc6290bd1344aac06c1318606ea4650c21081f0a (webshell): The report identifies this as a malicious web shell that is a variant of the China Chopper web shell.
  • 99344d862e9de0210f4056bdf4b8045ab9eabe1a62464d6513ed16208ab068fc (webshell): This implant allowed the remote operator to execute JavaScript payloads. It contained malicious JavaScript code and is a variant of the China Chopper web shell.
  • 28bc161df8406a6acf4b052a986e29ad1f60cbb19983fc17931983261b18d4ea (webshell): This is the PDB file referenced and correlates to an application called “App_Web_tcnma5bs.dll.”
  • 55b9264bc1f665acd94d922dd13522f48f2c88b02b587e50d5665b72855aa71c (proxywebshell): The file is a compiled version of FRP. It works as an administrative tool that provides access to systems outside of the victim’s networks. 
  • f7ddf2651faf81d2d5fe699f81315bb2cf72bb14d74a1c891424c6afad544bde (webshell): This is a configuration file used by the FRP binary. 
  • 913ee2b048093162ff54dca050024f07200cdeaf13ffd56c449acb9e6d5fbda0 (Trojan): This file is a malicious PowerShell script and decrypts KeePass files to steal victim credentials.
  • 10836bda2d6a10791eb9541ad9ef1cb608aa9905766c28037950664cd64c6334 (trojan): This file is a Windows executable that uses .NET. It’s a KeeThief application that aids in trying to access and decrypt passwords.
  • 51e9cadeab1b33260c4ccb2c63f5860a77dd58541d7fb0840ad52d0a1abedd21 (webshell): This file has two PHP code blocks. The first extracts information from a dictionary data structure to enable remote operators. The second parses the variable $_GET and allows a remote operator to execute commands within the compromised system.
  • 547440bd037a149ac7ac58bc5aaa65d079537e7a87dc93bb92edf0de7648761c (backdoortrojanwebshell): This file can extract data within a Request object to decode data in redacted parameters. The assumption is that it’s a malicious JavaScript payload.
  • b443032aa281440017d1dcc3ae0a70d1d30d4f2f2b3f064f95f285e243559249 (backdoor): This file is a malicious PHP script and can retrieve data from the “k0” key. The data can then be executed within the compromised system and was also part of remote operations.
  • 2944ea7d0045a1d64f3584e5803cbf3a026bd0e22bdf2e4ba1d28c6ad9e57849 (webshell): This file contains only bash shell scripting code. It can modify NetScaler devices and clear out all files related to it. 
  • b36288233531f7ac2e472a689ff99cb0f2ac8cba1b6ea975a9a80c1aa7f6a02a (backdoortrojanwebshell): This file has a PHP script that can receive a web POST, then extract and Base64-decode the data.
  • 8c9aeedeea37ee88c84b170d9cd6c6d83581e3a57671be0ba19f2c8a17bd29f3 (remote-access-trojanwebshell): This file is a modification of ChunkyTuna and enables remote operator C2 activities. 
  • 3b14d5eafcdb9e90326cb4146979706c85a58be3fc4706779f0ae8d744d9e63c (webshell): This script listens for incoming HTTP GET connections. Its design is to assist remote operators to add accounts to a compromised NetScaler device.
  • 4a1fc30ffeee48f213e256fa7bff77d8abd8acd81e3b2eb3b9c40bd3e2b04756 (backdoortrojanwebshell): This malicious PHP script accepts POST requests and extracts data. Remote operators can then execute additional PHP payloads.
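
As an added example (not code from the CISA report or from this article's author), here is a Python sweep of a web root that flags files whose SHA-256 appears in the list above. Because the actor also used modified web shells, whose hashes will differ, it also flags script files that pass request data to an eval-style call. The regex rules, the extension set and the function names are assumptions made for illustration.

```python
import hashlib
import re
import sys
from pathlib import Path

# SHA-256 values copied from the file list above (a subset; add the rest).
REPORT_SHA256 = {
    "553f355f62c4419b808e078f3f71f401f187a9ac496b785e81fbf087e02dc13f",
    "b443032aa281440017d1dcc3ae0a70d1d30d4f2f2b3f064f95f285e243559249",
    "4a1fc30ffeee48f213e256fa7bff77d8abd8acd81e3b2eb3b9c40bd3e2b04756",
}

# Assumed heuristics (not signatures from the report) for the behaviour the
# list describes: request data handed to an eval-style call in a script.
SOURCE = rb"(?:\$_(?:GET|POST|REQUEST|COOKIE)|Request\s*(?:\.\s*\w+\s*)?[\[(])"
SINK = rb"\b(?:eval|assert|system|passthru|shell_exec|exec)\s*\("
RULES = {
    "request-data-to-exec": re.compile(SINK + rb"[^;\n]{0,200}?" + SOURCE, re.I),
    "base64-decoded-request": re.compile(
        rb"base64_decode\s*\(\s*\$_(?:GET|POST|REQUEST)", re.I),
}
SCRIPT_EXT = {".php", ".asp", ".aspx", ".ashx", ".jsp"}

def scan_file(path, known_hashes=REPORT_SHA256):
    """Return finding labels for one file; an empty list means no match."""
    path = Path(path)
    data = path.read_bytes()
    findings = []
    if hashlib.sha256(data).hexdigest() in known_hashes:
        findings.append("sha256-in-report")
    if path.suffix.lower() in SCRIPT_EXT:
        findings += [name for name, rx in RULES.items() if rx.search(data)]
    return findings

def scan_tree(root, known_hashes=REPORT_SHA256):
    """Walk a web root and map each flagged file path to its findings."""
    results = {}
    for p in Path(root).rglob("*"):
        try:
            hits = scan_file(p, known_hashes) if p.is_file() else []
        except OSError:  # unreadable file: skip it, do not abort the sweep
            continue
        if hits:
            results[str(p)] = hits
    return results

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan_tree(target).items()):
        print(f"{path}\t{', '.join(hits)}")
```

Pass the web root path as the only argument. A hash hit is high confidence, while a heuristic hit needs manual review because legitimate code can match the same patterns.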

What can you do to protect against Iranian web shells?

The most important step any IT team can take is to install the patches available for the CVEs. Applying these patches is the way to avoid becoming a victim of Iranian web shells. See the links below for more information.

Pulse Secure patches

Citrix patches

Final takeaways regarding AR20-259A

At the end of the AR20-259A, CISA provides a list of recommendations that organizations should implement to bolster their security posture. These best practices can protect against Iranian web shells or those from other threat actors that use similar tactics. Here are some of their suggestions, along with other security must-haves for business.

  • Keep antivirus up to date across the entire network.
  • Always patch operating systems—even if it seems inconsequential.
  • Disable file and printer sharing services, or alternatively, use passwords and authentication.
  • Restrict permissions internally relating to the ability to install new software applications (having a documented procedure on this is helpful).
  • Make strong passwords mandatory and prompt users to update them regularly.
  • Train all employees on phishing techniques and why they should never click or download attachments from unknown senders.
  • Install personal firewalls that don’t allow unsolicited connection requests.
  • Continually scan networks, software downloads, and devices for suspicious files, codes and so on.
  • Blacklist websites known to be malicious so that users cannot access them.

Protecting against Iranian web shells requires proactive and vigilant protections

The best way to protect against Iranian web shells or similar threats is to have a proactive approach to cybersecurity and continuous vigilance against cyberattacks. Awareness and anti-phishing training and upskilling team members with certification courses are critical in such an environment. Learn more about implementing these things in your organization today by viewing our capabilities.



Malware Analysis Report (AR20-259A), Cybersecurity & Infrastructure Security Agency

CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance, Citrix

Citrix SD-WAN (NetScaler SD-WAN), Citrix

Citrix ADC (NetScaler ADC), Citrix

Citrix Gateway (NetScaler Unified Gateway), Citrix

Mitigation Steps for CVE-2019-19781, Citrix

Protect Against the BIG-IP TMUI Vulnerability CVE-2020-5902, F5

SA44101 – 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX, PulseSecure

K52145254: TMUI RCE vulnerability CVE-2020-5902, F5

CVE-2019-11539 Detail, NIST

CVE-2019-11510 Detail, NIST
