{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/webshell/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Warlock"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["webshell","ransomware","tunneling"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief describes a Warlock attack, as detailed in a Trend Micro analysis, involving the use of web shells, tunneling, and ransomware deployment. The Warlock group compromises systems by leveraging web shells for initial access and establishing tunnels for persistent access and command and control. This access is then used to deploy ransomware, encrypting critical data and demanding ransom payments from victims. The specific ransomware family and web shell variants employed are not detailed in the provided context, but the overall attack flow is consistent with financially motivated cybercrime operations. Defenders should prioritize detection of web shell activity, unauthorized tunneling, and ransomware execution to mitigate the risk of compromise by the Warlock group.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to the target system by exploiting vulnerabilities to deploy a web shell (details of the vulnerability are not provided).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWeb Shell Execution:\u003c/strong\u003e The attacker executes commands through the web shell to perform reconnaissance and identify valuable targets within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTunnel Establishment:\u003c/strong\u003e A tunnel is established to maintain persistent access and bypass security controls (specific tunneling technology not provided).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker leverages the established tunnel to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to harvest credentials to gain elevated privileges and access to critical resources (specific tools/techniques not provided).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansomware Deployment:\u003c/strong\u003e The attacker deploys ransomware across the network, encrypting files and rendering systems unusable.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansom Demand:\u003c/strong\u003e A ransom note is left on the compromised systems, demanding payment for decryption keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Possible):\u003c/strong\u003e Prior to encryption, the attacker may exfiltrate sensitive data to further pressure victims into paying the ransom (not explicitly stated, but a common practice).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Warlock attack results in significant disruption to victim organizations through ransomware deployment. Systems are rendered unusable due to encryption, potentially leading to operational downtime and financial losses. If data exfiltration occurs, the confidentiality of sensitive information is also compromised, increasing the potential for reputational damage and legal liabilities. The lack of specific victim counts and sector targeting data in the provided context limits a comprehensive impact assessment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy a web shell detection rule (see below) to identify suspicious web shell activity on web servers based on process creation.\u003c/li\u003e\n\u003cli\u003eImplement a network monitoring rule (see below) to detect unusual tunneling activity based on network connections from web servers.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring to detect unauthorized modifications to web server files that could indicate web shell installation (reference file_event log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T05:26:28Z","date_published":"2026-03-19T05:26:28Z","id":"/briefs/2024-05-warlock-webshell-ransomware/","summary":"The Warlock group utilizes web shells and tunneling to deploy ransomware within compromised environments, impacting victim data confidentiality and availability.","title":"Warlock Group Deploys Web Shells, Tunnels, and Ransomware","url":"https://feed.craftedsignal.io/briefs/2024-05-warlock-webshell-ransomware/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2023-50164"}],"_cs_exploited":false,"_cs_products":["Struts 2"],"_cs_severities":["high"],"_cs_tags":["apache-struts","webshell","cve-2023-50164","initial-access","persistence","command-and-control"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eCVE-2023-50164 is a critical path traversal vulnerability affecting Apache Struts 2 versions prior to 2.5.33 or 6.3.0.2. The vulnerability resides in the file upload functionality, allowing attackers to manipulate file upload parameters and write malicious files, such as JSP web shells, to arbitrary locations on the web server. Successful exploitation leads to remote code execution. Detection focuses on correlating suspicious file upload requests to Struts endpoints with subsequent creation of JSP files in web-accessible directories, indicating successful exploitation. The attack involves crafting malicious multipart/form-data POST requests with WebKitFormBoundary to Struts .action upload endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a malicious HTTP POST request to a vulnerable Apache Struts endpoint (e.g., \u003ccode\u003e*.action\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe HTTP POST request contains a \u003ccode\u003emultipart/form-data\u003c/code\u003e content type with a \u003ccode\u003eWebKitFormBoundary\u003c/code\u003e string.\u003c/li\u003e\n\u003cli\u003eThe request exploits CVE-2023-50164, leveraging a path traversal vulnerability in the file upload process.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses security controls due to the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious JSP file (web shell) to a web-accessible directory, such as Tomcat\u0026rsquo;s \u003ccode\u003ewebapps\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eA Java process (e.g., Tomcat) creates the JSP web shell file in the webapps directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the deployed web shell via HTTP.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the server through the web shell.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-50164 allows attackers to achieve remote code execution on the affected server. This can lead to complete system compromise, data exfiltration, deployment of malware, and lateral movement within the network. The vulnerability affects Apache Struts 2 applications using the file upload feature, potentially impacting numerous organizations across various sectors using the framework.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Apache Struts CVE-2023-50164 Webshell Creation\u0026rdquo; to detect JSP file creation events in webapps directories following suspicious POST requests as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Apache Struts CVE-2023-50164 Suspicious POST Request\u0026rdquo; to detect suspicious POST requests to Struts endpoints with \u003ccode\u003emultipart/form-data\u003c/code\u003e content containing \u003ccode\u003eWebKitFormBoundary\u003c/code\u003e, as indicated in the Attack Chain.\u003c/li\u003e\n\u003cli\u003ePatch Apache Struts 2 to version 2.5.33, 6.3.0.2, or higher to remediate the CVE-2023-50164 vulnerability, as noted in the References.\u003c/li\u003e\n\u003cli\u003eEnable HTTP request body capture in network traffic monitoring tools to detect the multipart/form-data content containing WebKitFormBoundary indicators, as required by the rule setup.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-05T18:22:00Z","date_published":"2024-01-05T18:22:00Z","id":"/briefs/2024-01-apache-struts-cve-2023-50164-webshell/","summary":"Exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2, is detected by identifying malicious multipart/form-data POST requests with WebKitFormBoundary targeting Struts .action upload endpoints, followed by JSP web shell creation in Tomcat's webapps directories, indicating remote code execution.","title":"Apache Struts CVE-2023-50164 Exploitation Leading to Web Shell Deployment","url":"https://feed.craftedsignal.io/briefs/2024-01-apache-struts-cve-2023-50164-webshell/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2022-50993"}],"_cs_exploited":false,"_cs_products":["E-office (\u003c 10.0_20221201)"],"_cs_severities":["critical"],"_cs_tags":["cve-2022-50993","file-upload","webshell","rce","e-office"],"_cs_type":"advisory","_cs_vendors":["Weaver"],"content_html":"\u003cp\u003eWeaver E-office, a web-based office automation system, is vulnerable to an unauthenticated arbitrary file upload vulnerability (CVE-2022-50993) affecting versions prior to 10.0_20221201. The vulnerability exists within the \u003ccode\u003eOfficeServer.php\u003c/code\u003e endpoint, allowing remote attackers to upload arbitrary files without authentication. This is achieved by sending multipart POST requests with manipulated filenames and content types. The Shadowserver Foundation observed initial exploitation evidence on October 10, 2022. Successful exploitation enables attackers to upload malicious PHP webshells to the Document directory and execute them via HTTP GET requests, leading to remote code execution on the affected server as the web server user. This can compromise the confidentiality, integrity, and availability of the E-office system and the underlying server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP POST request to the \u003ccode\u003eOfficeServer.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a multipart form with a file upload field.\u003c/li\u003e\n\u003cli\u003eThe attacker sets an arbitrary filename for the uploaded file, typically with a \u003ccode\u003e.php\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe attacker disguises the content type of the uploaded file to bypass basic server-side checks.\u003c/li\u003e\n\u003cli\u003eThe server saves the uploaded file (a PHP webshell) to the Document directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to the uploaded PHP webshell file.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code within the uploaded file.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution as the web server user, enabling further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2022-50993 allows an unauthenticated attacker to execute arbitrary code on the affected Weaver E-office server. This can lead to complete system compromise, data theft, modification of sensitive data, and disruption of services. The vulnerability has a CVSS v3.1 base score of 9.8, indicating its critical severity. While the number of victims and specific sectors targeted are not detailed, organizations using vulnerable versions of Weaver E-office are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Weaver E-office to version 10.0_20221201 or later to patch CVE-2022-50993.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Weaver E-office Webshell Upload\u0026rdquo; to detect malicious PHP file uploads to the \u003ccode\u003eOfficeServer.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests to the Document directory with \u003ccode\u003e.php\u003c/code\u003e extensions, indicative of webshell execution.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block suspicious POST requests to \u003ccode\u003eOfficeServer.php\u003c/code\u003e with arbitrary file upload attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-weaver-eoffice-upload/","summary":"Weaver E-office versions prior to 10.0_20221201 are vulnerable to unauthenticated arbitrary file upload in the OfficeServer.php endpoint, allowing attackers to upload PHP webshells and achieve remote code execution.","title":"Weaver E-office Unauthenticated Arbitrary File Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-weaver-eoffice-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — Webshell","version":"https://jsonfeed.org/version/1.1"}