Skip to content

S0598 P.A.S. Webshell

P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.1

Item Value
ID S0598
Associated Names Fobushell
Type MALWARE
Version 1.0
Created 13 April 2021
Last Modified 13 April 2021
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Fobushell 2

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account P.A.S. Webshell can display the /etc/passwd file on a compromised host.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols P.A.S. Webshell can issue commands via HTTP POST.1
enterprise T1110 Brute Force -
enterprise T1110.001 Password Guessing P.A.S. Webshell can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP3, MySQL, MSSQL, and PostgreSQL services.1
enterprise T1059 Command and Scripting Interpreter P.A.S. Webshell has the ability to create reverse shells with Perl scripts.1
enterprise T1213 Data from Information Repositories P.A.S. Webshell has the ability to list and extract data from SQL databases.1
enterprise T1005 Data from Local System P.A.S. Webshell has the ability to copy files on a compromised host.1
enterprise T1140 Deobfuscate/Decode Files or Information P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution.1
enterprise T1083 File and Directory Discovery P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.1
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.002 Linux and Mac File and Directory Permissions Modification P.A.S. Webshell has the ability to modify file permissions.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run.1
enterprise T1105 Ingress Tool Transfer P.A.S. Webshell can upload and download files to and from compromised hosts.1
enterprise T1046 Network Service Discovery P.A.S. Webshell can scan networks for open ports and listening services.1
enterprise T1027 Obfuscated Files or Information P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.1
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell P.A.S. Webshell can gain remote access and execution on target web servers.1
enterprise T1518 Software Discovery P.A.S. Webshell can list PHP server configuration details.1

Groups That Use This Software

ID Name References
G0034 Sandworm Team 1

References

  1. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. 

  2. NCCIC. (2017, February 10). Enhanced Analysis of GRIZZLY STEPPE Activity. Retrieved April 12, 2021.