S0598 P.A.S. Webshell
P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[1]
| Item | Value |
|---|---|
| ID | S0598 |
| Associated Names | Fobushell |
| Type | MALWARE |
| Version | 1.0 |
| Created | 13 April 2021 |
| Last Modified | 25 April 2025 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Fobushell | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | P.A.S. Webshell can display the /etc/passwd file on a compromised host.[1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | P.A.S. Webshell can issue commands via HTTP POST.[1] |
| enterprise | T1110 | Brute Force | - |
| enterprise | T1110.001 | Password Guessing | P.A.S. Webshell can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP3, MySQL, MSSQL, and PostgreSQL services.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | P.A.S. Webshell has the ability to create reverse shells with Perl scripts.[1] |
| enterprise | T1213 | Data from Information Repositories | - |
| enterprise | T1213.006 | Databases | P.A.S. Webshell has the ability to list and extract data from SQL databases.[1] |
| enterprise | T1005 | Data from Local System | P.A.S. Webshell has the ability to copy files on a compromised host.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | P.A.S. Webshell can use a decryption mechanism to process a user-supplied password and allow execution.[1] |
| enterprise | T1083 | File and Directory Discovery | P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.[1] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | P.A.S. Webshell has the ability to modify file permissions.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run.[1] |
| enterprise | T1105 | Ingress Tool Transfer | P.A.S. Webshell can upload and download files to and from compromised hosts.[1] |
| enterprise | T1046 | Network Service Discovery | P.A.S. Webshell can scan networks for open ports and listening services.[1] |
| enterprise | T1027 | Obfuscated Files or Information | P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.[1] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | P.A.S. Webshell can gain remote access and execution on target web servers.[1] |
| enterprise | T1518 | Software Discovery | P.A.S. Webshell can list PHP server configuration details.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1003 | Ember Bear | Ember Bear has used P.A.S. Webshell during intrusions.[3] |
| G0034 | Sandworm Team | [1] |
References
1. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
2. NCCIC. (2017, February 10). Enhanced Analysis of GRIZZLY STEPPE Activity. Retrieved April 12, 2021.
3. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.