Discover Invisible Fileless Webshell in the APT attack
Date: 13th Oct – Sunday
Time: 14:00-14:30
Location: Ballroom A
APT groups always try to hide and remain persistent inside their target environment. Although the MITRE ATT&CK matrix tries to collect knowledge of all adversary tactics and techniques, new techniques and skills still show up. Recently, we found a new technique being utilized in multiple operations and by multiple APT groups, including BlackTech, WINNTI and Operation ShadowHammer. While doing incident response, we found that requesting a special URL path can trigger an invisible webshell backdoor on a Windows webserver without leaving any logs. The way this attack works makes it hard to detect, since it does not need to leave a file on the webserver, it does not have its own process, and no log is created. This kind of webshell backdoor can be used on any Windows platform, even one without a webserver installed.
In this presentation we will show the complete attack for this kind of backdoor case, along with threat indicators, victims and disaster assessment.
What kind of technique or special Windows API did they use to achieve a fileless, logless, processless webshell?
What should we do when doing incident response on this kind of invisible webshell?
Furthermore, we also used some undocumented Windows APIs to build a new tool that tries to catch this kind of backdoor in memory while doing incident response.