P.A.S. Webshell

P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[1]

ID: S0598
Associated Software: Fobushell
Type: MALWARE
Platforms: Linux, Windows
Version: 1.0
Created: 13 April 2021
Last Modified: 13 April 2021

Associated Software Descriptions

Name Description
Fobushell [2]

Techniques Used

Domain ID Name Use
Enterprise T1213 Data from Information Repositories

P.A.S. Webshell has the ability to list and extract data from SQL databases.[1]

Enterprise T1005 Data from Local System

P.A.S. Webshell has the ability to copy files on a compromised host.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

P.A.S. Webshell can use a decryption mechanism to process a user-supplied password and allow execution.[1]

Enterprise T1059 Command and Scripting Interpreter

P.A.S. Webshell has the ability to create reverse shells with Perl scripts.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

P.A.S. Webshell can issue commands via HTTP POST.[1]

Enterprise T1083 File and Directory Discovery

P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.[1]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

P.A.S. Webshell has the ability to modify file permissions.[1]

Enterprise T1110 .001 Brute Force: Password Guessing

P.A.S. Webshell can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP3, MySQL, MSSQL, and PostgreSQL services.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

P.A.S. Webshell can gain remote access and execution on target web servers.[1]

Enterprise T1027 Obfuscated Files or Information

P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.[1]
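The T1140 and T1027 entries above describe one mechanism from two sides: a base64-encoded, encrypted body that only becomes executable once a password supplied in the request is applied to it. That co-occurrence is what a static triage pass over a web root should look for. The following is an added example, not code from P.A.S. Webshell, from ATT&CK, or from any vendor: the indicator regexes, their weights, the threshold, and both PHP samples are constructed for illustration and are not signatures for this particular tool.

```python
"""Static triage heuristic for password-gated, base64/encrypted PHP loaders.

Added example (not P.A.S. code). Indicator regexes, weights and threshold are
assumptions chosen to illustrate the pattern; tune them against your own web
roots before relying on them.
"""
import re
from dataclasses import dataclass, field

# One indicator per behaviour named on the page: an execution sink (web shell),
# a decoder (T1140), request input used as key/password, a long base64 literal
# (T1027), and a per-byte XOR loop applying that key. Regexes are assumptions.
INDICATORS = {
    "exec_sink": re.compile(
        r"\b(?:eval|assert|create_function|system|passthru|shell_exec|proc_open)\s*\(", re.I),
    "decoder": re.compile(
        r"\b(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(", re.I),
    "user_input": re.compile(r"\$_(?:POST|REQUEST|COOKIE|GET)\s*\["),
    "long_b64": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "xor_key_loop": re.compile(r"\^\s*ord\s*\("),
}
WEIGHTS = {"exec_sink": 3, "decoder": 2, "user_input": 1, "long_b64": 2, "xor_key_loop": 2}
THRESHOLD = 7  # assumption: sink + decoder + one of {long blob, key loop} is enough to triage


@dataclass
class ScanResult:
    score: int = 0
    hits: dict = field(default_factory=dict)  # indicator name -> number of matches


def scan_php_source(src: str) -> ScanResult:
    """Count indicator matches in PHP source and weight them into a score."""
    result = ScanResult()
    for name, pattern in INDICATORS.items():
        count = len(pattern.findall(src))
        if count:
            result.hits[name] = count
            result.score += WEIGHTS[name]
    return result


def is_suspicious(src: str) -> bool:
    """Flag only when an execution sink and a decoder co-occur; each alone is common in benign code."""
    r = scan_php_source(src)
    return "exec_sink" in r.hits and "decoder" in r.hits and r.score >= THRESHOLD


# Constructed samples, not real shells. The "payload" is 240 bytes of 'A', so the
# suspicious sample contains nothing executable even if the eval line were reached.
BENIGN_SAMPLE = """<?php
$user = $_POST['user'];
$logo = base64_decode('iVBORw0KGgo=');
echo htmlspecialchars($user);
"""

SUSPICIOUS_SAMPLE = """<?php
$k = $_POST['pw'];
$d = base64_decode('PAYLOAD');
for ($i = 0; $i < strlen($d); $i++) { $d[$i] = chr(ord($d[$i]) ^ ord($k[$i % strlen($k)])); }
eval(gzinflate($d));
""".replace("PAYLOAD", "A" * 240)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        r = scan_php_source(sample)
        print(f"{label}: score={r.score} hits={r.hits} flagged={is_suspicious(sample)}")
```

The scanner deliberately requires an execution sink and a decoder to appear together, since base64_decode on its own is routine in legitimate code; a bare eval of request input with no decoding step is a different shell style and needs its own rule. Literals split across string concatenation will slip past the long-literal regex, so treat a hit as a lead for manual review of the file, not as a verdict.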

Enterprise T1070 .004 Indicator Removal: File Deletion

P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run.[1]

Enterprise T1046 Network Service Discovery

P.A.S. Webshell can scan networks for open ports and listening services.[1]
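The T1110.001 and T1046 entries above share one observable: the web server host originating connections it never normally makes, either many attempts against one authentication service (SSH, FTP, POP3, MySQL, MSSQL, PostgreSQL) or many ports on one neighbour. The following is an added example, not code from P.A.S. Webshell or from ATT&CK, that applies that idea to a batch of connection records; the record format, the port list, the thresholds and the sample flows are all constructed assumptions.

```python
"""Outbound fan-out detection for a web server host.

Added example (not P.A.S. code). Flags a web server that originates many
connections to one authentication service (password guessing) or to many ports
on one host (service scan). Record format and thresholds are assumptions.
"""
from collections import defaultdict

# The services the page says the shell can brute-force, keyed by default port.
AUTH_PORTS = {22: "ssh", 21: "ftp", 110: "pop3", 3306: "mysql", 1433: "mssql", 5432: "postgresql"}

# Thresholds are assumptions; set them from the host's own baseline.
BRUTE_MIN_ATTEMPTS = 10  # connections from one source to one auth service in the batch
SCAN_MIN_PORTS = 15      # distinct destination ports on one destination host


def parse_flows(lines):
    """Parse constructed 'ts src dst dport' records into (ts, src, dst, dport) tuples."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((float(ts), src, dst, int(dport)))
    return flows


def detect(flows, web_servers):
    """Return findings for sources in web_servers showing brute-force or scan fan-out."""
    auth_attempts = defaultdict(int)   # (src, dst, port) -> connection count
    ports_per_dst = defaultdict(set)   # (src, dst) -> distinct destination ports
    for _ts, src, dst, dport in flows:
        if src not in web_servers:     # only the web tier is in scope for this rule
            continue
        if dport in AUTH_PORTS:
            auth_attempts[(src, dst, dport)] += 1
        ports_per_dst[(src, dst)].add(dport)

    findings = []
    for (src, dst, port), n in sorted(auth_attempts.items()):
        if n >= BRUTE_MIN_ATTEMPTS:
            findings.append(("brute_force", src, dst, AUTH_PORTS[port], n))
    for (src, dst), ports in sorted(ports_per_dst.items()):
        if len(ports) >= SCAN_MIN_PORTS:
            findings.append(("port_scan", src, dst, "tcp", len(ports)))
    return findings


# Constructed sample: 10.0.1.5 is the web server, 10.0.2.7 an admin jump host.
SAMPLE_FLOWS = ["# ts src dst dport (constructed)"]
SAMPLE_FLOWS += [f"{1700000000 + i} 10.0.1.5 10.0.1.9 3306" for i in range(3)]   # normal app-to-DB traffic
SAMPLE_FLOWS += [f"{1700000100 + i} 10.0.1.5 10.0.1.20 22" for i in range(12)]   # SSH guessing from the web server
SAMPLE_FLOWS += [f"{1700000200 + i} 10.0.1.5 10.0.1.30 {p}" for i, p in enumerate(range(1, 21))]  # 20-port sweep
SAMPLE_FLOWS += [f"{1700000300 + i} 10.0.2.7 10.0.1.20 22" for i in range(15)]   # jump host, out of scope here


if __name__ == "__main__":
    for finding in detect(parse_flows(SAMPLE_FLOWS), {"10.0.1.5"}):
        print(finding)
```

The three routine database connections stay below the brute-force threshold, and the jump host's SSH traffic is ignored because only web-tier sources are in scope; widening the source set is how the same rule would cover other hosts. In production the batch should be a bounded time window, and the port sweep rule should also count destinations per port, since a scan for one service across many hosts looks different from the one-host sweep shown here.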

Enterprise T1087 .001 Account Discovery: Local Account

P.A.S. Webshell can display the /etc/passwd file on a compromised host.[1]

Enterprise T1518 Software Discovery

P.A.S. Webshell can list PHP server configuration details.[1]

Enterprise T1105 Ingress Tool Transfer

P.A.S. Webshell can upload and download files to and from compromised hosts.[1]

Groups That Use This Software

ID Name References
G1003 Ember Bear

Ember Bear has used P.A.S. Webshell during intrusions.[3]

G0034 Sandworm Team [1]

References