1. Home
  2. Software
  3. P.A.S. Webshell

P.A.S. Webshell

P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[1]

ID: S0598
Associated Software: Fobushell
Type: MALWARE
Platforms: Linux, Windows
Version: 1.0
Created: 13 April 2021
Last Modified: 25 April 2025
Version Permalink

Associated Software Descriptions

Name Description
Fobushell

[2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

P.A.S. Webshell can display the /etc/passwd file on a compromised host.[1]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

P.A.S. Webshell can issue commands via HTTP POST.[1]
Enterprise T1110 .001 Brute Force: Password Guessing

P.A.S. Webshell can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP3, MySQL, MSSQL, and PostgreSQL services.[1]
Enterprise T1059 Command and Scripting Interpreter

P.A.S. Webshell has the ability to create reverse shells with Perl scripts.[1]
Enterprise T1213 .006 Data from Information Repositories: Databases

P.A.S. Webshell has the ability to list and extract data from SQL databases.[1]
Enterprise T1005 Data from Local System

P.A.S. Webshell has the ability to copy files on a compromised host.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution.[1]
Enterprise T1083 File and Directory Discovery

P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.[1]
Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

P.A.S. Webshell has the ability to modify file permissions.[1]
Enterprise T1070 .004 Indicator Removal: File Deletion

P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run.[1]
Enterprise T1105 Ingress Tool Transfer

P.A.S. Webshell can upload and download files to and from compromised hosts.[1]
Enterprise T1046 Network Service Discovery

P.A.S. Webshell can scan networks for open ports and listening services.[1]
Enterprise T1027 Obfuscated Files or Information

P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.[1]
Enterprise T1505 .003 Server Software Component: Web Shell

P.A.S. Webshell can gain remote access and execution on target web servers.[1]
Enterprise T1518 Software Discovery

P.A.S. Webshell can list PHP server configuration details.[1]

Groups That Use This Software

ID Name References
G1003 Ember Bear

Ember Bear has used P.A.S. Webshell during intrusions.[3]
G0034 Sandworm Team

[1]

References

  1. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  2. NCCIC. (2017, February 10). Enhanced Analysis of GRIZZLY STEPPE Activity. Retrieved April 12, 2021.
  1. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.