P.A.S. Webshell

P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[1]

ID: S0598
Associated Software: Fobushell
Type: MALWARE
Platforms: Linux, Windows
Version: 1.0
Created: 13 April 2021
Last Modified: 13 April 2021

Associated Software Descriptions

Name Description
Fobushell

[2]

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

P.A.S. Webshell can display the /etc/passwd file on a compromised host.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

P.A.S. Webshell can issue commands via HTTP POST.[1]

Enterprise T1110 .001 Brute Force: Password Guessing

P.A.S. Webshell can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP3, MySQL, MSSQL, and PostgreSQL services.[1]

Enterprise T1059 Command and Scripting Interpreter

P.A.S. Webshell has the ability to create reverse shells with Perl scripts.[1]

Enterprise T1213 Data from Information Repositories

P.A.S. Webshell has the ability to list and extract data from SQL databases.[1]

Enterprise T1005 Data from Local System

P.A.S. Webshell has the ability to copy files on a compromised host.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution.[1]

Enterprise T1083 File and Directory Discovery

P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.[1]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

P.A.S. Webshell has the ability to modify file permissions.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run.[1]

Enterprise T1105 Ingress Tool Transfer

P.A.S. Webshell can upload and download files to and from compromised hosts.[1]

Enterprise T1046 Network Service Discovery

P.A.S. Webshell can scan networks for open ports and listening services.[1]

Enterprise T1027 Obfuscated Files or Information

P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

P.A.S. Webshell can gain remote access and execution on target web servers.[1]

Enterprise T1518 Software Discovery

P.A.S. Webshell can list PHP server configuration details.[1]

Groups That Use This Software

ID Name References
G0034 Sandworm Team

[1]

References