NEWS 16 Bytes in an HTTP POST Request — and Critical Infrastructure Is in the Hands of the Attacker

ExcalibuR


Fortinet has analyzed a script that controls infected IIS servers via encrypted POST requests.


The FortiGuard Labs team published a detailed analysis of a heavily obfuscated web shell used in attacks on critical infrastructure in the Middle East. The research focuses on the script UpdateChecker.aspx, which runs on Microsoft IIS. It's written in C# as an ASPX page and conceals its true functionality behind layers of encoded and encrypted code. All method, variable, and class names were randomly generated and then encoded in Unicode. Any constants, including strings and numbers, were either encrypted or encoded.


During the analysis, researchers deobfuscated the code and renamed the random identifiers to readable ones. The main function, Page_Load, is triggered when a command is received from the attacker. The shell is controlled through HTTP POST requests with the content type application/octet-stream. Without this header, the request is rejected and an error page is returned.


The request body arrives Base64-encoded; the shell decodes it and then decrypts it step by step. The first 16 bytes contain an encrypted key, which is decoded to retrieve 15 bytes of the actual key and 1 padding byte. This key is then used to decrypt the rest of the command data. The shell’s response is formatted as JSON, then encrypted and encoded back into Base64.
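The request framing described above (POST with application/octet-stream, Base64 body, 16-byte key header of 15 key bytes plus 1 pad byte) is enough for a defender to write a structural check even without knowing the cipher. The following Python is an added example, not Fortinet's script and not code from the web shell: it parses constructed proxy-style request records, flags POSTs to .aspx pages that match the framing, and splits the key header the way the article describes. The record format, the sample records, and the assumption that the header bytes can be split without the unspecified "decode" step are all constructed for the example.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed record format (assumption, not a real log format):
#   METHOD PATH CONTENT_TYPE BODY   ("-" where a field is absent)
ASPX_RE = re.compile(r"\.aspx$", re.IGNORECASE)
KEY_HEADER_LEN = 16   # per the article: 15 key bytes + 1 padding byte


def _make_sample_body() -> str:
    """Build a constructed body that mimics the framing: 16-byte key block
    followed by opaque command data. The bytes are arbitrary sample values."""
    key_block = bytes(range(1, 16)) + b"\x01"   # 15 key bytes + 1 pad byte
    payload = b"\xaa" * 40                        # stand-in for encrypted command data
    return base64.b64encode(key_block + payload).decode()


# Constructed sample records; only the first one resembles the web shell traffic.
SAMPLE_RECORDS = [
    f"POST /UpdateChecker.aspx application/octet-stream {_make_sample_body()}",
    "GET /UpdateChecker.aspx - -",
    "POST /login.aspx application/x-www-form-urlencoded user=a&pass=b",
    "POST /api/upload application/octet-stream SGVsbG8=",   # decodes to 5 bytes only
]


def parse_record(line: str) -> Tuple[str, str, str, str]:
    """Split one constructed record into (method, path, content_type, body)."""
    parts = line.split(None, 3)
    while len(parts) < 4:
        parts.append("-")
    method, path, ctype, body = parts
    return method, path.split("?", 1)[0], ctype, body


def decode_body(body: str) -> Optional[bytes]:
    """Return the Base64-decoded body, or None if it is absent or not valid Base64."""
    if body in ("", "-"):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def split_key_header(decoded: bytes) -> Tuple[bytes, int, bytes]:
    """Split a decoded body as the article describes: a 16-byte header holding
    15 key bytes and 1 pad byte, then the encrypted command data.
    Assumption: the article says the header is 'decoded' to yield the key, but
    does not say how, so the header bytes are passed through unchanged here."""
    if len(decoded) < KEY_HEADER_LEN:
        raise ValueError("body shorter than the 16-byte key header")
    header, payload = decoded[:KEY_HEADER_LEN], decoded[KEY_HEADER_LEN:]
    return header[:15], header[15], payload


def score_request(line: str) -> List[str]:
    """Return the indicators a record matches; an empty list means no match."""
    method, path, ctype, body = parse_record(line)
    reasons: List[str] = []
    if method != "POST" or not ASPX_RE.search(path):
        return reasons
    if ctype.lower() == "application/octet-stream":
        reasons.append("octet-stream POST to .aspx page")
    decoded = decode_body(body)
    if decoded is not None and len(decoded) >= KEY_HEADER_LEN:
        reasons.append("Base64 body long enough for the 16-byte key header")
    return reasons


def flag_records(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every record that matched at least one indicator."""
    flagged = []
    for line in lines:
        reasons = score_request(line)
        if reasons:
            flagged.append((parse_record(line)[1], reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in flag_records(SAMPLE_RECORDS):
        print(path, "->", "; ".join(reasons))
    key, pad, data = split_key_header(decode_body(parse_record(SAMPLE_RECORDS[0])[3]))
    print(f"key={key.hex()} pad={pad} payload_len={len(data)}")
```

Both indicators are weak on their own (legitimate upload handlers also accept octet-stream POSTs), so the check is meant as a triage filter to combine with the specific page name and with process-creation telemetry from the IIS worker process, not as a standalone signature.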


The script supports three core modules for system control:


  • Base module: Retrieves server information.
  • CommandShell module: Executes system commands in the specified working directory.
  • FileManager module: Manages files and directories, including creation, copying, moving, deletion, metadata editing, and listing disks and the root web directory.

To demonstrate the shell’s capabilities, Fortinet developed a Python script that simulates an attacker sending commands to the web shell and receiving responses. This allowed for a clear demonstration of functionalities such as command execution, file manipulation, and server data retrieval.


The analysis of UpdateChecker.aspx exposed the complex architecture of the web shell and revealed how attackers maintain covert and secure control over the system. The script handles communication using JSON, making automated command execution and response parsing easier.