Security News > 2020 > September > CISA Shares Details on Web Shells Employed by Iranian Hackers
The U.S. Cybersecurity and Infrastructure Security Agency this week released a malware analysis report detailing web shells employed by Iranian hackers.
Web shells provide the hackers with the ability to execute code on the victim systems, enumerate directories, deploy additional payloads, steal data, and navigate the victim network.
CISA's report reveals that an Iranian threat actor targeting IT, government, healthcare, financial, and insurance organizations across the United States was observed employing the ChunkyTuna, Tiny, and China Chopper web shells in their attacks.
CISA, which does not name the Iranian threat actor referenced in their new report, details the functionality of 19 malicious files, many of which are components of the China Chopper web shell.
"The adversary may have used the 'FRP' utility to tunnel outbound Remote Desktop Protocol sessions, allowing persistent access to the network from outside the firewall perimeter. The China Chopper web shell also provides the persistent ability to navigate throughout the victim's network when inside the perimeter. Leveraging the 'KeeThief' utility allows access to sensitive user password credentials and potentially the ability to pivot to user accounts outside of the victim's network," CISA says.