Track Common Adversary Tasks Performed Using ASPXSpy

 





To know more about it, you can go through my detailed document by clicking here






Overview

ASPXSpy is a web shell that Threat Group-3390 modified for use as a backdoor payload. It lets the attackers control the compromised Windows server and fetch, install, and execute further malware payloads on the already infected system. It can also open specific ports on the compromised host, which may lead to further damage.

Remedy

The following practices can help in defending against ASPXSpy and similar threats:
  • Identifying digital shadow assets, including cloud hosts, with the help of an Attack Surface Management solution.

  • Keeping track of the state of passwords across your organization at all times (especially under peak conditions).

  • Acting quickly on all alerts raised by your Threat Intelligence or Digital Risk Protection platforms.

  • Keeping track of potential weaknesses in your internet-facing infrastructure, such as expired domains, SSL certificates, or subdomains.


Conclusion

Based on our information, we can deduce the following:
  • Web shells are used so extensively by threat actors mainly because they are easy to use and hard to detect.

  • Techniques for identifying web shells include YARA rules, Sigma rules, network traffic patterns, and internal/external scanning, which together offer plenty of opportunities to detect web shells on their systems.

  • HTTP scanning may come in handy for security teams with limited host and network visibility.

  • Since public-facing servers are rather easy to target, threat actors will continue to use web shells to maintain persistence and gain extra capabilities.
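The network traffic pattern approach mentioned above can be put into practice with nothing more than the IIS logs a Windows web server already writes. The following is an added example written for this post, not a tool from the post or from any vendor: it parses IIS W3C log lines (the `#Fields:` header defines the columns), groups requests by `.aspx` page, and scores each page on traits that web-shell traffic tends to show and normal application traffic does not. The log lines are constructed samples, the scoring weights and the `KNOWN_PAGES` allowlist are assumptions you would replace with your own deployed page inventory.

```python
"""Flag web-shell-like activity in IIS W3C log lines (added example, not from the post).

Heuristics (assumptions, tune to your environment): POSTs to a page that is not part
of the deployed application, POSTs with no Referer (nothing on the site links to the
page), repeated requests from a single client IP, and a non-browser User-Agent.
"""
from collections import defaultdict

# Constructed sample in IIS W3C extended format; IIS replaces spaces with '+' in fields.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2024-01-10 09:00:01 GET /Default.aspx - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) http://www.example.com/ 200
2024-01-10 09:00:03 GET /Default.aspx - 203.0.113.6 Mozilla/5.0+(Windows+NT+10.0) http://www.example.com/ 200
2024-01-10 09:00:05 POST /Login.aspx - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) http://www.example.com/Default.aspx 302
2024-01-10 09:01:10 POST /aspnet_client/system_web/theme.aspx - 198.51.100.77 python-requests/2.31 - 200
2024-01-10 09:01:12 POST /aspnet_client/system_web/theme.aspx - 198.51.100.77 python-requests/2.31 - 200
2024-01-10 09:01:20 POST /aspnet_client/system_web/theme.aspx - 198.51.100.77 python-requests/2.31 - 200
"""

# Placeholder allowlist: the .aspx pages your application actually ships (lower-cased).
KNOWN_PAGES = {"/default.aspx", "/login.aspx"}


def parse_iis_log(text):
    """Yield one dict per request, keyed by the column names from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no request
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or pre-header line; skip rather than misalign columns
        yield dict(zip(fields, values))


def score_uri(records):
    """Score every .aspx URI on web-shell-like traits; returns {uri: (score, reasons)}."""
    by_uri = defaultdict(list)
    for r in records:
        if r["cs-uri-stem"].lower().endswith(".aspx"):
            by_uri[r["cs-uri-stem"]].append(r)
    results = {}
    for uri, reqs in by_uri.items():
        score, reasons = 0, []
        if uri.lower() not in KNOWN_PAGES:
            score += 2
            reasons.append("not a known application page")
        posts = [r for r in reqs if r["cs-method"] == "POST"]
        if posts and all(r["cs(Referer)"] == "-" for r in posts):
            score += 2
            reasons.append("all POSTs lack a Referer")
        if len(reqs) >= 3 and len({r["c-ip"] for r in reqs}) == 1:
            score += 1
            reasons.append("repeated requests from a single client IP")
        if any(not r["cs(User-Agent)"].startswith("Mozilla/") for r in reqs):
            score += 1
            reasons.append("non-browser User-Agent")
        results[uri] = (score, reasons)
    return results


def suspicious_uris(text, threshold=4):
    """Return the sorted list of URIs whose score reaches the threshold."""
    return sorted(u for u, (s, _) in score_uri(parse_iis_log(text)).items() if s >= threshold)


if __name__ == "__main__":
    for uri, (score, reasons) in score_uri(parse_iis_log(SAMPLE_LOG)).items():
        print(f"{score} {uri}: {'; '.join(reasons) or 'no findings'}")
```

On the sample, the two application pages score 0 while the unknown page under `aspnet_client` collects every indicator. In production, point `parse_iis_log` at the day's log files, keep the allowlist in sync with deployments, and treat a hit as a prompt to pull the file from the web root for YARA or manual review rather than as a verdict on its own.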