
HC3: Stealthy Godzilla Web Shell Used by Chinese APT Groups in Attack Chain

The Health Sector Cybersecurity Coordination Center (HC3) has issued an Analyst Note to raise awareness of a stealthy backdoor – the Godzilla web shell – that is being used by Chinese state-sponsored threat groups to gain persistent remote access to victims’ networks.

Web shells are tools that threat actors use to remotely interact with compromised web servers via a web browser. A web shell can be written in any language the web server can execute and consists of a web script that is dropped on a compromised system and lets the threat actor interact with the underlying operating system. Provided the web shell is not detected, the threat actor retains persistent backdoor access to that system. Web shells can be used to run commands on the compromised host, execute code, move laterally, and deliver malicious payloads. The problem for threat actors is that their web shells are increasingly being detected by security solutions.

In response to these detections, a developer using the handle BeichenDream claims to have created a stealthy web shell called Godzilla that encrypts its network traffic with the Advanced Encryption Standard (AES), making it much harder to detect through inspection of the traffic content. Since the web shell is maintained in a public repository, it can be accessed and used by any threat actor with relative ease. Researchers believe with a relatively high level of confidence that the Godzilla web shell is being used by Chinese state-sponsored hackers.

The Godzilla web shell can collect system information such as network configuration, operating system details, and installed software, and provides file management and manipulation capabilities, including uploading, downloading, deleting, and modifying files, as well as running commands and executing files. In addition to encrypting its traffic, the web shell executes in memory, which makes detection challenging.

Advanced persistent threat actors were observed using the Godzilla web shell in 2021 in attacks on multiple sectors that exploited an authentication bypass vulnerability in Zoho’s ManageEngine Password Manager. Last year, the Chinese hacking group APT Dalbit (M00nlight) was observed using the Godzilla web shell alongside other tools in attacks on multiple sectors. Defending against web shells, especially stealthy web shells such as Godzilla, can be a challenge. HC3 has recommended several resources in its Analyst Note on the detection and prevention of web shell malware.
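Because Godzilla encrypts its request and response bodies, content signatures on the traffic are of limited use, and detection tends to fall back on request metadata that the attacker cannot encrypt away: a server-side script that is hit almost only with POST, carries no Referer, and is used by very few client IPs. The following script is an added example that is not part of HC3’s Analyst Note or of this article; it implements that triage heuristic over Apache/nginx combined-format access logs. The thresholds (`min_hits`, `max_ips`, `post_ratio`), the list of script extensions, and the log lines are assumptions constructed for the example.

```python
"""Heuristic triage of web server access logs for web shell activity.

Added example, not code from HC3's Analyst Note or from The HIPAA Journal.
Because Godzilla encrypts request and response bodies with AES, signatures on
the traffic content are unreliable; this script instead scores request
metadata: server-side script paths that are hit almost exclusively with POST,
carry no Referer, and are used by only a handful of client IPs. The thresholds
are assumptions chosen for the example, and the log lines (Apache/nginx
"combined" format) are constructed.
"""
import re
from collections import defaultdict

# Extensions the web server executes server-side (assumed list).
SCRIPT_EXTS = (".php", ".jsp", ".jspx", ".asp", ".aspx", ".ashx")

# Combined log format:
# host ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def suspicious_script_paths(lines, min_hits=3, max_ips=2, post_ratio=0.9):
    """Return script paths whose access pattern looks like web shell use.

    A path is flagged when it has at least `min_hits` requests, at least
    `post_ratio` of them are POSTs, none of them carries a Referer, and at
    most `max_ips` distinct client IPs touched it. Legitimate POST endpoints
    normally fail the Referer test or the IP-count test.
    """
    stats = defaultdict(lambda: {"hits": 0, "posts": 0, "noref": 0,
                                 "ips": set(), "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(SCRIPT_EXTS):
            continue
        s = stats[rec["path"]]
        s["hits"] += 1
        s["posts"] += rec["method"] == "POST"
        s["noref"] += rec["referer"] in ("", "-")
        s["ips"].add(rec["ip"])
        s["uas"].add(rec["ua"])

    findings = []
    for path, s in stats.items():
        if s["hits"] < min_hits:
            continue
        ratio = s["posts"] / s["hits"]
        if ratio >= post_ratio and s["noref"] == s["hits"] and len(s["ips"]) <= max_ips:
            findings.append({
                "path": path,
                "hits": s["hits"],
                "post_ratio": round(ratio, 2),
                "client_ips": sorted(s["ips"]),
                "user_agents": sorted(s["uas"]),
            })
    return sorted(findings, key=lambda f: -f["hits"])


# Constructed sample log: ordinary browsing of /index.php, a legitimate form
# endpoint used by several clients with a Referer, a static image, and a
# dropped script under /images/ that a single IP drives with referer-less POSTs.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://www.example.org/" "Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.6 - - [12/Mar/2024:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.10 - - [12/Mar/2024:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Android)"',
    '10.0.0.7 - - [12/Mar/2024:10:02:10 +0000] "POST /api/submit.php HTTP/1.1" 200 312 "https://www.example.org/form" "Mozilla/5.0 (Macintosh)"',
    '10.0.0.8 - - [12/Mar/2024:10:02:11 +0000] "POST /api/submit.php HTTP/1.1" 200 298 "https://www.example.org/form" "Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.9 - - [12/Mar/2024:10:02:13 +0000] "POST /api/submit.php HTTP/1.1" 200 305 "https://www.example.org/form" "Mozilla/5.0 (iPhone)"',
    '203.0.113.44 - - [12/Mar/2024:10:05:01 +0000] "POST /images/cache.jsp HTTP/1.1" 200 76 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.44 - - [12/Mar/2024:10:05:03 +0000] "POST /images/cache.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.44 - - [12/Mar/2024:10:05:09 +0000] "POST /images/cache.jsp HTTP/1.1" 200 76 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.44 - - [12/Mar/2024:10:06:40 +0000] "POST /images/cache.jsp HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '10.0.0.5 - - [12/Mar/2024:10:07:00 +0000] "GET /logo.png HTTP/1.1" 200 9000 "https://www.example.org/" "Mozilla/5.0 (Windows NT 10.0)"',
]

if __name__ == "__main__":
    for f in suspicious_script_paths(SAMPLE_LOG):
        print(f"{f['path']}: {f['hits']} hits, {f['post_ratio']:.0%} POST, "
              f"clients={f['client_ips']}")
```

Run against the constructed sample, only `/images/cache.jsp` is flagged: `/api/submit.php` is all POST but every request carries a Referer and comes from three different clients, and `/index.php` is never POSTed. In practice this is a triage step, not a verdict; a single server-side integration calling an API endpoint can look the same, so flagged paths should be checked against the web root, where a dropped shell normally shows up as a script file created or modified outside the application’s deployment process.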

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
