What is a web?
The web is a shell-based interface (in the operating system means the connection between the user and the operating system) that enables remote access and control of the web server. This way hackers can access your files using a malicious web browser. Web pages can be written in a variety of programming languages.
In other words, WebShell is a malicious script that is often used by an attacker to spread or maintain constant access to a Web system. A Web site by itself cannot attack or exploit a remote vulnerability, so it is always the second stage of the attack.
Obfuscation ( Obfuscation ) What?
Obfuscation in the field of software development refers to the process of modifying the code of an application in a way that is difficult for humans or machines to examine and understand (such as antivirus). They often use ambiguity techniques to hide the purpose and logic behind the code or the values contained in it, thus reducing the likelihood of interference and reverse engineering, or turning it into a puzzle and hobby for people who want to learn.
Blurring can be done manually or with the help of special tools called obfuscators. Some of the ambiguity techniques are as follows:
- Naming variables and functions as misleading or meaningless
- Use deceptive comments
- Coding of strings
- Delete or add spaces
- Ambiguity in Control Flow
- Add irrelevant code and write code with an unusual shape and appearance
Deobfuscation Alfa Shell tool code
Alfa Shell is one of the most widely used websites attributed to Iranian experts. There are about four major versions of this webpage, and I have reviewed the Deobfuscation method for the previous three versions in the past. Here I am going to review version 4.1 (the latest version of Alfa Shell).
برای شروع ابتدا باید سورس مبهمسازی شده الفا را دریافت کنیم.
سپس باید کد مربوطه را در یک فایل با نام دیگر ذخیره کنیم که در اینجا با نام alfav4.1-tesla_encode_1.php ذخیره کردیم.
در گام بعدی مقدار متغیر $WMKVyvv=’e’.’v’.’a’.’l’ را به $WMKVyvv=’echo’; تغییر میدهیم. و سپس این دستور را در ترمینال لینوکس اجرا می کنیم:
php alfav4.1-tesla_encode_1.php > alfav4_decode.php
محتوای دیکد شده در فایل جدید alfav4_decode.php ذخیره می شود:
متنی زیر را در ابتدای این فایل مشاهده میکنید:
/* You’re killing me again 🎧 Am I still in your head ? 🎧 You used to light me up 🎧 Now you shut me down — Solevisible */
این متن از موزیک Archive – Again می باشد:
نکته بعدی این که یک شرط به شرح زیر در کد وجود دارد:
According to this condition, the execution of Inobchell must be done through a web server, otherwise it will be exited from the program. We comment on this line of code to continue the work.
Following the path, by adding the base64decode code, we will be able to continue the Deobfuscation of the ALFA Shell code. The path of the added code is as follows:
Then run the following command again in the Linux terminal:
php alfav4_decode.php > final_decode.php
Now we see that the output of the broken ambiguous code was saved in the final_decode.php file. This file can be downloaded from the following link:
مقایسه نسخهی Decode شدهی ما با نسخهی Decode شدهی Alpha
The following file is a decoded version of what the Alpha team provided with its encoded version. Here we are going to compare our decoded output with the decoded version of Alpha to see what the differences are:
For this purpose, we uploaded the two mentioned files for comparison on the following site, which, based on the obtained result, are no different from each other. So we conclude that the decoding process is well underway.
بررسی استاتیک static
One of the most common methods used by hackers to steal access from other non-professional hackers is to generate and spread malware that, if used, acts as a backdoor for malware-causing attackers. Accordingly, we intend to continue to review and analyze this website to see if it acts as a back door for its manufacturers (Alpha team) or not?
In this step, we checked whether this webmail, if installed, tries to communicate with a specific address or not. For example, it is common for infected websites to send their URLs to their manufacturers after installation. Examining the codes related to this section, no suspicious case was observed.
It was observed that WebShell sends an HTTP request to http://solevisible.com after installation. As a result, if you upload this web site somewhere, a request will be sent to this address and the IP address of the infected server will be registered on the solevisible.com web server. An example of an Apache log structure is shown in the following figure:
بررسی کدهای Python و Perl
According to the review, part of this webcall calls obfuscate code in Python and Perl languages. This section of WebShell is responsible for creating Reverse Shells on Linux servers. As a result, I also Deobfuscate these codes to see if there is anything suspicious or malicious in them. You can get these codes from the following addresses:
I thoroughly reviewed both of these sections and finally found no suspicious items in this section of the web.
فایل باینری windows.exe
This binary file is automatically downloaded and executed from http://solevisible.com/bc/windows.exe if you need to get a NC as a Reverse Shell. We also checked this file with GHIDRA and found no suspicious items. The interesting thing about this file is that it is known as malware by some antiviruses and if you use it, it will be detected by antivirus web server.
بررسی شناسایی وبشل نسخهیDeobfuscate شده با نسخهی Obfuscate
As you can see in the figure below, our Deobfuscate version is detected by some antivirus as malware.
مطابق تصویر زیر، نسخهی obfuscate شده توسط هیچکدام از آنتیویروسها شناسایی نشد.
در تصویر زیر نیز نتیجهی تحلیل نسخهی بدونobfuscate که توسط خود تیم آلفا ارایه شده است را مشاهده میکنید.
Investigations revealed no malicious activity from this web server, but the address of the server on which you installed the web server will be sent to the alpha team server. Therefore, in your penetration testing activities or your red team, do not use ready-made tools as much as possible, or at least check them carefully before use. We also saw that slightly modifying or obfuscating the code of a malware would have a significant effect on how antivirus responds to that malicious file or code.