SYMBOLCOMMON_NAMEaka. SYNONYMS
jsp.godzilla_webshell (Back to overview)

Godzilla Webshell

There is no description at this point.

References
2023-03-27ElasticRemco Sprooten
REF2924: how to maintain persistence as an (advanced?) threat
Godzilla Webshell Behinder NAPLISTENER SiestaGraph REF2924
2023-02-13AhnLabkingkimgim
Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign
Godzilla Webshell ASPXSpy BlueShell CHINACHOPPER Cobalt Strike Ladon MimiKatz Dalbit
2022-09-28GigamonPavle Culum, Roman Kroshinsky
Investigating Web Shells
Godzilla Webshell Behinder
2022-04-12Microsoft SecurityDetection and Response Team (DART)
Tarrask malware uses scheduled tasks for defense evasion
Godzilla Webshell
2021-12-02Palo Alto Networks Unit 42Peter Renals, Robert Falcone
APT Expands Attack on ManageEngine With Active Campaign Against ServiceDesk Plus
Godzilla Webshell
2021-11-07Palo Alto Networks Unit 42Jeff White, Peter Renals, Robert Falcone
Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
Godzilla Webshell NGLite
Yara Rules
[TLP:WHITE] jsp_godzilla_webshell_w0 (20230215 | Generic JSP webshell which uses reflection to execute user input)
rule jsp_godzilla_webshell_w0 {
    meta:
        description = "Generic JSP webshell which uses reflection to execute user input"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021/01/07"
        hash = "62e6c6065b5ca45819c1fc049518c81d7d165744"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/jsp.godzilla_webshell"
        malpedia_rule_date = "20230215"
        malpedia_version = "20230215"
        malpedia_sharing = "TLP:WHITE"
        malpedia_hash = ""
        malpedia_license = ""

    strings:
        $ws_exec = "invoke" fullword wide ascii
        $ws_class = "Class" fullword wide ascii
        $fp = "SOAPConnection"
    
        //strings from private rule capa_jsp_safe
        $cjsp_short1 = "<%" ascii wide
        $cjsp_short2 = "%>" wide ascii
        $cjsp_long1 = "<jsp:" ascii wide
        $cjsp_long2 = /language=["']java["']/ ascii wide
        // JSF
        $cjsp_long3 = "/jstl/core" ascii wide
        $cjsp_long4 = "<%@p" nocase ascii wide
        $cjsp_long5 = "<%@ " nocase ascii wide
        $cjsp_long6 = "<% " ascii wide
        $cjsp_long7 = "< %" ascii wide
    
        //strings from private rule capa_jsp_input
        // request.getParameter
        $input1 = "getParameter" fullword ascii wide
        // request.getHeaders
        $input2 = "getHeaders" fullword ascii wide
        $input3 = "getInputStream" fullword ascii wide
        $input4 = "getReader" fullword ascii wide
        $req1 = "request" fullword ascii wide
        $req2 = "HttpServletRequest" fullword ascii wide
        $req3 = "getRequest" fullword ascii wide
    
    condition:
        filesize < 10KB and all of ( $ws_* ) and ( 
        $cjsp_short1 at 0 or
            any of ( $cjsp_long* ) or
            $cjsp_short2 in ( filesize-100..filesize ) or
        (
            $cjsp_short2 and (
                $cjsp_short1 in ( 0..1000 ) or
                $cjsp_short1 in ( filesize-1000..filesize ) 
            )
        ) 
        )
        and ( 
            any of ( $input* ) and
            any of ( $req* ) 
        )
        and not $fp
}
Download all Yara Rules