WP-SHELLSTORM: Webshell Access Brokerage Exposed
A webshell access brokerage revealed scanning of 1.4M sites. Discover details about CVEs and technical insights.
The technical analysis published by SOCRadar revealed that a webshell access brokerage left a directory open for 22 days. Researchers retrieved exploit scripts, obfuscated webshells, and a target list of 1.4 million domains. The confirmed attack numbers vary significantly based on methodology; Ctrl-Alt-Intel recorded around 25,195 validated hits, while SOCRadar noted over 5,700 live webshells.
The primary webshell, down.php, is protected by four layers of obfuscation and derived from the open-source BestShell project. For persistence, a VShell dropper disguised as [kworker/0:2] was used, which is worth checking in IOC hunts for any kworker processes with network sockets.