Distribution of Godzilla WebShell Abusing ViewState (Targeting Financial Sector)

Overview

AhnLab SEcurity intelligence Center (ASEC) has recently detected an attack targeting financial sector companies. The threat actor primarily targeted ASP.NET environments with vulnerable configurations, abusing the ViewState feature supported by ASP.NET. 

ViewState is a fundamental ASP.NET feature for preserving user input and other data that must persist across requests to a web page. The ASP.NET module serializes this state into the page and deserializes it on the next request, and an attacker who controls the serialized data can have code of their choosing executed during deserialization (CAPEC-586). The attack is mitigated by ViewState's message authentication code (MAC) validation and encryption settings; when the server is configured so that the serialized data is not verified (CWE-642), the attack becomes possible. The threat actor exploited this combination of weaknesses to install a web shell on the target server.
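As an added example (not code from the ASEC report), the following Python script audits a web.config for the settings that decide whether ViewState is MAC-validated and encrypted. Both web.config fragments are constructed for this illustration, and the lists of legacy validation and decryption algorithms are this example's own assumptions.

```python
"""Audit ASP.NET web.config ViewState settings (added example, not from the
ASEC report).  Both web.config fragments below are constructed for this
illustration; they are not the victim's configuration."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed: a configuration that lets a forged __VIEWSTATE be deserialized
# unverified (CWE-642) and relies on legacy algorithms.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validation="SHA1" decryption="3DES"
                validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""

# Constructed: MAC validation on, ViewState always encrypted, modern algorithms.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validation="HMACSHA256" decryption="AES"
                validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""

# Algorithm names this example treats as legacy (assumption of the example).
LEGACY_VALIDATION = {"MD5", "SHA1"}
LEGACY_DECRYPTION = {"DES", "3DES"}


def audit_viewstate_config(web_config: str) -> List[str]:
    """Return a list of findings; an empty list means no ViewState weakness found."""
    root = ET.fromstring(web_config)
    findings: List[str] = []

    pages = root.find("./system.web/pages")
    attrs = pages.attrib if pages is not None else {}
    # ASP.NET defaults when the attribute is absent: MAC on, encryption "Auto".
    if attrs.get("enableViewStateMac", "true").lower() == "false":
        findings.append("HIGH: enableViewStateMac=false, ViewState is deserialized "
                        "without MAC verification")
    mode = attrs.get("viewStateEncryptionMode", "Auto")
    if mode != "Always":
        findings.append(f"MEDIUM: viewStateEncryptionMode={mode}, set Always so the "
                        "serialized state is never sent in the clear")

    machine_key = root.find("./system.web/machineKey")
    if machine_key is not None:
        validation = machine_key.get("validation", "HMACSHA256").upper()
        if validation in LEGACY_VALIDATION:
            findings.append(f"MEDIUM: machineKey validation={validation}, "
                            "use HMACSHA256 or stronger")
        decryption = machine_key.get("decryption", "AES").upper()
        if decryption in LEGACY_DECRYPTION:
            findings.append(f"MEDIUM: machineKey decryption={decryption}, use AES")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_viewstate_config(cfg) or ["no findings"])
```

MAC validation and encryption only help while the machineKey stays secret: a validationKey disclosed through source leakage or reused across servers lets an attacker produce a payload that passes the integrity check, so keys should be rotated after any compromise. Note also that .NET Framework 4.5.2 and later refuse to honour enableViewStateMac="false" by default, so on current runtimes a leaked or guessable key is the more realistic path to this attack than a disabled MAC.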

The web shell was identified as Godzilla upon analysis. Godzilla not only executes commands received from the attacker, uploads and downloads files, and runs shellcode on the compromised system, but also bundles attack tools such as Mimikatz and PetitPotam. The attacker likely used the web shell for malicious activities such as lateral movement and executing additional malware.

This report analyzes how the threat actor infiltrated the system to install the web shell and what they intended to accomplish with it. Based on these initial-access cases, it also presents measures to prevent future incidents and to correct the vulnerable configurations.

Table of Contents

Overview
Infiltration Process Analysis
1. Deserialization Attack Using ViewState
  1.1. What Is ViewState?
  1.2. Command Execution Using ViewState
  1.3. Payload Used in the Attack
2. Initial Infiltration Using Web Shell 
  2.1. Godzilla Web Shell
  2.2. Case Analysis 
Conclusion and Preventive Measures 
Indicators of Compromise (IoCs)

Summary

Payload used in the ViewState attacks

In an actual attack case, the payload shown in Figure 6 was used. The __VIEWSTATE field contains the serialized payload created by the threat actor.
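Because the serialized payload rides in the __VIEWSTATE form field, one way to hunt for it in captured requests is to pull that field out of each POST body, base64-decode it, and look for the ObjectStateFormatter header together with .NET type names that belong in deserialization gadget chains rather than in page state. The following Python script is an added example, not tooling from the ASEC report: the two request bodies are constructed for the illustration (the "malicious" one contains marker strings only and is not a working payload), and the marker list and size threshold are this example's assumptions.

```python
"""Triage __VIEWSTATE values in captured ASP.NET POST bodies (added example,
not tooling from the ASEC report).  The sample bodies are constructed."""
import base64
import binascii
from typing import Dict, List, Optional
from urllib.parse import parse_qs, quote_plus

LOS_HEADER = b"\xff\x01"  # ObjectStateFormatter / LosFormatter magic bytes

# .NET type names typical of deserialization gadget chains (assumed marker
# list); genuine page control state has no reason to reference them.
GADGET_MARKERS = (
    b"System.Diagnostics.Process",
    b"ObjectDataProvider",
    b"TextFormattingRunProperties",
    b"System.Windows.Markup.XamlReader",
    b"ActivitySurrogateSelector",
    b"cmd.exe",
    b"powershell",
)


def extract_viewstate(post_body: str) -> Optional[str]:
    """Return the __VIEWSTATE value from a URL-encoded form body, or None."""
    fields = parse_qs(post_body, keep_blank_values=True)
    values = fields.get("__VIEWSTATE")
    return values[0] if values else None


def decode_viewstate(value: str) -> Optional[bytes]:
    """Strict base64 decode; None when the value is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage_viewstate(value: str, size_threshold: int = 8192) -> Dict:
    """Flag a ViewState that carries gadget markers or is unusually large."""
    raw = decode_viewstate(value)
    result: Dict = {
        "decodable": raw is not None,
        "size": len(raw) if raw is not None else 0,
        "los_header": raw is not None and raw.startswith(LOS_HEADER),
        "markers": [],
        "oversized": False,
        "suspicious": False,
    }
    if raw is None:
        return result
    markers: List[str] = [m.decode() for m in GADGET_MARKERS if m in raw]
    result["markers"] = markers
    result["oversized"] = len(raw) > size_threshold
    result["suspicious"] = bool(markers) or result["oversized"]
    return result


def _form_body(state: bytes) -> str:
    """Build a constructed POST body carrying the given ViewState bytes."""
    return ("__VIEWSTATE=" + quote_plus(base64.b64encode(state).decode())
            + "&__EVENTTARGET=")


# Constructed benign state: LOS header, a string token ("hello"), dummy 32-byte MAC.
BENIGN_BODY = _form_body(LOS_HEADER + b"\x05\x05hello" + bytes(32))

# Constructed malicious state: marker strings only, NOT a working gadget chain.
MALICIOUS_BODY = _form_body(
    LOS_HEADER + b"\x00" * 8 + b"System.Windows.Markup.XamlReader\x00"
    + b"System.Diagnostics.Process\x00cmd.exe /c whoami\x00" + bytes(32)
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, triage_viewstate(extract_viewstate(body)))
```

The marker scan works because ViewState MAC validation signs the serialized bytes but does not hide them; a payload signed with a stolen machineKey still exposes its type names. If viewStateEncryptionMode="Always" is in effect the field is ciphertext and only the size heuristic applies, so in that case pair this with the ViewState validation-failure events that ASP.NET writes to the Windows Application log.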


Figure. Payload used in the ViewState attacks

Godzilla WebShell

Godzilla Web Shell is distributed as a Java application (.jar) at the GitHub address shown below. The release information indicates that version updates continued up to v4.0.1 in November 2021, and as of 2024 no newer version has been released.


Figure. Release information of Godzilla Web Shell

This code functions as a listener: it stores binary data in the session (Context.Session["payload"]) and retrieves it whenever the threat actor issues a command. Because the binary (malware) kept in the session is executed directly from memory without ever being written to a file, this can be considered a fileless technique. A web shell of this type is called a "MemShell."


Figure. Operation of Godzilla Web Shell

MD5

30833ab8ac0c794a3806dbe7c94eaddd
612585fa3ada349a02bc97d4c60de784
69342f321f49dbb1a3912a87731cbf5e
802acfdffe1ea0584b7839533edfbda1
9945815fb0e750d526922582eda2bf39