The Microsoft Defender Security Research Team has reported a growing trend in which threat actors use HTTP cookies as the control mechanism for PHP-based web shells on Linux servers, giving them remote code execution on the host.
Mechanism of Attack
According to Microsoft, these web shells operate by relying on cookie values supplied by the attackers to manage execution, rather than exposing command execution through URL parameters or request bodies. This method enhances stealth, allowing malicious code to remain dormant during regular application operations and activate only when specific cookie values are detected.
Implementation Details
The cookie-controlled execution model manifests in various forms. For instance, one implementation involves a PHP loader that employs multiple layers of obfuscation and runtime checks before executing an encoded secondary payload based on structured cookie input. Another version segments structured cookie data to reconstruct operational components, such as file handling functions, which can conditionally write and execute a secondary payload. Additionally, a simpler PHP script may utilize a single cookie value to trigger actions controlled by the attacker, including executing supplied input and uploading files.
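The forms described above share one property a defender can look for: a value read from $_COOKIE ends up in an execution, decoding or file-writing call, often through a variable or a function name assembled from string fragments. The following is an added example, written for this article and not code from Microsoft or from the report; it is a hypothetical triage script with my own sink list and weights, run over three constructed PHP fixtures (a benign preference cookie, a direct "execute the cookie" form, and a segmented form that rebuilds a file-writing call), and it can also walk a web root with scan_tree().

```python
# Triage PHP sources for cookie-driven execution (hypothetical defender script, not
# Microsoft's tooling): flag a $_COOKIE value that reaches an exec/decode/write sink.
import re
from pathlib import Path

COOKIE_SOURCE = re.compile(r"\$_COOKIE\s*\[|filter_input\s*\(\s*INPUT_COOKIE")
ASSIGN = re.compile(r"\$(\w+)\s*(?:\.=|=(?!=))\s*([^;]*);")  # "$x = ...;", not "=="
EXEC_SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru",
              "popen", "proc_open", "create_function", "pcntl_exec")
WRITE_SINKS = ("file_put_contents", "fwrite", "fputs")
DECODE_FUNCS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "hex2bin")
WEIGHTS = {"exec": 5, "write": 4, "dynamic-call": 3, "decode": 2}  # assumed weights
SUSPICIOUS_THRESHOLD = 3
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".inc"}


def tainted_variables(src: str) -> set[str]:
    """Variables assigned, directly or through other variables, from a cookie value."""
    tainted: set[str] = set()
    changed = True
    while changed:  # fixpoint so "$a = $_COOKIE[..]; $b = f($a);" also taints $b
        changed = False
        for name, rhs in ASSIGN.findall(src):
            if name not in tainted and (COOKIE_SOURCE.search(rhs) or
                                        any(re.search(rf"\${v}\b", rhs) for v in tainted)):
                tainted.add(name)
                changed = True
    return tainted


def findings_for(src: str) -> list[tuple[str, str, int]]:
    """(kind, callee, line) for every sink whose arguments carry cookie-derived data."""
    tainted = tainted_variables(src)
    taint = re.compile(r"\$_COOKIE\s*\[" + "".join(rf"|\${v}\b" for v in sorted(tainted)))
    hits = []
    for kind, names in (("exec", EXEC_SINKS), ("write", WRITE_SINKS), ("decode", DECODE_FUNCS)):
        for name in names:
            for m in re.finditer(rf"\b{name}\s*\(([^;]*)", src, re.I):
                if taint.search(m.group(1)):
                    hits.append((kind, name, src.count("\n", 0, m.start()) + 1))
    # "$f($x)": a variable callee hides names split like 'file_put_' . 'contents'
    for m in re.finditer(r"\$(\w+)\s*\(([^;]*)", src):
        if m.group(1) in tainted or taint.search(m.group(2)):
            hits.append(("dynamic-call", "$" + m.group(1), src.count("\n", 0, m.start()) + 1))
    return hits


def risk_score(hits: list) -> int:
    return sum(WEIGHTS[kind] for kind, _, _ in hits)


def classify(src: str) -> str:
    return "suspicious" if risk_score(findings_for(src)) >= SUSPICIOUS_THRESHOLD else "clean"


def looks_like_php(path: Path) -> bool:
    """Also catch payloads parked under non-.php names (e.g. a hidden '.cache' file)."""
    if path.suffix.lower() in PHP_SUFFIXES:
        return True
    try:
        return b"<?php" in path.read_bytes()[:512]
    except OSError:
        return False


def scan_tree(root: str) -> dict[str, tuple[int, list]]:
    """Walk a web root; return {path: (score, hits)} for files with any finding."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and looks_like_php(path):
            try:
                hits = findings_for(path.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                results[str(path)] = (risk_score(hits), hits)
    return results


# Constructed fixtures for the demo below (not samples from the Microsoft report).
BENIGN_SAMPLE = """<?php
$lang = $_COOKIE['lang'] ?? 'en';
if (!in_array($lang, ['en', 'de', 'fr'], true)) { $lang = 'en'; }
echo 'Language: ' . htmlspecialchars($lang);
"""
DIRECT_SAMPLE = """<?php
if (isset($_COOKIE['x'])) { eval($_COOKIE['x']); }
"""
SEGMENTED_SAMPLE = """<?php
$c = $_COOKIE['sid'] ?? '';
$seg = explode('|', $c);
$fn = 'file_put_' . 'contents';
$fn($seg[0], base64_decode($seg[1]));
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SAMPLE), ("direct", DIRECT_SAMPLE),
                       ("segmented", SEGMENTED_SAMPLE)):
        print(f"{label:10} {classify(src):10} {findings_for(src)}")
```

The benign fixture reads a cookie but only passes it to in_array and htmlspecialchars, so it scores zero; the direct fixture is caught at the eval sink; the segmented one is caught because a cookie-derived variable flows into a variable-named call and a decoder, even though the string file_put_contents never appears in the source. Heavily obfuscated loaders of the first kind described above will defeat a regex pass like this, so treat a zero score as "nothing obvious", and pair it with integrity checks (a known-good file list for the web root) rather than relying on content signatures alone.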
Persistence and Evasion Techniques
In some cases, attackers gain initial access to a victim’s Linux environment through valid credentials or by exploiting known vulnerabilities. They then set up a cron job that periodically invokes a shell routine to execute an obfuscated PHP loader. This architecture allows the PHP loader to be recreated consistently, even if removed during cleanup efforts, thereby establishing a persistent remote code execution channel.
Mitigation Recommendations
To counter this threat, Microsoft suggests several mitigations: enforcing multi-factor authentication for hosting control panels and SSH access, monitoring for unusual login activity, restricting shell interpreter execution, auditing cron jobs, and checking for suspicious file creations in web directories. The researchers emphasize that the use of cookies as a control mechanism is a reuse of established web shell tactics, enabling persistent access that can evade traditional inspection and logging controls.
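The persistence section and the mitigation list above meet at one control: audit cron jobs, because the cron entry is what keeps re-creating the PHP loader after cleanup. The script below is an added example for this article, not Microsoft's tooling or anything quoted from the report; it parses crontab lines in both the user format (from crontab -l) and the system format with a user column (/etc/crontab, /etc/cron.d/*), scores each command with signals and weights that are my own assumptions, and runs over a constructed sample crontab.

```python
# Score crontab entries for the re-dropping-loader pattern (hypothetical defender
# script, not from the Microsoft report). Signals and weights are my own assumptions.
import re

INTERPRETER = re.compile(r"(?:^|[\s;&|/])(?:php|sh|bash|dash|zsh|perl|python3?|ruby)(?=\s|$)")
WORLD_WRITABLE = re.compile(r"/(?:tmp|var/tmp|dev/shm)/")
WEB_ROOT = re.compile(r"/var/www/")
HIDDEN_PATH = re.compile(r"/\.[A-Za-z0-9_]")
ENCODED = re.compile(r"base64|eval\s*\(|gzinflate|str_rot13", re.I)
FETCH_AND_RUN = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sh|bash)\b")
SILENCED = re.compile(r">\s*/dev/null")
SIGNALS = [  # (reason, weight, predicate over the command string)
    ("calls a shell or script interpreter", 1, INTERPRETER.search),
    ("runs a file from a world-writable directory", 3, WORLD_WRITABLE.search),
    ("runs a file inside the web root", 2, WEB_ROOT.search),
    ("references a hidden path", 2, HIDDEN_PATH.search),
    ("carries an inline encoded or eval'd payload", 3, ENCODED.search),
    ("downloads and pipes straight into a shell", 4, FETCH_AND_RUN.search),
    ("discards all output", 1, SILENCED.search),
]
SUSPICIOUS_THRESHOLD = 4


def schedule_signal(schedule: list[str]):
    """Boot-time or very frequent schedules suit a job that keeps re-creating a loader."""
    if schedule[0] == "@reboot":
        return ("re-runs at every boot", 1)
    m = re.fullmatch(r"\*(?:/(\d+))?", schedule[0])  # minute field: "*" or "*/N"
    if m and (m.group(1) is None or int(m.group(1)) <= 5):
        return (f"runs every {m.group(1) or 1} minute(s)", 2)
    return None


def parse_entry(line: str, system_format: bool):
    """(schedule_fields, user, command), or None for blank, comment and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"\w+=", line):
        return None
    parts = line.split()
    if parts[0].startswith("@"):
        schedule, rest = parts[:1], parts[1:]
    elif len(parts) >= 6:
        schedule, rest = parts[:5], parts[5:]
    else:
        return None
    user = None
    if system_format and rest:  # /etc/crontab and /etc/cron.d/* carry a user column
        user, rest = rest[0], rest[1:]
    return schedule, user, " ".join(rest)


def audit_crontab(text: str, system_format: bool = False):
    """Score every entry: returns [(line_no, user, command, score, reasons)]."""
    report = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_entry(line, system_format)
        if parsed is None:
            continue
        schedule, user, command = parsed
        reasons, score = [], 0
        for reason, weight, pred in SIGNALS:
            if pred(command):
                reasons.append(reason)
                score += weight
        sched = schedule_signal(schedule)
        if sched:
            reasons.append(sched[0])
            score += sched[1]
        report.append((no, user, command, score, reasons))
    return report


def suspicious_entries(text: str, system_format: bool = False):
    return [r for r in audit_crontab(text, system_format) if r[3] >= SUSPICIOUS_THRESHOLD]


# Constructed /etc/cron.d-style sample (user column present); not real data.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0 3     * * *   backup  /usr/local/bin/backup.sh --quiet
*/2 *   * * *   www-data /bin/sh /var/www/html/.c/r.sh >/dev/null 2>&1
@reboot         www-data php -r 'eval(base64_decode("PLACEHOLDER"));' >/dev/null 2>&1
"""

if __name__ == "__main__":
    for no, user, cmd, score, reasons in audit_crontab(SAMPLE_CRONTAB, system_format=True):
        flag = "SUSPICIOUS" if score >= SUSPICIOUS_THRESHOLD else "ok"
        print(f"line {no} [{user}] {flag} ({score}): {cmd}\n    " + "; ".join(reasons))
```

On the sample, the two stock entries score zero while the every-two-minutes job under the web root and the @reboot job with an inline decoder cross the threshold. Feed it /etc/crontab and each file in /etc/cron.d with system_format=True, and the output of crontab -l for each account (the web server's user included) with system_format=False. A legitimate application scheduler that runs a PHP script under /var/www every minute will land near the threshold, so keep an allow-list of known commands, and combine the cron review with the other check Microsoft lists: new or hidden files appearing in web directories, which is what such a job leaves behind.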
Microsoft concludes that this approach allows threat actors to leverage legitimate execution paths within the environment, minimizing observable indicators in routine application logs.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.