Threat Intelligence Report - Active Webshell: DBS.php

DBS.php is a dropper, a wrapper used to obfuscate the end payload the attacker wants to use and provide a dedicated and simple command and control implantation. On its own DBS.php is not damaging but the payloads it can deliver are.

“Spray and Pray” attacks are the reality for all hosts exposed to the internet on a daily basis, as we outlined in our recent cybersecurity report, "Critical Watch Report". In many cases cyber attackers use very similar payloads to gain initial access to the victim system which then automatically proceeds to deploy more complex payloads, such as cryptomining software and more complex command and control.

Indicators of Compromise

In more detail

Alert Logic’s researchers and analysts in our security operations center(SOC) constantly observe attackers probing systems (that are exposed to the internet) for weaknesses that can lead to ways to gain control. By far the most common are the Remote Code Execution (RCE) and Arbitrary (or Unrestricted) File Upload variety.

Both of these vectors require the attacker to circumvent some intended operation of a system to run once or make their own application available, that can then be executed in the context of the remote system. Both have the same ultimate goal - Acquiring persistence on the victim using some piece of malware, webshell or other access method.

In more recent times the ultimate payload has been a cryptocurrency miner, as we recognized in our recent 2018 Critical Watch Report. But the exact steps an attacker takes to get this cryptominer (or whatever the final payload may be) onto the system can vary greatly.

When an attacker first attempts to breach a victim, they tend not to use the final payload they intend. That would be giving the game away. More typically we see “droppers” being used – an initial payload whose only purpose is to act as a conduit for a secondary or tertiary payload. This system allows cyber attackers to perform more scalable and flexible malicious infrastructures but introducing more steps in the chain creates more opportunities for threat detection , and a created window for detection before the final payload is delivered, if the correct techniques are employed.

One such dropper observed in the recent past (usually called db.php or dbs.php), has been observed in use by attackers targeting exploitation of ModX Revolution vulnerability CVE-2018-1000207. If we can detect the successful execution of that payload, then we have the opportunity to provide the exploited system owner with enough advanced notice to resolve the issue before the final payload is delivered.

At the time of writing, we do not believe this has been uploaded onto virustotal and Alert Logic research is spending further time talking through its operation to provide assistance to customers or other defenders. We have provided an image of the dropper code later in the article. This is very lightweight, purely functional, and being used exclusively for the purposes of enabling secondary infection.

Image 1: dbs.php shell contents

Our first observation of this payload in use was 23 July 2018, and we have seen it consistently used across different campaigns to date. The dbs.php webshell contains a simple uploader function and requires the user to access the shell using a specific URI parameter defined in the shell. This will give access to a basic HTML interface that enables the threat actor to upload files to the compromised system, as you can see from image 2. Depending on the variation some parameter names will be different.

Image 2: dbp.php HTML interface for potential manual secondary payload upload

The presence of a UI allows for the possibility for cyber attackers to control the system directly and manually, making it easier for attackers to extend their reach by uploading new content and experimenting further. This presents a greater threat than an entirely API or script reliant webshell in that any time an attacker is allowed to take the time to manually assess or evaluate a set of targets the risk of lateral movement and obfuscation increases significantly.