Analysis of an incident involving a web shell used as a backdoor
March 3, 2025, 4 p.m.
Description
A SOC investigation uncovered a web shell attack on a government SharePoint server in Southeast Asia. The attackers used certutil to download an ASPX payload disguised as a 404 page, then employed Potato tools for privilege escalation. Analysis revealed the web shell to be Behinder, a modular backdoor with encrypted communication capabilities. The incident highlights the importance of memory-based threat detection and continuous learning for SOC teams. A YARA rule was developed to identify similar payloads, and indicators of compromise were provided.
Tags
Date
- Created: Feb. 28, 2025, 2:30 p.m.
- Published: Feb. 28, 2025, 2:30 p.m.
- Modified: March 3, 2025, 4 p.m.
Additional Information
- Government