JSPSpy and 'Filebroser': A Custom File Management Tool in Webshell Infrastructure

March 12, 2025, 4:25 p.m.

Description

Researchers have identified a cluster of JSPSpy web shell servers featuring 'Filebroser', a modified version of the open-source File Browser project. The infrastructure spans multiple hosting providers in China and the United States, using both cloud services and traditional ISPs. JSPSpy, a Java-based web shell first observed in 2013, has been used by various threat actors, including the Lazarus Group. The servers typically host JSPSpy on port 80, with one instance on port 8888. Two servers also host the 'filebroser' login panel on port 8001. Detection strategies for JSPSpy include analyzing login page titles and HTTP response headers. The presence of 'filebroser' alongside JSPSpy raises questions about its purpose in attack operations.

Date

  • Created: March 12, 2025, 2:52 p.m.
  • Published: March 12, 2025, 2:52 p.m.
  • Modified: March 12, 2025, 4:25 p.m.

Indicators

  • 22.176.159.209
  • 124.235.147.90
  • learning.gensci-china.com
  • dgtmeta.com

Attack Patterns

  • Filebroser
  • JSPSpy
  • Lazarus Group
  • T1505.003
  • T1021.001
  • T1213
  • T1082
  • T1105
  • T1083
  • T1219
  • T1132
  • T1190
  • T1133

Additional Information

  • China
  • United States of America