Connect with us

Hi, what are you looking for?



CISA Shares Details on Web Shells Employed by Iranian Hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released a malware analysis report (MAR) detailing web shells employed by Iranian hackers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released a malware analysis report (MAR) detailing web shells employed by Iranian hackers.

Web shells provide the hackers with the ability to execute code on the victim systems, enumerate directories, deploy additional payloads, steal data, and navigate the victim network. Additional components can be employed to expand the attacker’s command and control (C&C) capabilities.

CISA’s report reveals that an Iranian threat actor targeting IT, government, healthcare, financial, and insurance organizations across the United States was observed employing the ChunkyTuna, Tiny, and China Chopper web shells in their attacks.

The same actor, the report reveals, was observed targeting well-known vulnerabilities, including those in Pulse Secure virtual private network (VPN), Citrix Application Delivery Controller (ADC) and Gateway, and F5’s BIG-IP ADC products.

At the end of August, Crowdstrike revealed that the Iran-based cyber-espionage group known as PIONEER KITTEN, PARISITE, UNC757, and FOX KITTEN, which is believed to be operating on behalf of the Iranian government, has been targeting the same vulnerabilities in opportunistic attacks on numerous sectors.

CISA, which does not name the Iranian threat actor referenced in their new report, details the functionality of 19 malicious files, many of which are components of the China Chopper web shell.

The web shell supports the delivery and execution of JavaScript code, but also includes components to listen for incoming HTTP connections from the attacker server (an application service provider (ASP) application), and to enable directory enumeration, payload execution, and data exfiltration capabilities.

A version of the open source project FRP was also employed, for the tunneling of various types of connections (a February 2020 ClearSky report also revealed the use of FRP in FOX KITTEN attacks), and a PowerShell shell script was used to access encrypted credentials stored by Microsoft’s KeePass password management software.

Advertisement. Scroll to continue reading.

“The adversary may have used the ‘FRP’ utility to tunnel outbound Remote Desktop Protocol (RDP) sessions, allowing persistent access to the network from outside the firewall perimeter. The China Chopper web shell also provides the persistent ability to navigate throughout the victim’s network when inside the perimeter. Leveraging the ‘KeeThief’ utility allows access to sensitive user password credentials and potentially the ability to pivot to user accounts outside of the victim’s network,” CISA says.

CISA’s report also details 7 additional files that were identified as ChunkyTuna and Tiny web shells, and which are meant to provide operators with the ability to pass commands and data from remote servers.

Related: Iranian Hackers Target Critical Vulnerability in F5’s BIG-IP

Related: Iranian Hackers Exploited Enterprise VPN Flaws in Major Campaign

Related: Iran-Linked Hackers Accidentally Exposed 40 GB of Their Files

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.