
"Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution, pass instructions, and activate malicious functionality."
"The approach offers added stealth as it allows malicious code to stay dormant during normal application execution and activate the web shell logic only when specific cookie values are present."
"The cookie-controlled execution model comes in different implementations, including a PHP loader that uses multiple layers of obfuscation and runtime checks before parsing structured cookie input to execute an encoded secondary payload."
Threat actors are increasingly using HTTP cookies as the control channel for PHP-based web shells on Linux servers, obtaining remote code execution while the shell stays dormant during normal operations and activates only when specific cookie values are present. The technique leverages PHP's $_COOKIE superglobal: the interpreter splits the Cookie request header into key/value pairs before any script code runs, so the shell consumes attacker-supplied input without parsing code of its own, and the values never appear in URL parameters or request bodies, which are routinely captured in access logs and inspected by web application firewalls (cookies are usually not logged by default). Various implementations exist, including multi-layer obfuscated PHP loaders that decode a secondary payload from structured cookie input, scripts that reassemble a payload segmented across several cookies, and scripts that act on a single cookie value.
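The cookie-driven execution model described above is easiest to see from the defender's side. What follows is an added example, not code from the article or from any of the shells it describes: a heuristic static scanner in Python that tracks data from $_COOKIE through variable assignments into PHP code- and command-execution sinks and variable function calls, and records the decoder calls and gating checks around them. The three PHP inputs are constructed for this example (the hash literal, cookie names and variable names are placeholders), and the sink and decoder lists are my own selection.

```python
"""Heuristic static scan for cookie-gated PHP web shells (added example).

Flags PHP source where data read from $_COOKIE, directly or through variables
assigned from it, reaches an execution sink; notes decoders and gating checks.
"""
import re
from dataclasses import dataclass

SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru", "popen",
         "proc_open", "create_function", "call_user_func", "call_user_func_array")
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "gzdecode",
            "str_rot13", "strrev", "hex2bin", "urldecode", "rawurldecode")

COOKIE_RE = re.compile(r"\$_COOKIE\b")
VAR_RE = re.compile(r"\$(\w+)")
# "$name = expr;" or "$name .= expr;"  (excludes ==, === and =>)
ASSIGN_RE = re.compile(r"\$(\w+)\s*(\.?=)(?![=>])\s*(.+?);")
SINK_RE = re.compile(r"\b(%s)\s*\(" % "|".join(SINKS))
DYNCALL_RE = re.compile(r"\$(\w+)\s*\(")  # $f(...) variable function call
GATE_RE = re.compile(r"\b(if|isset|empty|array_key_exists|md5|sha1|hash|strcmp)\b[^;]*\$_COOKIE")


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    via: tuple       # "$_COOKIE" and/or names of variables tainted by it
    decoders: tuple  # decoder calls on the same line; layered encoding is a strong signal
    gated: bool      # a cookie-value check was seen at or before this line


def _refs(expr, tainted):
    """Names through which cookie data enters `expr`, in order of appearance."""
    names = ["$_COOKIE"] if COOKIE_RE.search(expr) else []
    for m in VAR_RE.finditer(expr):
        if m.group(1) in tainted and m.group(1) not in names:
            names.append(m.group(1))
    return names


def _call_args(line, open_idx):
    """Text between the '(' at open_idx and its balancing ')'."""
    depth = 0
    for i in range(open_idx, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                return line[open_idx + 1:i]
    return line[open_idx + 1:]


def scan_php_source(src):
    lines = src.splitlines()
    tainted = set()
    for _ in range(2):  # second pass catches taint that flows backwards through a loop
        for line in lines:
            for name, _op, rhs in ASSIGN_RE.findall(line):
                if _refs(rhs, tainted):
                    tainted.add(name)
    findings, gate_seen = [], False
    for no, line in enumerate(lines, 1):
        gate_seen = gate_seen or bool(GATE_RE.search(line))
        decoders = tuple(d for d in DECODERS if re.search(r"\b%s\s*\(" % d, line))
        for m in SINK_RE.finditer(line):  # named sink with tainted argument
            via = _refs(_call_args(line, m.end() - 1), tainted)
            if via:
                findings.append(Finding(no, m.group(1), tuple(via), decoders, gate_seen))
        for m in DYNCALL_RE.finditer(line):  # $f(...) with $f or its argument tainted
            name = m.group(1)
            via = _refs(_call_args(line, m.end() - 1), tainted)
            if name in tainted or via:
                findings.append(Finding(no, "$%s()" % name, tuple(via) or (name,), decoders, gate_seen))
    return findings


# Constructed samples for this example, not real-world shells; literals are placeholders.
SAMPLES = {
    "single_cookie_trigger": """<?php
if (isset($_COOKIE['s']) && md5($_COOKIE['s']) === 'placeholder-hash') {
    eval(base64_decode($_COOKIE['p']));
}
""",
    "segmented_cookies": """<?php
$d = '';
foreach (['c0', 'c1', 'c2'] as $k) {
    $d .= $_COOKIE[$k];
}
$f = 'ass' . 'ert';
@$f(gzinflate(base64_decode($d)));
""",
    "benign_preference": """<?php
$lang = isset($_COOKIE['lang']) ? $_COOKIE['lang'] : 'en';
if (!in_array($lang, ['en', 'de', 'fr'], true)) {
    $lang = 'en';
}
echo htmlspecialchars($lang);
""",
}


def scan_samples():
    return {name: scan_php_source(src) for name, src in SAMPLES.items()}
```

Running `scan_samples()` reports one finding for the single-cookie shell (eval fed from $_COOKIE through base64_decode, behind a hash gate), one for the segmented variant (a variable function call whose argument is built by concatenating three cookies and unwrapped with two decoders, with no gate), and nothing for the language-preference script, which reads a cookie but never passes it to an execution sink. The scanner is a triage filter, not a verdict: loaders that assemble the superglobal name at runtime (for example through `$GLOBALS` or string concatenation) or spread the chain across `include`d files will slip past these regexes, so pair it with file-integrity monitoring on the document root and with sampling of Cookie headers at the reverse proxy for the hosts it flags.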
Read at The Hacker News