Deobfuscation Webshell Backdoor

Naufal Arkaan
MII Cyber Security Consulting Services
4 min read, Apr 4, 2022
Hacked! http://lastc0de.blogspot.com/2013/07/apa-itu-webshellbackdoor.html

Recently, my team and I handled several defacement cases involving web application environments. We started by analyzing the web environment to understand what was going on in the system, and the most interesting finding was the sheer number of webshell backdoors present, one of which used an obfuscation method.

Obfuscated webshell backdoor

Deobfuscating the webshell backdoor began with examining all of the obfuscated code in the webshell source. Going to the end of the source, I found the piece of code shown below.

Interesting function in the webshell backdoor

Starting from the innermost part of the code, we can see that the inner variable is $gz, which was declared at the beginning of the obfuscated code. The value assigned to $gz is shown below.

Obfuscated $gz variable

From the base64_decode($gz) call seen earlier, I realized that the $gz value was obfuscated with base64 encoding, so I used CyberChef to decode it.

CyberChef Decode

The decoded value of $gz is:

eval("?>".gzuncompress(gzuncompress(gzinflate(gzinflate(gzinflate(base64_decode(strrev($gzinflate))))))));

The next step in deobfuscating the webshell is to apply the same logic to the decoded $gz code. The variable $gzinflate is replaced by its value, and by looking at the code you can tell it makes use of strrev, base64_decode, gzinflate and gzuncompress.

$gzinflate value substituted

We used the online PHP decoder UnPHP (https://www.unphp.net/), because this webshell is written in PHP. Simply paste the eval statement into the UnPHP decoder and click the Decode This PHP button.

Deobfuscating the webshell

After that, we can see the decoded result.

Decoding result using UnPHP

Finally, we could see that the obfuscated source code is a malicious uploader shell form by RevoLutioN Namesis.

This deobfuscation method can also help you recover the password of a webshell from its source code when the webshell is both obfuscated and password-protected.

In another example, I found the path of a webshell backdoor, but access to the webshell was password-protected.

Password-protected webshell backdoor

So I checked the source code of the webshell, but it was obfuscated.

Obfuscated webshell

We can use the UnPHP decoder to deobfuscate the source code.

Result of deobfuscating the source code with UnPHP

We can see the result, but unfortunately the source code is still obfuscated, so we need to deobfuscate it again to see the real source code; there we may find the password used to access the webshell.

As before, we can look at the eval function on the bottom line of the code; it operates on the $Cyber variable.

$Cyber variable passed to the eval function

The eval function calls base64_decode on $Cyber, so the obfuscation method is base64. We can use CyberChef to decode the $Cyber value.

Decoded $Cyber value

The decoded value of $Cyber is:

eval("?>".gzuncompress(gzuncompress(gzinflate(gzinflate(gzinflate(base64_decode(strrev($Crime))))))));

The next step is to repeat the same logic on the decoded $Cyber code. The variable $Crime is replaced by its value, and by looking at the code you can tell it makes use of gzuncompress; we can then use the UnPHP decoder to deobfuscate it.
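Both eval lines above ($gz/$gzinflate and $Cyber/$Crime) wrap the payload in the same seven-layer stack, which an analyst can unwind offline without ever running the eval. The following Python script is an added example, not code from the original post or from either webshell: it parses the nested call out of the eval line, applies the Python equivalents of the PHP decoders innermost first, and builds its own constructed fixture from a placeholder PHP string (the source and $Mypass value in it are made up for the demo).

```python
import base64
import re
import zlib

# Python equivalents of the PHP functions the webshell nests inside eval().
# Applying them ourselves recovers the source without ever executing it.
PHP_DECODERS = {
    "strrev": lambda b: b[::-1],
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, like PHP gzinflate()
    "gzuncompress": zlib.decompress,                 # zlib-wrapped, like PHP gzuncompress()
}

def parse_chain(eval_line):
    """Read the nested call and return the decoders innermost first, i.e. the
    order they must be applied. Names we do not know (eval, echo, ...) are skipped."""
    names = re.findall(r"(\w+)\s*\(", eval_line)
    return [n for n in reversed(names) if n in PHP_DECODERS]

def unwrap(payload, chain, max_layers=16):
    """Apply the chain to the raw variable value; refuse absurd layer counts."""
    if len(chain) > max_layers:
        raise ValueError("suspiciously deep chain: %d layers" % len(chain))
    data = payload
    for fn in chain:
        data = PHP_DECODERS[fn](data)
    return data

# --- constructed fixture: the forward transforms that produce such a payload ---
def gzdeflate(b):
    c = zlib.compressobj(wbits=-15)   # raw DEFLATE, like PHP gzdeflate()
    return c.compress(b) + c.flush()

def build_sample(plain):
    data = zlib.compress(zlib.compress(plain))   # gzcompress x2
    for _ in range(3):
        data = gzdeflate(data)                   # gzdeflate x3
    return base64.b64encode(data)[::-1]          # base64_encode, then strrev

# Eval line as seen in the post; the PHP source below is a made-up placeholder.
EVAL_LINE = ('eval("?>".gzuncompress(gzuncompress(gzinflate(gzinflate(gzinflate('
             'base64_decode(strrev($Crime))))))));')
SAMPLE_SOURCE = b'<?php $Mypass = "constructed-example"; echo "recovered"; ?>'

if __name__ == "__main__":
    chain = parse_chain(EVAL_LINE)
    print("layers (innermost first):", " -> ".join(chain))
    print(unwrap(build_sample(SAMPLE_SOURCE), chain).decode())
```

Swap SAMPLE_SOURCE for the real variable value read out of the file (as bytes) and the same unwrap() call yields the plaintext shell source for review.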

Deobfuscating the webshell with UnPHP

We can see the deobfuscated webshell. The real source code reveals it to be the F3RGUSO SH3LL webshell.

Deobfuscated webshell result

The $Mypass variable holds the webshell password, p@ssw4rd, so we can enter it in the webshell's password field and access the webshell backdoor.

Webshell successfully accessed.

Typically, a threat actor obfuscates their webshell backdoor to keep analysts from reading the source code, so that the analyst cannot determine what the webshell does or what the threat actor is trying to accomplish. The analyst must therefore deobfuscate the webshell.

That’s all for now, Thank you and Stay Secure!
