Malware: P.A.S. Webshell

Description

[P.A.S. Webshell](https://attack.mitre.org/software/S0598) is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.(Citation: ANSSI Sandworm January 2021)

External References

• mitre-attack
• ANSSI Sandworm January 2021
• NCCIC AR-17-20045 February 2017

Techniques Used by This Malware

• T1005 — Data from Local System
• T1027 — Obfuscated Files or Information
• T1046 — Network Service Discovery
• T1059 — Command and Scripting Interpreter
• T1070.004 — File Deletion
• T1071.001 — Web Protocols
• T1083 — File and Directory Discovery
• T1087.001 — Local Account
• T1105 — Ingress Tool Transfer
• T1110.001 — Password Guessing
• T1140 — Deobfuscate/Decode Files or Information
• T1213 — Data from Information Repositories
• T1222.002 — Linux and Mac File and Directory Permissions Modification
• T1505.003 — Web Shell
• T1518 — Software Discovery

APT Groups Using This Malware

• Sandworm Team
• Ember Bear