Picus Threat Library Is Updated for Godzilla Webshell Used by APTs Exploiting CVE-2021-44077

Picus Labs has updated the Picus Threat Library with new attack methods for the Godzilla webshell used by APT (advanced persistent threat) actors exploiting the CVE-2021-44077 unauthenticated remote code execution (RCE) vulnerability in Zoho ManageEngine ServiceDesk Plus, an IT help desk product with asset management features.

Godzilla Webshell

US CISA (Cybersecurity and Infrastructure Security Agency) and the Federal Bureau of Investigation (FBI) issued a joint alert (AA21-336A) on December 2, 2021, highlighting ongoing malicious cyber activity by APT actors exploiting the CVE-2021-44077 RCE vulnerability in Zoho ManageEngine ServiceDesk Plus versions 11305 and below. As Palo Alto Networks Unit 42 researchers also stated in their blog post, although there is no publicly available proof of concept (PoC) exploit for this vulnerability, threat actors have figured out how to exploit unpatched versions of the software.

Following successful exploitation of CVE-2021-44077, the APT actors write the Godzilla webshell to disk for initial persistence and data exfiltration. As an open source webshell, Godzilla is publicly available for download on GitHub. Although it was developed for red team engagements, threat actors also use the Godzilla webshell in their attack campaigns because it provides more functionality than similar webshells such as China Chopper. For example, it encrypts its command and control (C2) traffic with AES, which helps it evade network-based detection. JSP (JavaServer Pages), C#, PHP and ASP versions of Godzilla are available in its GitHub repository. In this attack campaign, the APT group used modified JSP versions of the webshell.
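A defender-side hunt for the behaviour described above (a JSP webshell written to disk under the ServiceDesk Plus web root), added here as an example and not Picus code: it hashes every web script under a directory against a known-bad set and also flags scripts modified recently, since a dropped webshell is a new file in an otherwise static application tree. The IOC set, file names and sample contents are constructed placeholders; populate the set from the published indicators.

```python
"""Hunt for JSP webshells dropped under a web root (added example, not Picus code)."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Constructed placeholder; populate from the vendor's published IOC list.
KNOWN_BAD_HASHES = {"0" * 64}
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".class", ".war"}


def file_hashes(path):
    """Return SHA-256, SHA-1 and MD5 hex digests, the three forms IOC lists publish."""
    digests = {"sha256": hashlib.sha256(), "sha1": hashlib.sha1(), "md5": hashlib.md5()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def scan_webroot(root, known_bad=KNOWN_BAD_HASHES, max_age_days=7, now=None):
    """Return sorted (path, reason) findings for web scripts under root."""
    # A recent mtime is flagged even without a hash match: modified variants
    # (as used in this campaign) will not match published hashes.
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            if path.suffix.lower() not in SCRIPT_EXTENSIONS:
                continue
            if known_bad & set(file_hashes(path).values()):
                findings.append((str(path), "hash matches known IOC"))
            elif now - path.stat().st_mtime < max_age_days * 86400:
                findings.append((str(path), "script modified recently"))
    return sorted(findings)


def demo():
    """Constructed sample tree: one year-old page, one fresh IOC match, one fresh unknown."""
    root = Path(tempfile.mkdtemp())
    old = root / "index.jsp"
    old.write_text("<%= new java.util.Date() %>")
    os.utime(old, (time.time() - 365 * 86400,) * 2)  # backdate the legitimate page
    dropped = root / "custom" / "shell.jsp"
    dropped.parent.mkdir()
    dropped.write_text("<%-- constructed stand-in for a dropped file --%>")
    fresh = root / "new.jsp"
    fresh.write_text("<%-- constructed, recently modified --%>")
    return scan_webroot(root, known_bad={file_hashes(dropped)["sha256"]})
```

Run `demo()` to see the two findings; in production, point `scan_webroot` at the application's web root and feed `known_bad` from the vendor IOC list.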

Attack Simulation

You can test your security controls against the Godzilla webshell using the Picus Continuous Security Validation Platform. Picus Labs advises you to simulate Godzilla webshell attacks and determine the effectiveness of your security controls against this webshell. The Picus Threat Library includes the following Godzilla webshell attacks used in the attack campaign of the APT actors exploiting the CVE-2021-44077 unauthenticated RCE vulnerability in Zoho ManageEngine ServiceDesk Plus.

Picus ID | Threat Name
415652   | Godzilla JSP Based WebShell Upload to Web Server Variant-1
362452   | Godzilla JSP Based WebShell Upload to Web Server Variant-2

Picus Labs also added the following threats used in the same campaign:

Picus ID | Threat Name
716603   | Godzilla Malware Dropper .EXE File Download Variant-1
647927   | Godzilla Malware Dropper .EXE File Download Variant-2
382034   | NGLite Backdoor .EXE File Download Variant-5
369786   | NGLite Backdoor .EXE File Download Variant-6
538948   | KdcSponge Trojan .DLL File Download Variant-1

Verified Indicators of Compromise (IOCs)
