The article below is a follow-up to the analysis titled ‘Intrusion into Middle East Critical National Infrastructure’ (full report here), conducted by the FortiGuard Incident Response Team (FGIR)[1], which investigated a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East.
The Fortinet report revealed that the threat actors had installed numerous web shells on the compromised system. In this follow-up, analysts conducted an in-depth analysis of one of these web shells, named UpdateChecker.aspx, which was deployed on the Microsoft IIS (Internet Information Services) server of the compromised system.
[1] https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf
Link to full report: IR-25-209-002_ShellScript.pdf