22 Mar 2021

Web shell attacks are on the rise

Around a year ago, Microsoft reported a global increase in web shell attacks. According to new data from Microsoft’s 365 Defender Team, the trend has not only continued but accelerated. Between August 2020 and January 2021, the team registered an average of 140,000 encounters on servers – double the 77,000 monthly average reported last year.

What are web shell attacks? 

Put simply, a web shell is a malicious piece of code or script that runs on a server, with the end goal of enabling remote control so that commands can be executed. Once successful, attackers can exfiltrate data, run backdoor commands and exploit businesses. As a result, security systems can be compromised, and sensitive data such as credentials and user information can be exposed.

Web shells have become a staple for attackers because they are particularly simple to implement. Attackers leverage businesses’ security gaps, mainly in web applications and internet-facing servers, and use them to their advantage.

The most common types of web shells are:

  • China Chopper
  • WSO
  • C99
  • B374K

DDoS Attacks

As well as using this type of attack for remote access, attackers can take it one step further and integrate servers into a botnet. This means the web shell is used to gain access, the server is added to a botnet, and the botnet is then used to launch Distributed Denial of Service (DDoS) attacks.


How does it work?

Attackers typically install web shells on servers by identifying security gaps in applications and internet-facing servers. These could be vulnerabilities around SQL injection, remote file inclusion, FTP or cross-site scripting, which can be part of a social engineering attack. Such a gap allows the attackers to upload a malicious script to the server.

Web shells are also hard to detect: it can be a long time before your business detects one, and the task is often compared to finding a needle in a haystack. The main challenges with detecting web shell attacks are around languages, context, intent and non-executable file formats.


Web shells can be written in multiple programming languages, and each language offers numerous commands and several methods for attacker input. Attackers can even hide instructions within the user agent string and the parameters that are passed during an exchange between the web server and the client.


Detecting web shells by analysing context can be challenging because the context isn’t visible until the shell is used by the attacker. Once the attacker does interact with the shell, the context starts to become known.

Another challenge in detecting web shells is identifying intent. Depending on the intent of the attack, a harmless-looking script can actually be malicious. When attackers can upload arbitrary input files into the web directory, they can upload a full-featured web shell designed to allow arbitrary code execution.

File-upload shells often go unnoticed because they’re unable to execute attackers’ commands on their own. Instead, they can only upload files, such as full-featured web shells, onto web servers. This is what makes them hard to detect, and it makes them a very common option for attackers during the early stages of exploitation.

Non-executable file formats

It’s also quite common for attackers to hide web shells in non-executable file formats, like media files. Detection is difficult because web servers are configured to execute server-side code. Attackers can hide web shell scripts within a photo and then upload it to a web server. The photo is technically deemed harmless when analysed on a workstation, but when a web browser asks a server for the file, the malicious code executes server side.
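
As one layer of defence for the upload case described above, the following check inspects an uploaded file's bytes rather than trusting its name. It is an added example, not code from the original post or from any product mentioned here; the function names, the marker list and the sample byte strings are assumptions constructed for illustration, and the marker list is not an exhaustive signature set.

```python
import re

# Magic bytes and permitted extensions for image types an upload form accepts.
IMAGE_TYPES = [
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
]

# Server-side script openers that have no reason to appear inside image data
# (assumed list for this example: PHP, JSP and ASP.NET markers).
SCRIPT_MARKERS = re.compile(
    rb"<\?php|<%@\s*page|<jsp:|<script[^>]*runat\s*=\s*[\"']?server",
    re.IGNORECASE,
)

def inspect_upload(name: str, data: bytes) -> dict:
    """Return findings for one uploaded file, judged by content and name."""
    kind, allowed = None, set()
    for magic, label, exts in IMAGE_TYPES:
        if data.startswith(magic):
            kind, allowed = label, exts
            break
    # Only the final extension matters: it decides which handler the server picks.
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    hits = [(m.start(), m.group().decode("ascii", "replace"))
            for m in SCRIPT_MARKERS.finditer(data)]
    findings = []
    if kind is None:
        findings.append("not-an-image")
    elif ext not in allowed:
        findings.append("extension-mismatch")  # e.g. photo.jpg.php
    if hits:
        findings.append("embedded-script-marker")
    return {"name": name, "type": kind, "findings": findings, "hits": hits}

# Constructed samples: a JPEG header plus filler bytes, one clean and one
# carrying an inert script open tag where image metadata would sit.
CLEAN = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 64 + b"\xff\xd9"
TAINTED = (b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00"
           + b"<?php /* constructed marker */ ?>" + b"\x11" * 32 + b"\xff\xd9")

if __name__ == "__main__":
    for fname, blob in [("holiday.jpg", CLEAN), ("avatar.jpg", TAINTED),
                        ("logo.png.php", TAINTED)]:
        print(inspect_upload(fname, blob))
```

A file that is flagged here is only dangerous if the server will run it, so the check belongs alongside serving uploads from a location where script execution is disabled.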


Protecting your business from web shell attacks

Endpoint Detection and Response (EDR)

The simple answer is an effective and responsive EDR solution. It’s time to call it quits with your traditional anti-virus solution. To keep up with the modern threat landscape and the evolving threat vectors, traditional anti-virus will no longer be effective, and it certainly isn’t strong enough to stop attackers from bypassing it.

Instead, consider investing in an EDR solution like Securyx – an enhanced endpoint security service that provides protection, resilience and business continuity. Unlike traditional anti-virus products, Securyx works to detect and respond, focusing on preventing a threat before it becomes an issue.

Because of the way web shells are built, static analysis isn’t effective, and it’s pretty easy for attackers to modify web shells and bypass static protections. That’s why you need multiple layers of protection to detect and fight against such threats.

If you’re looking to find out more about web shell attacks, or you’re simply looking to find out how you can improve your cyber security, contact us today!


By OryxAlign