
According to findings from the Microsoft Defender Security Research Team, threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to remotely execute code.
“Rather than exposing command execution through URL parameters or the request body, these web shells rely on cookie values provided by threat actors to gate execution, pass instructions, and activate malicious functionality,” the tech giant said.
This approach provides additional stealth by allowing the malicious code to remain dormant during normal application execution and only activate web shell logic when certain cookie values are present. Microsoft notes that this behavior also extends to web requests, scheduled tasks, and trusted background workers.
This malicious activity takes advantage of the fact that the cookie value is available through the $_COOKIE superglobal variable at runtime, allowing the attacker to consume the supplied input without any additional parsing. Additionally, because the cookie values blend in with normal web traffic, the technique is unlikely to raise red flags and leaves little for defenders to see in application logs.
There are various implementations of cookie-controlled execution models:
- A PHP loader that uses multiple layers of obfuscation and runtime checks before parsing structured cookie input to execute encoded secondary payloads.
- A PHP script that segments structured cookie data to rebuild operational components such as file processing and decoding functions, and conditionally writes and executes secondary payloads to disk.
- A PHP script that uses a single cookie value as a marker to trigger a threat actor-controlled action, such as executing provided input or uploading a file.
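As a defender-side illustration of the $_COOKIE gating described above, the following added example (not code from Microsoft's report) rates PHP sources by whether they hand cookie input to an execution or file-write sink, the kind of check behind "look for suspicious files in the web directory". The file paths and PHP snippets are constructed for the demo; a plain cookie read, which every session or theme handler performs, is deliberately not flagged.

```python
import re

# Constructed sample PHP sources for this demo (not samples from the report):
# a normal cookie read, a gated loader that decodes a cookie and later evals
# it, and a marker-cookie file that writes the cookie payload to disk.
SAMPLES = {
    "/var/www/html/index.php": (
        "<?php\nsession_start();\n"
        "$theme = $_COOKIE['theme'] ?? 'light';\n"
        "echo 'theme=' . htmlspecialchars($theme);\n"),
    "/var/www/html/uploads/cache.php": (
        "<?php\nif (!isset($_COOKIE['_sid']) || $_COOKIE['_sid'] !== 'k7x') { return; }\n"
        "$p = gzinflate(base64_decode($_COOKIE['_p']));\n"
        "eval($p);\n"),
    "/var/www/html/uploads/.tmp.php": (
        "<?php\nif (isset($_COOKIE['go'])) {\n"
        "  file_put_contents('/tmp/l.php', base64_decode($_COOKIE['go']));\n}\n"),
}

COOKIE_RE = re.compile(r"\$_COOKIE\b")
# Execution and file-write sinks that a cookie-gated shell hands data to.
SINK_RE = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|proc_open|popen|"
    r"create_function|file_put_contents|fwrite|move_uploaded_file)\s*\(")
# A sink whose statement (up to the ';') contains $_COOKIE directly.
DIRECT_RE = re.compile(SINK_RE.pattern + r"[^;]*\$_COOKIE\b")


def assess_php(source: str) -> dict:
    """'high': a sink consumes $_COOKIE in the same statement; 'medium': the
    file reads $_COOKIE and has a sink elsewhere (gate-then-eval shape);
    'none': a cookie read alone, as every session or theme handler does."""
    sinks = sorted(set(SINK_RE.findall(source)))
    direct = sorted(set(DIRECT_RE.findall(source)))
    reads_cookie = COOKIE_RE.search(source) is not None
    if direct:
        level = "high"
    elif reads_cookie and sinks:
        level = "medium"
    else:
        level = "none"
    return {"level": level, "sinks": sinks, "direct": direct}


def scan(files: dict) -> dict:
    """Return {path: level} for every file rated above 'none'."""
    rated = {path: assess_php(src)["level"] for path, src in files.items()}
    return {path: lvl for path, lvl in rated.items() if lvl != "none"}
```

On a real server the dictionary would be filled by reading every .php file under the document root; heavily obfuscated loaders may hide the sink names themselves, so treat this as a triage aid rather than a complete detector.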
In at least one case, threat actors have been found to use valid credentials or exploit known security vulnerabilities to gain initial access to a victim-hosted Linux environment. They then set up a cron job that periodically calls a shell routine, which in turn runs an obfuscated PHP loader.

This “self-healing” architecture allows scheduled tasks to repeatedly recreate the PHP loader even if it is removed as part of a cleanup or repair effort, creating a reliable and persistent remote code execution channel. Once the PHP loader is deployed, it remains inactive during normal traffic and starts working when it receives an HTTP request with a specific cookie value.
“By shifting execution control to cookies, the web shell remains hidden from normal traffic and is activated only during intentional interactions,” Microsoft added. “By separating persistence through cron-based re-creation from execution control through cookie-gate activation, the attackers reduced operational noise and limited the metrics observable in daily application logs.”
What all of the aforementioned implementations have in common is obfuscation to hide sensitive functionality while leaving a minimal interactive footprint, and the use of cookie-based gates to trigger malicious actions.
To combat this threat, Microsoft recommends the following:
- Enforce multi-factor authentication for hosting control panels, SSH access, and administrative interfaces.
- Monitor for unusual login activity.
- Restrict shell interpreter execution.
- Audit cron jobs and scheduled tasks across your web servers.
- Check for suspicious files in your web directory.
- Limit the hosting control panel's shell functionality.
“The consistent use of cookies as a control mechanism suggests a reuse of established web shell tradecraft,” Microsoft said. “By moving control logic to cookies, attackers can gain persistent access post-compromise and bypass many traditional inspection and logging controls.”
“Rather than relying on complex exploit chains, the attackers leveraged legitimate execution paths already present in the environment, including web server processes, control panel components, and cron infrastructure, to stage and store their malicious code.”
