
Framework Architecture

This webshell framework consists of two primary components:
  1. Python C2 Interface - Client-side command and control scripts that communicate with deployed webshells
  2. ASP Webshells - Server-side scripts deployed on compromised IIS/ASP.NET servers

Command & Control Structure

The framework uses a Python-based interface to manage multiple compromised targets through an interactive shell. The C2 infrastructure includes:
  • Target Selection Menu - Multiple pre-configured targets with hardcoded URLs
  • Command Encoding - Custom character substitution cipher to obfuscate commands
  • HTTP-based Communication - Commands transmitted via HTTP headers
  • Interactive Shell - readline-based interface for operator interaction

Communication Protocol

Commands are transmitted through HTTP request headers rather than the request body, specifically using the Accept-Language header to avoid detection:

headers = {
    "Accept-Captcha": "am=JgAAgP7jP38JwxmUgBgbuF8P_Nmlh2EEBhzhIQOBCEgGdAeWqYD_xNXr3UBFH35AAgACOJqOmhmdA2KVQwAEsGJYhhEAAAAAAAAAAA",
    "Accept-Language": "whoami",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
}

The Accept-Captcha header contains a static token, while Accept-Language carries the actual command payload.

Target Infrastructure

The framework was configured to target multiple organizations:

Target 1: uniforms.flydubai.com

TargetURL = "https://uniforms.flydubai.com/images/flash/test9/m0s.phto"
  • Webshell disguised as a photo file
  • Uses custom encoding for command obfuscation

Target 2: jordandesert.org.jo

TargetURL = "http://www.jordandesert.org.jo/CMS/Uploads/m0s.aspx"
  • Deployed in CMS upload directory
  • ASPX extension for IIS/ASP.NET compatibility

Target 3: 193.188.88.156

TargetURL = "http://193.188.88.156/images/m0s.php"
  • Direct IP access
  • PHP extension (likely a misconfiguration, or a different variant of the shell)

Webshell Variants

Three ASP webshell variants were identified:
File          Encoding                 Complexity  Purpose
m0s.asp       Custom decode function   High        Primary webshell with obfuscation
webshell.asp  None (plaintext)         Low         Backup shell, direct command execution
file.asp      None (plaintext)         Low         Simple command execution shell

Operational Security

The framework demonstrates several OPSEC characteristics:
  • Custom encoding scheme to evade signature-based detection
  • HTTP header tunneling instead of POST data
  • Legitimate user-agent strings mimicking Chrome browser
  • 404 responses when no command is present (so the page looks broken to a casual visitor or scanner)
  • Hidden webshell placement in image/upload directories

Detection Indicators

Network Indicators

  • Unusual Accept-Language header values (encoded commands)
  • Static Accept-Captcha header: am=JgAAgP7jP38JwxmUgBgbuF8P_Nmlh2EEBhzhIQOBCEgGdAeWqYD_xNXr3UBFH35AAgACOJqOmhmdA2KVQwAEsGJYhhEAAAAAAAAAAA
  • GET requests to image/upload directories returning command output
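The following is an added detection example, not code from the page or from the framework it describes. It turns the Communication Protocol section and the network indicators above into checks that can be run over parsed web-server requests: the static Accept-Captcha token quoted on the page, Accept-Language values that do not look like language tags (plain or encoded commands fail a simple BCP 47 shape check), and GET requests for m0s.* files under image or upload directories. The Request class, the sample requests and the two-to-three-letter primary-subtag heuristic are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Static token quoted on the page as the C2 client's Accept-Captcha value.
KNOWN_CAPTCHA_TOKEN = (
    "am=JgAAgP7jP38JwxmUgBgbuF8P_Nmlh2EEBhzhIQOBCEgGdAeWqYD_xNXr3UBFH35AAgAC"
    "OJqOmhmdA2KVQwAEsGJYhhEAAAAAAAAAAA"
)

# Practical shape of a language tag: "*" or a 2-3 letter primary subtag followed by
# optional dash-separated subtags. Commands such as "whoami" and encoded blobs fail
# this because their first subtag is too long or contains characters like "_".
LANG_TAG = re.compile(r"^(\*|[A-Za-z]{2,3}(-[A-Za-z0-9]{1,8})*)$")

# Drop locations listed on the page and the shell's file stem.
SUSPECT_DIRS = ("/images/", "/flash/", "/uploads/")
SHELL_STEM = "m0s."


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # header names are normalised to lowercase below

    def __post_init__(self):
        self.headers = {k.lower(): v for k, v in self.headers.items()}


def accept_language_is_wellformed(value: str) -> bool:
    """True when every comma-separated entry (ignoring ;q= weights) looks like a language tag."""
    for entry in value.split(","):
        tag = entry.split(";", 1)[0].strip()
        if not tag or not LANG_TAG.match(tag):
            return False
    return True


def inspect_request(req: Request) -> list[str]:
    """Return the list of indicators this request matches (empty when it looks benign)."""
    findings = []
    captcha = req.headers.get("accept-captcha")
    if captcha is not None:
        # Accept-Captcha is not a standard header at all; the exact token is a stronger hit.
        if captcha == KNOWN_CAPTCHA_TOKEN:
            findings.append("known C2 Accept-Captcha token")
        else:
            findings.append("non-standard Accept-Captcha header")
    lang = req.headers.get("accept-language")
    if lang is not None and not accept_language_is_wellformed(lang):
        findings.append(f"malformed Accept-Language: {lang[:40]!r}")
    lower = req.path.lower()
    basename = lower.rsplit("/", 1)[-1]
    if basename.startswith(SHELL_STEM) and any(d in lower for d in SUSPECT_DIRS):
        findings.append(f"request for {SHELL_STEM}* under image/upload directory: {req.path}")
    return findings


def scan(requests: list[Request]) -> dict[int, list[str]]:
    """Map request index -> findings, keeping only requests that matched something."""
    return {i: f for i, r in enumerate(requests) if (f := inspect_request(r))}


CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/120.0.0.0 Safari/537.36")

# Constructed sample traffic: one ordinary browser request, the header set quoted on the
# page, an encoded-looking payload without the token, and a wildcard Accept-Language.
SAMPLE_REQUESTS = [
    Request("GET", "/index.html", {"Accept-Language": "en-US,en;q=0.9", "User-Agent": CHROME_UA}),
    Request("GET", "/images/flash/test9/m0s.phto",
            {"Accept-Captcha": KNOWN_CAPTCHA_TOKEN, "Accept-Language": "whoami", "User-Agent": CHROME_UA}),
    Request("GET", "/CMS/Uploads/m0s.aspx",
            {"Accept-Language": "JgAAgP7jP38JwxmUgBgbuF8P_Nmlh2E", "User-Agent": CHROME_UA}),
    Request("GET", "/images/logo.png", {"Accept-Language": "*", "User-Agent": CHROME_UA}),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS).items():
        print(SAMPLE_REQUESTS[idx].path, "->", "; ".join(findings))
```

The User-Agent is deliberately not used as an indicator: the page notes the client mimics a current Chrome string, so it only helps as context once a header-based hit has been made. Feeding real traffic into this means parsing your proxy or IIS logs into Request objects; note that default IIS W3C logging does not record Accept-Language or custom headers, so those fields must be enabled (or captured at a proxy or WAF) for the header checks to fire.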

Host Indicators

  • ASP files in unexpected locations (images/, flash/, Uploads/)
  • Files named m0s.* with various extensions
  • WScript.Shell object creation in ASP pages
  • cmd /c execution patterns
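An added host-side example for the indicators above; it is not code from the page and makes no claim about the real webshells' contents. It walks a web root (or an in-memory set of files, used here for the constructed sample) and flags ASP scripts inside image or upload directories, files whose stem is m0s regardless of extension, the WScript.Shell and cmd /c strings, and server-side script markers inside a file whose extension says it is not a script. The directory names, extension list and sample files are assumptions of this example, and the sample fragment is a non-functional stand-in that merely contains the indicator strings.

```python
import os
from pathlib import PurePosixPath

SUSPECT_DIRS = {"images", "flash", "uploads"}     # compared case-insensitively
SCRIPT_EXTS = {".asp", ".aspx", ".asa", ".ashx"}  # assumed ASP-family extensions
SHELL_STEM = "m0s"
CONTENT_MARKERS = ("wscript.shell", "cmd /c")     # host indicators from the page


def inspect_file(relpath: str, content: str) -> list[str]:
    """Return the indicators a single file matches; relpath uses forward slashes."""
    p = PurePosixPath(relpath)
    parent_dirs = {part.lower() for part in p.parent.parts}
    ext = p.suffix.lower()
    findings = []
    if ext in SCRIPT_EXTS and parent_dirs & SUSPECT_DIRS:
        findings.append(f"ASP script under {'/'.join(p.parent.parts)}")
    if p.stem.lower() == SHELL_STEM:
        findings.append(f"suspicious file name {p.name}")
    lowered = content.lower()
    hits = [m for m in CONTENT_MARKERS if m in lowered]
    if hits:
        findings.append("content markers: " + ", ".join(hits))
        if ext not in SCRIPT_EXTS:
            # The page's primary shell was served as m0s.phto: script content, non-script name.
            findings.append(f"script markers in non-script extension {ext or '(none)'}")
    return findings


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Scan an in-memory mapping of relative path -> text content."""
    return {path: f for path, content in files.items() if (f := inspect_file(path, content))}


def scan_webroot(root: str, max_bytes: int = 1_000_000) -> dict[str, list[str]]:
    """Scan a real directory tree; only the first max_bytes of each file are inspected."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            if (f := inspect_file(rel, text)):
                results[rel] = f
    return results


# Constructed sample web root. The m0s.phto body is an inert fragment containing the
# marker strings; the m0s.aspx body is left without markers to show that an obfuscated
# variant is caught only by its location and name, not by content matching.
SAMPLE_FILES = {
    "images/flash/test9/m0s.phto": (
        "<%\n' constructed fragment, not a working page\n"
        'Set sh = CreateObject("WScript.Shell")\nprefix = "cmd /c "\n%>'
    ),
    "CMS/Uploads/m0s.aspx": '<%@ Page Language="VB" %>\n<% \' encoded body omitted %>',
    "Default.aspx": '<%@ Page Language="C#" %>\n<html><body>Welcome</body></html>',
    "images/logo.png": "\x89PNG\r\n\x1a\n(constructed binary stand-in)",
    "admin/maint.asp": '<% Set sh = Server.CreateObject("WScript.Shell") %>',
}

if __name__ == "__main__":
    for path, findings in scan_files(SAMPLE_FILES).items():
        print(path, "->", "; ".join(findings))
```

The admin/maint.asp hit shows why the indicators are meant to be combined: WScript.Shell in a legitimate administrative script is a triage item, while a non-script file under images/ that contains the same string, or any m0s.* file, is a much stronger signal. Run scan_webroot against a copy of the site root taken during response rather than the live server so the scan itself does not disturb timestamps.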

Next Steps

For detailed analysis:
