Picus Labs has updated the Picus Threat Library with new attack methods for the Godzilla webshell used by APT (advanced persistent threat) actors exploiting the CVE-2021-44077 unauthenticated remote code execution (RCE) vulnerability in Zoho ManageEngine ServiceDesk Plus, an IT help desk product with asset management features.
Godzilla Webshell
US CISA (Cybersecurity and Infrastructure Security Agency) and the Federal Bureau of Investigation (FBI) issued a joint alert (AA21-336A) on December 2, 2021, highlighting ongoing malicious cyber activity by APT actors exploiting the CVE-2021-44077 RCE vulnerability in Zoho ManageEngine ServiceDesk Plus versions 11305 and below. As Palo Alto Networks Unit 42 researchers also noted in their blog post on the campaign, although there is no publicly available proof-of-concept (PoC) exploit for this vulnerability, threat actors have figured out how to exploit unpatched versions of the software.
Following successful exploitation of CVE-2021-44077, the APT actors write the Godzilla webshell to disk for initial persistence and data exfiltration. Godzilla is an open-source webshell that is publicly available for download on GitHub. Although it was developed for red team engagements, threat actors also use it in their attack campaigns because it provides more functionality than similar webshells such as China Chopper; for example, it encrypts its command and control (C2) traffic with AES to evade network detection. JSP (Java Server Pages), C#, PHP, and ASP versions of Godzilla are available in its GitHub repository. In this campaign, the APT group used modified JSP versions of the webshell.
Attack Simulation
You can test your security controls against the Godzilla webshell using the Picus Continuous Security Validation Platform. Picus Labs advises you to simulate Godzilla webshell attacks and determine the effectiveness of your security controls against this webshell. The Picus Threat Library includes the following Godzilla webshell attacks used in the campaign of the APT actors exploiting the CVE-2021-44077 unauthenticated RCE vulnerability in Zoho ManageEngine ServiceDesk Plus.
Picus ID | Threat Name
--- | ---
415652 | Godzilla JSP Based WebShell Upload to Web Server Variant-1
362452 | Godzilla JSP Based WebShell Upload to Web Server Variant-2
Picus Labs also added the following threats used in the same campaign:
Picus ID | Threat Name
--- | ---
716603 | Godzilla Malware Dropper .EXE File Download Variant-1
647927 | Godzilla Malware Dropper .EXE File Download Variant-2
382034 | NGLite Backdoor .EXE File Download Variant-5
369786 | NGLite Backdoor .EXE File Download Variant-6
538948 | KdcSponge Trojan .DLL File Download Variant-1
Verified Indicators of Compromise (IOCs)