P.A.S. Fork v. 1.0 — A Web Shell Revival

A PHP shell containing multiple functions can easily consist of thousands of lines of code, so it’s no surprise that attackers often reuse the code from some of the most popular PHP web shells, like WSO or b374k.


After all, if these popular (and readily available) PHP web shells do the job, there's no need to code an entirely new tool. Instead of writing a new PHP shell from scratch, attackers simply mask or cloak the pre-existing code with a variety of obfuscation techniques to avoid detection.


And while this happens all the time with popular PHP web shells, during an investigation we came across a new — and perhaps more unusual — variation of a rather interesting PHP web shell.


P.A.S. v. x web shell — the history


The P.A.S. PHP web shell has a sordid and confusing history due to inaccurate information, but it originally emerged back in 2013 when the author “Profexer” announced on a Russian forum that their new beta web shell was available for others to try out.


The forum thread's title was PAS (php web-shell), but the shell's code refers to it as P.A.S., so we can speculate that it is likely an acronym for something like PHP Web Shell. For example, the popular web shell WSO is an acronym for Web Shell by Orb.


To further emphasize the point that attackers aren’t very interested in “reinventing the PHP shell,” here is the very first reply to the forum thread:

[Image: the first reply to the forum thread, auto-translated by Google Chrome from its original Russian]

This PHP shell seemed to have flown under the radar until late ..
