FortiGuard Labs Uncovers Highly Obfuscated Web Shell “UpdateChecker.aspx” Targeting Middle East Critical Infrastructure

The FortiGuard Labs team has published an in-depth analysis of a heavily obfuscated web shell that was used in an attack targeting critical infrastructure in the Middle East. The research focuses on a script named UpdateChecker.aspx, which operates on the Microsoft IIS platform. Written in C# as an ASPX page, the script conceals its true functionality behind layers of encoded and encrypted code. All method, variable, and class names were randomly generated and subsequently encoded in Unicode. Constants—including strings and numeric values—were either encrypted or encoded.

During the analysis, researchers successfully deobfuscated the code, converting the random identifiers into human-readable terms. The primary method, Page_Load, is triggered upon receiving a command from the attacker. Control of the shell is conducted via HTTP POST requests that must specify the application/octet-stream content type; otherwise, the request is rejected with an error page.

The request body arrives Base64-encoded and is then decrypted in successive stages. The first 16 bytes hold an encrypted key which, once decoded, yields 15 bytes of actual key material and one padding byte; that key is then used to decrypt the remainder of the command data. The web shell’s response is formatted as JSON, then encrypted and Base64-encoded before being returned.
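One defender-side use of the traits described above (Unicode-encoded identifiers, encrypted constants, and the hard requirement for the application/octet-stream content type), as an added example that is not Fortinet's tooling or the web shell's code: a Python heuristic that triages an ASPX source file for those signs. The sample page, the regexes, the field names and the thresholds are constructed assumptions for illustration.

```python
import math
import re

# Constructed sample in the style the report describes: identifiers written as
# Unicode escapes (legal in C# source), an opaque string constant, and a hard
# gate on the request content type. Not the UpdateChecker.aspx source.
SAMPLE_ASPX = r'''<%@ Page Language="C#" %>
<script runat="server">
public class \u0061\u0062\u0063 {
    static string \u0064\u0065 = "a1b2c3d4e5f6g7h8i9j0kLmNoPqRsTuVwXyZa1b2c3d4e5f6g7h8i9j0kLmNoPqRsTuVwXyZ";
    protected void Page_Load(object s, EventArgs e) {
        if (Request.ContentType != "application/octet-stream") { return; }
        \u0066\u0067(Request.InputStream);
    }
}
</script>'''

# A run of \uXXXX escapes where an identifier would normally be readable text.
ESCAPED_IDENTIFIER = re.compile(r"(?:\\u[0-9a-fA-F]{4})+")
# Double-quoted C# string literals, allowing backslash escapes inside.
STRING_LITERAL = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"')

def shannon_entropy(text: str) -> float:
    """Bits per character; Base64/ciphertext constants score well above plain words."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_aspx(source: str) -> dict:
    """Heuristic triage of one ASPX source; thresholds are assumed starting points."""
    escaped = ESCAPED_IDENTIFIER.findall(source)
    opaque = [s for s in STRING_LITERAL.findall(source)
              if len(s) >= 32 and shannon_entropy(s) > 4.0]
    gates_octet_stream = "application/octet-stream" in source
    # Each signal is weak alone; flag obfuscated naming combined with either
    # opaque constants or the binary content-type gate.
    suspicious = len(escaped) >= 3 and (bool(opaque) or gates_octet_stream)
    return {"escaped_identifiers": len(escaped), "opaque_literals": len(opaque),
            "gates_octet_stream": gates_octet_stream, "suspicious": suspicious}

if __name__ == "__main__":
    print(score_aspx(SAMPLE_ASPX))
```

Run it against the .aspx files under an IIS web root to rank candidates for manual review; a legitimate page with a couple of escaped identifiers or one long Base64 resource will not trip all signals at once.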

The script supports three core modules for system control. The Base module retrieves server information; the CommandShell module executes system commands within a specified working directory; and the FileManager module facilitates interaction with files and directories—including creation, copying, moving, and deletion, as well as metadata manipulation and listing of available drives and the root web directory.

To illustrate the shell’s functionality, Fortinet developed a Python script that simulates attacker behavior by issuing commands to the web shell and displaying the responses. This allowed researchers to showcase the full range of capabilities, including command execution, file operations, and information gathering from the compromised server.

The analysis of UpdateChecker.aspx unveiled the sophisticated architecture of the web shell and demonstrated how threat actors maintain covert and secure control over compromised systems. By encapsulating command-and-control logic within a JSON structure, the script streamlines the automation of instruction delivery and response handling.