Full Report
Initial access leverages IIS apps configured with reused/public machineKey (ValidationKey/DecryptionKey) values, enabling __VIEWSTATE deserialization to run arbitrary commands. Following foothold, REF3927 deploys Godzilla-family webshells (e.g., 1.aspx) and GotoHTTP for GUI ac...
Analysis Summary
# Tool/Technique: REF3927 IIS Exploitation & Post-Exploitation Suite
## Overview
This attack pattern describes a specific methodology used by threat group **REF3927** to compromise web servers. The technique focuses on exploiting misconfigured Microsoft IIS (Internet Information Services) applications that use hardcoded or publicly known `machineKey` values. Once a foothold is established via deserialization, the actor deploys specialized webshells and remote access tools to maintain persistence and facilitate GUI-based interaction.
## Technical Details
- **Type**: Exploitation Technique & Malware Variant Suite
- **Platform**: Windows (IIS Web Servers)
- **Capabilities**: Remote Code Execution (RCE), File Management, GUI Access, Credential Dumping.
- **First Seen**: Recent campaigns identified in 2023/2024.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
- **TA0002 - Execution**
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  - T1203 - Exploitation for Client Execution
- **TA0003 - Persistence**
  - T1505.003 - Server Software Component: Web Shell
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
- **TA0007 - Discovery**
  - T1082 - System Information Discovery
- **TA0009 - Collection**
  - T1113 - Screen Capture
## Functionality
### Core Capabilities
- **VIEWSTATE Deserialization**: Exploiting the `__VIEWSTATE` parameter using leaked or default `validationKey` and `decryptionKey` attributes to execute arbitrary code in the context of the IIS AppPool.
- **Godzilla Webshell**: A sophisticated ASPX shell utilized for file manipulation, database management, and executing secondary payloads.
- **GotoHTTP**: A legitimate cross-platform remote control tool used by the actor to bypass traditional RDP monitoring and achieve GUI access.
### Advanced Features
- **Encryption**: Godzilla uses AES encryption for communication, making it difficult for Network Intrusion Detection Systems (NIDS) to inspect the traffic.
- **Reused Machine Keys**: Leveraging keys often found in public GitHub repositories or default templates (e.g., those found in specific legacy CMS or enterprise software builds).
## Indicators of Compromise
- **File Names**:
  - `1.aspx` (common Godzilla default name)
  - `GotoHTTP.exe`
- **Network Indicators**:
  - `www[.]gotohttp[.]com` (legitimate domain used for C2)
  - `124[.]223[.]99[.]224` (example actor-controlled infrastructure, *defanged*)
- **Behavioral Indicators**:
  - `w3wp.exe` spawning `cmd.exe` or `powershell.exe`.
  - Excessive POST requests to a single `.aspx` file with high-entropy bodies (encrypted Godzilla traffic).
  - Unexplained modifications to `web.config` files.
## Associated Threat Actors
- **REF3927** (Also tracked in relation to specific tactical clusters targeting Southeast Asia and global IIS instances).
## Detection Methods
- **Signature-based detection**:
  - Scan for known `machineKey` values that are publicly archived (e.g., from CVE-2020-0688 research).
  - YARA rules targeting the Godzilla webshell's unique AES decryption routine in ASPX files.
- **Behavioral detection**:
  - Monitor `w3wp.exe` process lineage for suspicious child processes.
  - Detect unauthorized installation of remote desktop software like GotoHTTP, AnyDesk, or ScreenConnect on web servers.
## Mitigation Strategies
- **Key Rotation**: Ensure `machineKey` values are unique, randomly generated, and not reused across different environments.
- **Patch Management**: Apply latest .NET Framework and IIS security updates to mitigate known deserialization vectors.
- **Principle of Least Privilege**: Run IIS Application Pools as low-privileged service accounts rather than LocalSystem.
- **Network Segmentation**: Restrict outbound internet access from web servers to prevent "phone-home" behavior from tools like GotoHTTP.
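The `machineKey` scan under Detection Methods and the key-uniqueness requirement under Key Rotation can be checked with one audit. The following is an added example, not code from the report or from any vendor tool: it parses a set of constructed `web.config` fragments, flags any explicit `validationKey`/`decryptionKey` whose SHA-256 digest appears in a hypothetical blocklist of publicly leaked keys, and flags keys that are shared by more than one application on the host. The site paths, key values and blocklist digests are all constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments standing in for five IIS applications (not real sites).
# siteB reuses siteA's keys, siteC's validationKey is on the "public" list, siteD sets no
# machineKey (ASP.NET then auto-generates one), siteE uses the safe AutoGenerate setting.
KEY_A_V, KEY_A_D = "A1" * 64, "B2" * 32   # 128 / 64 hex chars, as HMACSHA256 / AES expect
KEY_C_V, KEY_C_D = "C3" * 64, "D4" * 32

def _cfg(validation=None, decryption=None):
    if validation is None:
        return "<configuration><system.web/></configuration>"
    return ('<configuration><system.web><machineKey validationKey="%s" decryptionKey="%s" '
            'validation="HMACSHA256" decryption="AES"/></system.web></configuration>'
            % (validation, decryption))

SAMPLE_CONFIGS = {
    r"C:\inetpub\siteA\web.config": _cfg(KEY_A_V, KEY_A_D),
    r"C:\inetpub\siteB\web.config": _cfg(KEY_A_V, KEY_A_D),
    r"C:\inetpub\siteC\web.config": _cfg(KEY_C_V, KEY_C_D),
    r"C:\inetpub\siteD\web.config": _cfg(),
    r"C:\inetpub\siteE\web.config": _cfg("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
}

# Hypothetical blocklist: SHA-256 digests of publicly leaked keys (placeholder built from the
# constructed key above, not a real indicator). Distributing digests rather than the keys
# themselves means the blocklist does not re-publish the secrets it is meant to catch.
PUBLIC_KEY_DIGESTS = {hashlib.sha256(KEY_C_V.encode()).hexdigest()}

def extract_machine_key(xml_text):
    """Return {attribute: value} for explicit, non-auto-generated machineKey material."""
    node = next(ET.fromstring(xml_text).iter("machineKey"), None)
    if node is None:
        return {}
    return {attr: node.attrib[attr] for attr in ("validationKey", "decryptionKey")
            if attr in node.attrib and not node.attrib[attr].startswith("AutoGenerate")}

def audit(configs, public_digests):
    """Return (path, attribute, kind) findings; kind is PUBLIC or REUSED."""
    findings, holders = [], defaultdict(list)   # key digest -> [(path, attribute)]
    for path, text in configs.items():
        for attr, value in extract_machine_key(text).items():
            digest = hashlib.sha256(value.encode()).hexdigest()
            if digest in public_digests:
                findings.append((path, attr, "PUBLIC"))
            holders[digest].append((path, attr))
    for digest, users in holders.items():
        if len({path for path, _ in users}) > 1:   # same key in more than one application
            findings.extend((path, attr, "REUSED") for path, attr in users)
    return findings

if __name__ == "__main__":
    for path, attr, kind in audit(SAMPLE_CONFIGS, PUBLIC_KEY_DIGESTS):
        print(f"{kind:6} {attr:14} {path}")
```

On a real host, replace `SAMPLE_CONFIGS` with the contents of every `web.config` under the IIS site roots (and `applicationHost.config`/`machine.config` if keys are set there) and treat any REUSED or PUBLIC finding as a key-rotation action.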
## Related Tools/Techniques
- **CVE-2020-0688**: A similar vulnerability in Microsoft Exchange involving static `machineKey` values.
- **Behinder/AntSword**: Other popular webshell frameworks similar to Godzilla.
- **YSoSerial.net**: A tool often used by attackers to generate the deserialization payloads for VIEWSTATE exploitation.