The newly discovered Chinese nation-state actor known as Volt Typhoon has been active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest.
A closer examination of the Tomcat access logs unearthed several HTTP POST requests to /html/promotion/selfsdp.jspx, a web shell that’s camouflaged as the legitimate identity security solution to sidestep detection.
The web shell is believed to have been deployed nearly six months before the aforementioned hands-on-keyboard activity, indicative of extensive prior recon of the target network.
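The two paragraphs above describe the detection signal a defender actually has: Tomcat access logs showing repeated POST requests to a JSP/JSPX path the application never legitimately serves, spread over a long period. The following added example (not code from the original article or from any of the vendors it mentions) parses Tomcat "common" pattern access log lines, flags POSTs to .jsp/.jspx paths outside a hypothetical allowlist, and summarises per-path request count, distinct sources and first/last seen so the dwell time becomes visible. The log lines, IP addresses and the `KNOWN_POST_JSP` allowlist are constructed for the example; only the web shell path itself comes from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tomcat "common" access log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not real log data); the .jspx path is the one named on the page.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2022:02:14:10 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 412
198.51.100.23 - - [03/Nov/2022:09:30:01 +0000] "GET /html/login.jsp HTTP/1.1" 200 8120
198.51.100.23 - - [03/Nov/2022:09:30:05 +0000] "POST /html/login.jsp HTTP/1.1" 302 0
203.0.113.7 - - [21/Apr/2023:01:02:33 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 220
203.0.113.9 - - [22/Apr/2023:01:05:40 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 975
not a log line
"""

# Hypothetical allowlist: JSP endpoints this application is known to accept POSTs on.
KNOWN_POST_JSP = {"/html/login.jsp"}


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec


def find_suspicious_posts(log_text, known=KNOWN_POST_JSP):
    """Summarise POST requests to .jsp/.jspx paths that are not in the allowlist.

    Returns {path: {"count", "sources", "first", "last"}}.
    """
    hits = defaultdict(lambda: {"count": 0, "sources": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"]
        if not path.lower().endswith((".jsp", ".jspx")) or path in known:
            continue
        h = hits[path]
        h["count"] += 1
        h["sources"].add(rec["host"])
        if h["first"] is None or rec["time"] < h["first"]:
            h["first"] = rec["time"]
        if h["last"] is None or rec["time"] > h["last"]:
            h["last"] = rec["time"]
    return dict(hits)


def dwell_days(summary):
    """Whole days between the first and last observed request to a flagged path."""
    return (summary["last"] - summary["first"]).days


if __name__ == "__main__":
    for path, s in find_suspicious_posts(SAMPLE_LOG).items():
        print(f"{path}: {s['count']} POSTs from {sorted(s['sources'])}, "
              f"first {s['first']:%Y-%m-%d}, last {s['last']:%Y-%m-%d}, "
              f"span {dwell_days(s)} days")
```

The allowlist is the part that needs local knowledge: seed it from the application's real servlet mappings rather than from observed traffic, otherwise a long-lived web shell ends up allowlisted simply because it has always been there. Sorting by first-seen also answers the question the article raises, namely how long before the interactive activity the shell was already in place.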
The trojanized version of Tomcat's websocket.jar is fitted with three new Java classes named A, B, and C, with class A functioning as another web shell capable of receiving and executing Base64-encoded and AES-encrypted commands.
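A trojanized library jar is found by comparing what is on disk against a known-good copy of the same version, entry by entry, rather than by trusting the file name. The added example below (not code from the original article or from the Tomcat project) hashes every entry in two jars and reports entries that were added, removed or modified; the baseline and suspect jars are constructed in memory with placeholder bytes instead of real bytecode, and the package path under which the A, B and C classes are placed is an assumption for the fixture, since the page does not state it.

```python
import hashlib
import io
import zipfile


def jar_entry_hashes(jar_bytes):
    """Map each file entry in a jar (a zip archive) to the SHA-256 of its content."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def diff_jar(baseline_bytes, suspect_bytes):
    """Compare a suspect jar against a known-good baseline of the same version."""
    base = jar_entry_hashes(baseline_bytes)
    sus = jar_entry_hashes(suspect_bytes)
    return {
        "added": sorted(set(sus) - set(base)),
        "removed": sorted(set(base) - set(sus)),
        "modified": sorted(n for n in set(base) & set(sus) if base[n] != sus[n]),
    }


def build_jar(entries):
    """Construct an in-memory jar from {name: bytes}; a test fixture, not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures: contents are placeholders, not real Java bytecode.
# The package path for A/B/C is assumed for the example.
BASELINE_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/tomcat/websocket/WsSession.class": b"\xca\xfe\xba\xbe baseline WsSession",
    "org/apache/tomcat/websocket/WsFrameBase.class": b"\xca\xfe\xba\xbe baseline WsFrameBase",
})
SUSPECT_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/tomcat/websocket/WsSession.class": b"\xca\xfe\xba\xbe baseline WsSession",
    "org/apache/tomcat/websocket/WsFrameBase.class": b"\xca\xfe\xba\xbe patched WsFrameBase",
    "org/apache/tomcat/websocket/A.class": b"\xca\xfe\xba\xbe added A",
    "org/apache/tomcat/websocket/B.class": b"\xca\xfe\xba\xbe added B",
    "org/apache/tomcat/websocket/C.class": b"\xca\xfe\xba\xbe added C",
})


if __name__ == "__main__":
    for kind, names in diff_jar(BASELINE_JAR, SUSPECT_JAR).items():
        for name in names:
            print(f"{kind}: {name}")
```

In practice the baseline comes from the vendor distribution of the exact same Tomcat version (or from a package manager's file manifest), and the comparison belongs in a scheduled integrity check, because a jar whose overall hash differs from the expected value tells you only that something changed, while the per-entry diff tells you which classes to pull for analysis.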