Full Report
2025-03-11 • Hunt.io • Hunt.io Open article on Malpedia
Analysis Summary
# Tool/Technique: JSPSpy and filebroser
## Overview
JSPSpy and 'filebroser' are components found within a webshell infrastructure, where JSPSpy appears to be the primary malicious payload or loader, and 'filebroser' functions as a custom file management tool facilitating interaction with the compromised environment.
## Technical Details
- Type: Webshell Infrastructure / File Management Tool
- Platform: Web Servers (likely PHP, ASP.NET, or similar server-side technologies based on context of webshells)
- Capabilities: File browsing, management, uploading, downloading, and command execution via the webshell interface.
- First Seen: The article context is dated 2025-03-11, but specific first-seen dates for these components are not available in the provided snippet.
## MITRE ATT&CK Mapping
*Based on the description of file management within a webshell infrastructure, the following mappings are highly probable:*
- T1189 - Drive-by Compromise (Initial access via exploited web application)
- T1560 - Archive Collected Data
- T1560.001 - Archive via Utility
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (HTTP/HTTPS for C2 communication)
- T1027 - Obfuscated Files or Information
- T1105 - Ingress Tool Transfer (Uploading 'filebroser' or subsequent tools)
## Functionality
### Core Capabilities
- **Remote File Management:** Allowing an external attacker to navigate and interact with the server's file system.
- **Data Staging:** Functionality to upload and download files, crucial for establishing persistence, exfiltrating data, or deploying secondary payloads.
- **Webshell Interaction:** Providing a user interface (likely web-based) to manage the ongoing compromise.
### Advanced Features
- **Custom Tool Integration:** The presence of 'filebroser' suggests a modular approach where the initial webshell (JSPSpy) may load or serve specialized tools for specific tasks, bypassing general-purpose webshell limitations. (Specific advanced features of JSPSpy itself are not detailed here, but webshells often include command execution.)
## Indicators of Compromise
*No specific IoCs (hashes, files, IPs) are provided in the summary context.*
- File Hashes: [Not Provided]
- File Names: JSPSpy, filebroser (or variants thereof)
- Registry Keys: [Not Applicable to the primary artifact, likely file-based on web server]
- Network Indicators: Communication channels related to the initial upload/download and subsequent command/control via HTTP/S to the compromised web path. (Defanged: N/A)
- Behavioral Indicators: Unusual file creation or modification occurring in web application directories, execution of server-side scripts with unexpected parameters.
## Associated Threat Actors
- [Hunt.io] (The organization that reported this specific infrastructure)
- General threat actors known to deploy sophisticated webshells for persistence and data access.
## Detection Methods
- Signature-based detection: Signatures targeting known file names, or specific API calls found in the JSPSpy or filebroser components, once their contents are known.
- Behavioral detection: Monitoring for unusual process execution from web server contexts, unexpected file system interaction in web roots, and large outbound data transfers initiated by web processes.
- YARA rules: Can be developed based on unique strings or code structure identified within the JSPSpy and filebroser files.
## Mitigation Strategies
- **Web Application Security:** Rigorous input validation and sanitization to prevent exploitation that leads to webshell implantation.
- **Least Privilege:** Running the web server process with only the privileges it needs, so that its ability to modify the filesystem and read data is limited.
- **File Integrity Monitoring (FIM):** Monitoring critical web application directories for unauthorized file uploads or modifications corresponding to webshell components.
- **Network Traffic Analysis:** Monitoring outbound traffic from web servers for anomalies indicative of data exfiltration.
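The file integrity check described under Behavioral detection and File Integrity Monitoring above, as an added example that is not part of the original summary or of any Hunt.io tooling: it hashes every file under a web root, diffs a later snapshot against that baseline, and flags added or modified server-side script files. The directory layout, file names and extension list are constructed for the demonstration.

```python
"""Baseline-and-diff file integrity check for a web root (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Server-side script extensions that should rarely change outside a deployment.
# Constructed list; tune it to the platform actually in use.
SCRIPT_EXTS = {".jsp", ".jspx", ".php", ".aspx", ".ashx"}


def hash_tree(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256 digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = digest
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """Return added, modified and removed paths, plus script files among the changes."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    # A new or altered script in the web root is the signal a webshell drop produces.
    suspicious = [p for p in added + modified if Path(p).suffix.lower() in SCRIPT_EXTS]
    return {"added": added, "modified": modified,
            "removed": removed, "suspicious": suspicious}


def demo() -> dict:
    """Constructed scenario: clean web root, then a dropped .jsp and a tampered page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.jsp").write_text("<html>hello</html>")
        (root / "img").mkdir()
        (root / "img" / "logo.png").write_bytes(b"\x89PNG fake")
        before = hash_tree(root)
        # Simulated post-compromise changes (constructed, not real artifacts).
        (root / "img" / "filebroser.jsp").write_text("<% /* unexpected script */ %>")
        (root / "index.jsp").write_text("<html>hello</html><% /* appended */ %>")
        after = hash_tree(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored outside the web root and re-checked on a schedule, with the "suspicious" list feeding an alert rather than a print.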
## Related Tools/Techniques
- Other advanced webshells (e.g., China Chopper, Weevely, WSO2 Web Shell)
- Generic Server Management Tools (if 'filebroser' mimics legitimate admin interfaces)