
Backdoor:ASP/Aspy.A


First posted on 15 February 2019.
Source: Microsoft

Aliases:

Backdoor:ASP/Aspy.A is also known as ASP/Agent.NAB.Gen trojan, Backdoor.ASP.Aspy, IIS/BackDoor-ASP, Backdoor.ASP.Rootkit.d, Backdoor.ASP.Akspy.c, ASP/BackDoor.gen, Troj/ASP-F.

Explanation:

Backdoor:ASP/Aspy.A is a backdoor trojan, written in ASP.Net, that allows unauthorized remote access and control of an affected computer or server.

Installation

Backdoor:ASP/Aspy.A may be present on a compromised host as a file with an .ASP file extension, stored in a directory containing web pages so that a remote attacker can reach it through a web browser over an Internet connection. The following file names are examples of the trojan as found in the wild:

action_refresh.aspx
pw.aspx
plugins.aspx
legion.aspx;jpg
cmd.aspx
iskox.aspx
css.aspx
ASPXspy2.aspx

When the trojan page is accessed, it requests a logon to gain access to a control session. The default password for the trojan is 'admin'.
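As an added example (not part of the original entry or of Microsoft's analysis), the following Python scan walks a web root and flags files whose names match the list above; it also flags, as a generalization beyond the listed names, any script extension followed by a semicolon, the pattern seen in legion.aspx;jpg. The web root it builds for the demonstration is constructed, not a real infection.

```python
import os
import re
import tempfile

# File names the entry lists for Backdoor:ASP/Aspy.A, compared case-insensitively.
ASPY_FILE_NAMES = {
    "action_refresh.aspx", "pw.aspx", "plugins.aspx", "legion.aspx;jpg",
    "cmd.aspx", "iskox.aspx", "css.aspx", "aspxspy2.aspx",
}

# A script extension followed by ';' and more text ('legion.aspx;jpg' above):
# older IIS releases stop parsing the name at the ';' and run the file as ASP/ASPX,
# so such names deserve a flag even when the prefix is not a known sample name.
SEMICOLON_EXT = re.compile(r"\.(asp|aspx|ashx|asmx)\s*;", re.IGNORECASE)


def classify(name: str) -> list[str]:
    """Return the reasons a file name is suspicious; an empty list means none."""
    lowered = name.lower()
    reasons = []
    if lowered in ASPY_FILE_NAMES:
        reasons.append("known Aspy.A file name")
    if SEMICOLON_EXT.search(lowered):
        reasons.append("semicolon double extension")
    return reasons


def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk a web root; map each suspicious file (path relative to root) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            reasons = classify(fname)
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                findings[rel.replace(os.sep, "/")] = reasons
    return findings


def scan_sample_webroot() -> dict[str, list[str]]:
    """Build a constructed web root (placeholder files, not malware) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        for rel in ("Default.aspx", "web.config", "uploads/cmd.aspx",
                    "uploads/legion.aspx;jpg", "uploads/photo.asp;.gif"):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write("<%-- constructed placeholder content --%>\n")
        return scan_webroot(root)


if __name__ == "__main__":
    for path, reasons in sorted(scan_sample_webroot().items()):
        print(f"{path}: {', '.join(reasons)}")
```

A name match alone is only a triage hint; confirm a hit by reviewing the file contents and the IIS access logs for requests to it.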

Payload

Allows unauthorized remote access and control
Once logged in, the trojan could provide the following functionality against a compromised computer or server:

File management - this includes download, upload, edit, copy, rename, and delete files
Directory management - this includes create, rename, and delete directories
Execute any command through cmd.exe
Extract IIS user credentials
List processes and services
List detailed information of users and system configuration (includes domain, IP, OS version, CPU, etc.)
File search and replace
Serv-U privilege escalation exploit
List registry keys and values
Port scanner
MSSQL and Microsoft Access database access
TCP port redirection

Analysis by Shawn Wang

Last update 15 February 2019
