TridentShell: An enhanced covert and scalable backdoor injection attack on web applications

Abstract

Web backdoor attack is an increasingly prevalent network attack that can result in substantial losses for webmasters. During a cyber-attack, system vulnerabilities and web application flaws are usually used to implant a web shell inside victim servers. To mitigate these threats posed by web shells, research has focused on static feature detection, which has been evolved rapidly in recent years. However, static feature detection has inherent limitations and security risks. In this paper, we present TridentShell, a novel web backdoor attack that can inject an invisible backdoor into a victim server without leaving any traces of the attack. Furthermore, TridentShell can circumvent almost all static detection methods. Unlike existing approaches, which leverage traditional encryption and obfuscation technologies to avoid detection, our proposed attack is intended to blend into the web application server naturally. In this work, we introduce enhancements to the original TridentShell, which is not traceable – in theory – since it uses a blockchain-based decentralized C&C server with better presentation capability. The experimental results show that our TridentShell can effectively compromise five different types of Java application servers (covering around 87% Java application servers in the market), and can scrub any attack traces from the server, making it especially difficult to detect.