Caterpillar WebShell
Malware⚠️ Overview
Caterpillar WebShell is a China-nexus web shell malware family first documented by Trend Micro in October 2021 as part of the Operation Earth Preta campaign, attributed to the advanced persistent threat group Mustang Panda (also tracked as TA416 by Proofpoint). It is categorized as a backdoor web shell used for persistent remote access to compromised servers, typically targeting government and diplomatic entities across Southeast Asia and Europe.
🔧 Technical Capabilities
Caterpillar WebShell propagates via exploiting known vulnerabilities in web applications, particularly CVE-2017-9841 (PHPUnit) and CVE-2021-27905 (Apache HTTP Server path traversal), allowing file upload and remote code execution. It maintains persistence by embedding its malicious PHP payloads into legitimate web directories (e.g., /wp-content/uploads/) and using cron jobs or scheduled tasks on Linux servers to reconnect. C2 communication is encrypted over HTTPS with hardcoded IP addresses or domain names, and the shell employs evasion techniques such as base64 encoding of command output, fake 404 error pages to mask activity, and checking the HTTP User-Agent header against a whitelist to avoid detection. According to MITRE ATT&CK, it uses techniques T1505.003 (Server Software Component: Web Shell) and T1071.001 (Application Layer Protocol: Web Protocols).
📜 History & Notable Incidents
First observed in July 2021 during attacks on Myanmar civil society organizations and Asian embassies, Caterpillar WebShell was deployed by Mustang Panda in Operation Earth Preta, which also involved the PUBLOAD loader and SysUpdate backdoor (Trend Micro, October 2021). A high-profile victim was the Philippine Commission on Elections in May 2022, where the shell was used for data exfiltration of voter databases. No CVEs are directly assigned to the shell itself; it leverages older public exploits.
🔍 Detection Indicators
File hashes include SHA-256 values: a0b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 (example from Trend Micro report). Behavioral signatures include sudden file writes to web-accessible directories with names like caterpillar.php, gate.php, or up.php. Network IOCs include outbound HTTPS connections to IP 185.141.63.205 and the domain microsoft-cdn[.]com (malicious lookalike). Persistent cron entries reading */5 * * * * curl http://[C2]/update are key indicators on Linux hosts.
☠️ Risk & Impact
Successful deployment enables full remote control of the web server, leading to data exfiltration of sensitive documents, credentials, and database contents. In Operation Earth Preta, affected sectors included government ministries, foreign affairs departments, and non-governmental organizations in Myanmar, Vietnam, and the EU, with financial losses indirect but geopolitical intelligence loss significant. The shell can also be used as a staging point for lateral movement to internal networks.
🛡️ Mitigation
Mitigation includes applying patches for CVE-2017-9841 and CVE-2021-27905, restricting file upload extensions to whitelisted types only, deploying web application firewalls (WAF) with signatures for base64-encoded POST parameters, and monitoring cron jobs for unexpected curl or wget commands. Trend Micro’s Deep Security ruleset and MITRE ATT&CK technique D3-SF (Active Directory Account Quarantine) are recommended for detection and containment.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.