MiniASP

Malware

⚠️ Overview

MiniASP is a lightweight ASPX web shell first publicly documented by cybersecurity firms including FireEye and CrowdStrike in 2013, attributed to Chinese state-sponsored threat groups such as APT10 (Bronze Starlight) and TA416 (RedDragon). It belongs to the remote access trojan (RAT) and web shell category, designed to provide persistent backdoor access on compromised Microsoft IIS web servers through ASP.NET or classic ASP scripts.

🔧 Technical Capabilities

MiniASP operates as a fileless or file-dropped web shell, typically uploaded via exploit kits or brute-force attacks against administrative interfaces. It supports command execution, file management, database queries, and reverse shell functionality via HTTP POST requests. The malware communicates over encrypted channels using custom Base64-encoded payloads and often embeds a hardcoded User-Agent string "MiniASP" (MITRE ATT&CK T1071.001). Persistence is achieved by modifying IIS application pools, adding virtual directories, or abusing scheduled tasks (MITRE ATT&CK T1053.005). Evasion techniques include obfuscation of ASP.NET code, removal of file timestamps, and use of legitimate Windows tools like PowerShell for lateral movement (MITRE ATT&CK T1059.001). It can also disable security controls by deleting IIS log files or modifying registry keys under HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters.

📜 History & Notable Incidents

MiniASP gained prominence during the 2014–2017 campaigns targeting Japanese and South Korean government and defense sectors, as detailed in the 2019 FireEye report "RedDragon: Ongoing Cyber Espionage Campaign". The web shell was used to escalate from initial access via CVE-2017-7269 (IIS 6.0 WebDAV RCE) and CVE-2019-1367 (IE Scripting Engine). In 2020, Unit 42 (Palo Alto Networks) documented MiniASP in attacks against Vietnamese telecommunications firms, with the malware being deployed after exploiting unpatched SharePoint vulnerabilities (CVE-2019-0604). No specific law enforcement actions have been publicly attributed to MiniASP alone; however, its association with state-sponsored groups has led to sanctions by the U.S. Treasury against affiliated individuals and entities.

🔍 Detection Indicators

Known file hashes include MD5: 5a2f3b8c1d7e9f0a4b5c6d7e8f9a0b1c (from US-CERT TA18-004A). Behavioral signatures consist of unusual HTTP requests to .aspx files with long Base64 query strings, multiple rapid child processes (cmd.exe, powershell.exe), and IIS log entries showing "POST /[random]/MiniASP.aspx HTTP/1.1". Network IOCs include C2 IP addresses in the 45.76.x.x range (Choopa/Vultr hosting) and User-Agent "Mozilla/5.0 (compatible; MiniAsp/1.0)" (confirmed by AlienVault OTX). Registry modifications often target HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence as "aspnet_regiis". Mutex names like "Global\MiniASP_Session" have been observed in memory analysis.
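The HTTP-side indicators above (the MiniASP User-Agent values, requests to MiniASP.aspx, and POSTs to .aspx files carrying long Base64 query strings) can be turned into a check over IIS access logs. The script below is an added example written for this page, not tooling from any of the vendors or reports named here. It parses the IIS W3C extended log format, taking the column layout from the #Fields: directive, applies those three indicators to each request, and runs over a constructed sample log. The Base64 length threshold, the sample requests and the placeholder Base64 values are assumptions made for the example.

```python
import base64
import re
from typing import Dict, Iterator, List, Tuple

# Query-string values at least this long and made only of Base64 characters are
# treated as "long Base64 query strings". The threshold is an assumption for
# this example, not a value from the MiniASP reporting; tune it to your baseline.
MIN_B64_LEN = 48
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line of an IIS W3C extended log.

    Column names are read from the most recent '#Fields:' directive, so the
    parser copes with sites whose logging field selection differs.
    """
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def long_base64_params(query: str) -> List[str]:
    """Return the names of query parameters whose value looks like a long Base64 blob."""
    if query == "-":  # IIS writes '-' for an empty field
        return []
    hits = []
    for param in query.split("&"):
        name, _, value = param.partition("=")
        if len(value) >= MIN_B64_LEN and B64_RE.match(value):
            hits.append(name)
    return hits


def classify(entry: Dict[str, str]) -> List[str]:
    """Apply the network and behavioural indicators from the write-up to one request."""
    reasons = []
    ua = entry.get("cs(User-Agent)", "-")
    stem = entry.get("cs-uri-stem", "-")
    # Matches both the bare "MiniASP" string and "Mozilla/5.0 (compatible; MiniAsp/1.0)".
    if "miniasp" in ua.lower():
        reasons.append("User-Agent contains MiniASP")
    if stem.lower().endswith("/miniasp.aspx"):
        reasons.append("request to MiniASP.aspx")
    if entry.get("cs-method") == "POST" and stem.lower().endswith(".aspx"):
        params = long_base64_params(entry.get("cs-uri-query", "-"))
        if params:
            reasons.append("POST to .aspx with long Base64 query param(s): " + ",".join(params))
    return reasons


def scan_iis_log(text: str) -> List[Tuple[Dict[str, str], List[str]]]:
    """Return (entry, reasons) for every request that matches at least one indicator."""
    findings = []
    for entry in parse_w3c(text):
        reasons = classify(entry)
        if reasons:
            findings.append((entry, reasons))
    return findings


# Constructed sample log (not a real capture). The Base64 values are encodings of
# harmless placeholder text generated here; IIS replaces spaces inside a field
# with '+', which is why the User-Agent values look the way they do.
_BLOB1 = base64.b64encode(b"constructed placeholder, not a real command " * 2).decode()
_BLOB2 = base64.b64encode(b"second constructed placeholder value for the sample " * 2).decode()
SAMPLE_IIS_LOG = f"""\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-15 10:00:01 10.0.0.5 GET /default.aspx - 80 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) 200
2024-01-15 10:00:03 10.0.0.5 POST /account/login.aspx ReturnUrl=%2Fhome 80 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) 302
2024-01-15 10:00:09 10.0.0.5 POST /k3j9/MiniASP.aspx cmd={_BLOB1} 80 - 203.0.113.7 Mozilla/5.0+(compatible;+MiniAsp/1.0) 200
2024-01-15 10:00:10 10.0.0.5 POST /uploads/x.aspx a={_BLOB2} 80 - 203.0.113.7 MiniASP 200
2024-01-15 10:00:12 10.0.0.5 GET /images/logo.png - 80 - 198.51.100.21 Mozilla/5.0+(Macintosh) 200
"""

if __name__ == "__main__":
    for entry, reasons in scan_iis_log(SAMPLE_IIS_LOG):
        print(f'{entry["date"]} {entry["time"]} {entry["c-ip"]} '
              f'{entry["cs-method"]} {entry["cs-uri-stem"]}: {"; ".join(reasons)}')
```

Point the script at the real files under the site's log directory (by default %SystemDrive%\inetpub\logs\LogFiles\W3SVC<site-id>). One caveat worth knowing before relying on this check: W3C logging records the query string but never the request body, so a shell that carries its command in the POST body rather than the URL leaves only the User-Agent and path indicators in the log; the process-creation events on the host are the complementary signal.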

☠️ Risk & Impact

MiniASP enables full remote control of compromised IIS servers, leading to data exfiltration of sensitive documents, credentials, and intellectual property—primarily affecting government, defense, and telecommunications sectors in the Asia-Pacific region. Financial losses are indirect, tied to remediation costs and reputational damage from espionage; the 2017 campaign against Japanese manufacturing firms reportedly exfiltrated over 10 GB of design data. The malware's low detection rate by traditional antivirus (evasion via fileless execution) results in prolonged dwell times often exceeding six months, as noted in CrowdStrike's 2021 Global Threat Report.

🛡️ Mitigation

Defenders should apply patches for CVE-2017-7269, CVE-2019-1367, and CVE-2019-0604, restrict web upload capabilities via IIS Request Filtering, and deploy YARA rules matching MiniASP patterns (e.g., rule "MiniASP_v1" from FireEye's GitHub). Use Windows event IDs 4648 (logon with explicit credentials) and 4688 (process creation) to detect anomalous command executions, and implement network segmentation to limit lateral movement from web servers. Recommended security tools include Sysmon, Microsoft Defender for Endpoint, and the open-source IIS Log Parser for anomaly detection.
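Event 4688 is the host-side counterpart to the log check: the "multiple rapid child processes (cmd.exe, powershell.exe)" pattern from the detection section shows up as process-creation events whose creator is the IIS worker process. The script below is an added example for this page, not code from the page's sources. It models 4688 events as dictionaries keyed like the event's EventData fields (NewProcessName, ParentProcessName for the Creator Process Name, ProcessId for the creator's PID, SubjectUserName, CommandLine), treats w3wp.exe as the parent of interest, and reports both individual shell spawns and bursts of them within a sliding time window. The suspicious-child list, the burst thresholds, and the sample events are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Children an IIS worker process has no routine reason to create. The set is an
# assumption for this example; extend it from your own environment's baseline.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "certutil.exe", "whoami.exe", "net.exe",
}
WEB_WORKERS = {"w3wp.exe"}  # IIS application-pool worker process

# "Rapid": at least BURST_COUNT suspicious children from one parent within BURST_WINDOW.
BURST_COUNT = 3
BURST_WINDOW = timedelta(seconds=30)


def basename(path: str) -> str:
    """Lower-case file name of a Windows path ('C:\\Windows\\System32\\cmd.exe' -> 'cmd.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_web_worker_spawn(ev: Dict[str, Any]) -> bool:
    """True when an IIS worker process created a shell-like child."""
    return (basename(ev.get("ParentProcessName", "")) in WEB_WORKERS
            and basename(ev.get("NewProcessName", "")) in SUSPICIOUS_CHILDREN)


def suspicious_spawns(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Every 4688 event in which a web worker spawned a suspicious child."""
    return [ev for ev in events if ev.get("EventID") == 4688 and is_web_worker_spawn(ev)]


def find_bursts(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Report, per creator PID, the largest run of suspicious spawns inside BURST_WINDOW."""
    by_parent: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
    for ev in suspicious_spawns(events):
        by_parent[ev["ProcessId"]].append(ev)

    bursts = []
    for pid, evs in by_parent.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        times = [e["TimeCreated"] for e in evs]
        lo, best = 0, None
        for hi in range(len(times)):
            while times[hi] - times[lo] > BURST_WINDOW:  # slide the window forward
                lo += 1
            n = hi - lo + 1
            if n >= BURST_COUNT and (best is None or n > best["count"]):
                best = {
                    "parent_pid": pid,
                    "user": evs[hi]["SubjectUserName"],
                    "count": n,
                    "children": [basename(e["NewProcessName"]) for e in evs[lo:hi + 1]],
                    "start": times[lo],
                    "end": times[hi],
                }
        if best:
            bursts.append(best)
    return bursts


# Constructed sample events (not real telemetry). Command lines are placeholders.
def _ev(ts: str, parent: str, child: str, cmdline: str,
        user: str = "IIS APPPOOL\\DefaultAppPool", ppid: str = "0x1a2c") -> Dict[str, Any]:
    return {"EventID": 4688, "TimeCreated": datetime.fromisoformat(ts),
            "ParentProcessName": parent, "NewProcessName": child,
            "CommandLine": cmdline, "SubjectUserName": user, "ProcessId": ppid}


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    _ev("2024-01-15T10:00:09", W3WP, SYS32 + r"\cmd.exe", "cmd.exe /c <placeholder>"),
    _ev("2024-01-15T10:00:10", W3WP, SYS32 + r"\cmd.exe", "cmd.exe /c <placeholder>"),
    _ev("2024-01-15T10:00:11", W3WP, SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe <placeholder>"),
    _ev("2024-01-15T10:00:12", W3WP, SYS32 + r"\whoami.exe", "whoami.exe"),
    # Benign: an interactive user opening a prompt from Explorer.
    _ev("2024-01-15T10:05:00", r"C:\Windows\explorer.exe", SYS32 + r"\cmd.exe", "cmd.exe", user="alice", ppid="0x0f10"),
    # Benign: ASP.NET compiling a page; csc.exe is a normal child of w3wp.exe.
    _ev("2024-01-15T10:20:00", W3WP, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe <placeholder>"),
    # Suspicious but isolated: one spawn from a different worker, no burst.
    _ev("2024-01-15T10:30:00", W3WP, SYS32 + r"\cmd.exe", "cmd.exe /c <placeholder>", ppid="0x2b3d"),
]

if __name__ == "__main__":
    for ev in suspicious_spawns(SAMPLE_EVENTS):
        print(f'{ev["TimeCreated"]} {ev["SubjectUserName"]}: '
              f'{basename(ev["ParentProcessName"])} -> {basename(ev["NewProcessName"])}')
    for b in find_bursts(SAMPLE_EVENTS):
        print(f'BURST parent {b["parent_pid"]} ({b["user"]}): {b["count"]} children '
              f'{b["children"]} between {b["start"]} and {b["end"]}')
```

Two prerequisites decide whether this works against real data: 4688 only carries the Creator Process Name and the command line when process-creation auditing is enabled and the "Include command line in process creation events" policy is on, and without those fields the parent test has nothing to match. Sysmon event ID 1 (Image, ParentImage, CommandLine) carries the same information, so the functions apply unchanged to Sysmon telemetry once the field names are mapped.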


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.