JSPSpy and 'Filebroser': A Custom File Management Tool in Webshell Infrastructure

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

Researchers have identified a cluster of JSPSpy web shell servers featuring 'Filebroser', a modified version of the open-source File Browser project. The infrastructure spans multiple hosting providers in China and the United States, using both cloud services and traditional ISPs. JSPSpy, a Java-based web shell first observed in 2013, has been used by various threat actors, including the Lazarus Group. The servers typically host JSPSpy on port 80, with one instance on port 8888. Two servers also host the 'filebroser' login panel on port 8001. Detection strategies for JSPSpy include analyzing login page titles and HTTP response headers. The presence of 'filebroser' alongside JSPSpy raises questions about its purpose in attack operations.

OPENCTI LABELS:

remote access, web shell, infrastructure, detection, jspspy, file management, filebroser, http headers


Open in the NetmanageIT OpenCTI public instance using the link below.

NOTE: Use the public read-only username and password shown on the login page banner.


JSPSpy and 'Filebroser': A Custom File Management Tool in Webshell Infrastructure