Feds Warn Healthcare Sector About Stealthy Godzilla Webshell
The Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) has warned the healthcare and public health (HPH) sector about a stealthy backdoor called the Godzilla webshell, which is being used by Chinese state-sponsored actors in offensive campaigns against critical infrastructure entities, including healthcare organizations.
The Godzilla webshell provides threat actors with persistent access to compromised networks and allows them to run commands, download additional files and tools, deliver and execute additional malware payloads, and modify, delete, and exfiltrate files. The webshell can also be used for reconnaissance, gathering information about the network, connected devices, installed applications, and software for use in later stages of an attack.
While the Godzilla webshell has been attributed to Chinese state-sponsored hackers, it is maintained by its developer in a publicly accessible repository, so it would be relatively trivial for threat actors, whether nation state or criminal, to obtain the webshell and modify and use the code in their own campaigns. There is concern that the tool will be adopted by ransomware groups for stealthy reconnaissance and data theft.
The Godzilla webshell was developed by an individual who uses the moniker BeichenDream at a time when many of the webshells used by cyber actors were being detected. The Godzilla webshell addresses that problem by executing in memory and encrypting its network traffic with Advanced Encryption Standard (AES) encryption. A threat actor would still need to deliver the webshell, for instance by first exploiting an unpatched vulnerability, but once it is deployed the compromise is difficult to detect, and the threat actor could move laterally and perform a range of actions without being noticed.
The Godzilla webshell has been used in multiple campaigns in combination with the exploitation of a vulnerability in Zoho’s ManageEngine ADSelfService Plus (CVE-2021-40539), and in February 2023, the M00nlight (APT Dalbit) threat actor used the Godzilla webshell in a multi-sector campaign against more than 50 targets, including pharmaceutical firms. The Godzilla webshell is considered a serious threat to the HPH sector, and all healthcare organizations should take steps to harden their defenses by following the recommended mitigations detailed in the alert.