HC3 – TLP Clear Analyst Note: The Godzilla Webshell
November 12, 2024
Executive Summary
Godzilla webshell is a tool used by cyber threat actors to execute commands, manipulate files, and carry out other malicious activity on victim systems as part of a larger cyberattack. It has been attributed to Chinese state threat actors with relatively high confidence and has been used to target a number of industries, including the health sector. It is publicly available and therefore accessible to any number of bad actors, and should be treated as a serious threat. This article concludes with defense and mitigation recommendations, which we implore all healthcare organizations to review and action in accordance with their risk mitigation plan.
What is Godzilla?
Godzilla webshell is a Chinese-language backdoor created by an individual who goes by the online handle BeichenDream. BeichenDream claims Godzilla was created in response to existing webshells that are often detected in attacks; Godzilla avoids detection by using Advanced Encryption Standard (AES) encryption for its network traffic, which makes its command-and-control exchanges harder to identify by inspecting content.

Godzilla is considered highly capable and full of functionality. It facilitates file management and manipulation, including uploading, downloading, deleting, and modifying files on a victim system. It also allows the execution of files and commands—one of the primary functions of any webshell. It allows for reconnaissance, such as the collection of details related to operating systems, network configurations, and versions of software and applications. It facilitates the maintenance of persistent access. As previously noted, it is capable of encryption. It also executes in memory, or “filelessly”, which further complicates detection.

There are a number of reports that attribute Godzilla to the Chinese government. We recommend that this be understood as probable, but not certain. It is also worth noting that BeichenDream maintains Godzilla, including its code, on a publicly accessible repository. This means it is relatively trivial for another threat actor—foreign government, cybercriminal gang, or anyone else—to acquire, modify, and utilize the code in accordance with their unique purposes.
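Because the webshell's traffic is AES-encrypted, a content signature for command keywords will not fire on it; what remains visible to a defender is the shape of the exchange: POST requests to a script endpoint carrying bodies that look like ciphertext. The following is an added illustration written for this note, not code from the HC3 report or from the Godzilla project. It scores constructed sample requests (the paths, bodies, and the `SAMPLE_REQUESTS` structure are all assumptions, not observed indicators) with a byte-entropy heuristic so that an analyst can see why encrypted webshell traffic stands out from ordinary form submissions even when its contents cannot be read.

```python
import math
import re
from typing import Dict, List

# Constructed sample requests modeled loosely on a web server log with the request
# body attached. These are NOT real Godzilla indicators; they exist only so the
# heuristic below has something to run over.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/index.html", "body": b""},
    {"method": "POST", "path": "/login.php",
     "body": b"user=alice&password=hunter2&submit=1"},
    # Stand-in for an AES-encrypted payload: every byte value equally likely,
    # which is what ciphertext looks like to an entropy measure.
    {"method": "POST", "path": "/images/cache.jsp", "body": bytes(range(256)) * 4},
    {"method": "POST", "path": "/api/upload",
     "body": b'{"file":"report.pdf","size":1024}'},
]

# Server-side script extensions a webshell is typically dropped as (assumed list).
SCRIPT_EXT = re.compile(r"\.(jsp|jspx|php|aspx|ashx)$", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum and typical of ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def score_request(req: Dict, min_body: int = 64,
                  entropy_threshold: float = 7.0) -> Dict:
    """Flag a request only when BOTH signals are present: a POST to a script
    endpoint and a body long enough and random enough to resemble ciphertext.
    Thresholds are illustrative assumptions and should be tuned per environment."""
    reasons: List[str] = []
    if req["method"] == "POST" and SCRIPT_EXT.search(req["path"]):
        reasons.append("post-to-script")
    ent = shannon_entropy(req["body"])
    if len(req["body"]) >= min_body and ent >= entropy_threshold:
        reasons.append("high-entropy-body")
    return {
        "path": req["path"],
        "entropy": round(ent, 2),
        "suspicious": len(reasons) == 2,
        "reasons": reasons,
    }


def triage(requests: List[Dict]) -> List[Dict]:
    """Score every request; callers should review the 'suspicious' entries."""
    return [score_request(r) for r in requests]


if __name__ == "__main__":
    for result in triage(SAMPLE_REQUESTS):
        print(result)
```

This is a triage signal, not a detection on its own: legitimate file uploads and compressed responses also produce high-entropy bodies, so the heuristic is only useful when paired with the script-endpoint condition and reviewed alongside web server file-integrity checks, which is where an in-memory, encrypted webshell is otherwise hard to see.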