We cannot determine why this code snippet had been embedded in | 🇮🇷 Bax 026 Of Iran 🇮🇷

We cannot determine why this code snippet had been embedded into the WebShell, and whether it was provided to Lebanese Cedar APT by ITSecTeam or obtained unknowingly.

“Mamad Warning Sheller” WebShell

During a response to a recent incident, ClearSky researchers detected an ASPX file called ‘Pars.aspx’. An in-depth analysis of the file revealed that it is a WebShell developed by a hacker dubbed ‘Mamad Warning’. The WebShell name provides a basis for our assumption that the hacker is a member of the Iranian hacktivist group ‘Persian Hacker’ or ‘Iranian Hacker’, also dubbed ‘Pars’. This hacker has been actively defacing Middle East websites, often government-owned.

In September 2020, the United States Justice Department indicted two hackers who are part of the group for defacing websites worldwide with pro-Iranian messages, such as promoting Ghasem Soleimani’s photo. The first hacker is Mrb3hz4d from Iran, and the second is Mrwn007, allegedly a stateless national of the Palestinian Authority. Mamad himself was not indicted by the Justice Department, and we do not know if his origin is Iran, the Palestinian Authority or Lebanon. Unlike the other two hackers, Mamad is still active in ‘Iranian Hackers’, which also goes by the handle ‘Bax 026’ [5].

The WebShell features three key modules:

• BindShell – The module is almost identical to the ‘Shell Connection’ module of the “Caterpillar” WebShell, which had been reviewed in detail above.
• Replicate – The module enables an attacker to create a new folder within the WebShell.