Antak

Antak is a type of malware, specifically a webshell, that has been detected on SharePoint servers. The Antak webshell, as depicted in Figure 2, was loaded onto the server and used to upload additional tools for post-exploitation. In addition to Antak, several other webshells were also installed on the SharePoint server, indicating a multi-pronged cyber attack. The Antak webshell variant identified was 'error2.aspx', which was used to upload post-exploitation tools. The installation of another known malware, China Chopper, along with the uploading of Emissary Panda-related custom payloads to the Antak webshell, suggests a possible connection to the threat group that has previously used China Chopper to compromise servers. This group has routinely exploited vulnerable web servers of targeted organizations to install web shells, such as Antak and ASPXSPY, and has used stolen legitimate credentials to compromise externally facing Outlook Web Access (OWA) resources. Both China Chopper-related webshells and the Antak webshell can be easily obtained from publicly accessible repositories, indicating a potential risk for widespread use by multiple groups. The specific variant of Antak found in this instance was version v0.5.0, an older version of the webshell that was updated in August 2015 to version v0.7.6 to include basic authentication functionality and the ability to perform SQL queries. It's plausible that the actors obtained Antak v0.5.0 from either the Nishang GitHub repository or SecWiki’s GitHub, both of which host the v0.5.0 version of Antak. The use of this older version may indicate either a lack of access to more recent versions or a strategic choice based on the specific vulnerabilities being exploited.