Aspxtool

Malware updated 4 months ago (2024-05-04T20:44:42.147Z)
ASPXTool is a type of malware, specifically a modified version of the ASPXSpy web shell. This malicious software is designed to infiltrate and exploit computer systems, often entering undetected through suspicious downloads, emails, or websites. Once inside a system, it can steal personal information, disrupt operations, or hold data hostage for ransom.

The TG-3390 threat actors have been known to leverage existing ASPXTool web shells in their operations, typically opting to issue commands via an internally accessible web shell rather than using HttpBrowser or PlugX. ASPXTool is used in particular to facilitate lateral movement within a network: it is deployed to internally accessible systems running Internet Information Services (IIS), which allows the adversaries to gain access to servers inside a target's network. This IIS-specific web shell is one of the unique tools used by the TG-3390 group, demonstrating their sophisticated and targeted approach to cyber exploitation.

In addition to ASPXTool, the TG-3390 group has also been noted for its use of the OwaAuth tool. This is another distinct piece of malware, serving as both a credential-stealing tool and a web shell. It is specifically designed to attack Microsoft Exchange servers running the Web Outlook interface. The combined use of these two tools, ASPXTool and OwaAuth, reflects the group's strategic approach to gaining and maintaining access within their targets' networks.
Description last updated: 2023-11-29T04:00:00.145Z
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the Aspxtool malware was read from the documents listed below.

Source: MITRE. Created: 2 years ago. Title: Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”
Source: MITRE. Created: 2 years ago. Title: Threat Group-3390 Targets Organizations for Cyberespionage