Security Arsenal is tracking active targeting of the manufacturing sector, specifically the Indian branch of a global manufacturer, by a suspected China-linked threat actor. The attackers have deployed a previously undocumented malicious software dubbed TencShell. The intrusion leverages an open-source offensive toolkit to gain initial access, followed by the deployment of this custom backdoor.
For defenders in the manufacturing and industrial sectors, this signals a shift toward more tailored post-exploitation tools rather than generic web shells. The use of open-source toolkits lowers the barrier to entry for the initial foothold, while TencShell provides the persistence and command-and-control (C2) capabilities required for data exfiltration and lateral movement. Immediate action is required to identify open-source toolkit exploitation signatures and hunt for the TencShell payload.
Technical Analysis
- Affected Products & Platforms: While the specific software vulnerability exploited by the open-source toolkit was not disclosed in the initial reporting, the target profile (global manufacturer) and the "Shell" nomenclature suggest Linux-based web servers or network edge devices are the primary entry point.
- Threat Actor: Suspected China-nexus group, exhibiting traits consistent with focused espionage operations against supply chain and manufacturing entities.
- Malware: TencShell. This appears to be a custom backdoor or web shell variant designed to provide remote access.
- Attack Chain:
- Initial Access: Exploitation of a vulnerability using an open-source offensive toolkit (likely targeting public-facing web services or VPN interfaces).
- Execution: Deployment of TencShell on the compromised host.
- C2: Establishment of a reverse shell or callback to actor-controlled infrastructure.
- Exploitation Status: Confirmed active exploitation (ITW) against a live target in India. This is not a theoretical proof-of-concept.
Detection & Response
The following detection rules and hunt queries are designed to identify the behaviors associated with open-source toolkit exploitation and the specific deployment of the TencShell backdoor.
Sigma Rules
---
title: Potential TencShell Malware Execution
id: 8a4b2c19-6d3e-4f1a-9b5c-3e2a1b0c9d8f
status: experimental
description: Detects the execution of processes or scripts matching the naming convention of the TencShell backdoor reported in recent manufacturing sector attacks.
references:
- https://www.infosecurity-magazine.com/news/china-hackers-tencshell-malware/
author: Security Arsenal
date: 2024/05/21
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection:
Image|contains:
- 'TencShell'
- 'tencshell'
CommandLine|contains:
- 'TencShell'
- 'tencshell'
condition: selection
falsepositives:
- Legitimate administrative scripts utilizing this exact string (unlikely)
level: critical
---
title: Linux Web Server Spawning System Shell
id: 9c5d3e20-7e4f-5g2a-0c6d-4f3b2c1d0e9a
status: experimental
description: Detects web server processes (apache, nginx) spawning bash or sh shells, a common behavior for open-source toolkit web shells and backdoors like TencShell.
references:
- https://www.infosecurity-magazine.com/news/china-hackers-tencshell-malware/
author: Security Arsenal
date: 2024/05/21
tags:
- attack.initial_access
- attack.t1190
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith:
- '/apache2'
- '/httpd'
- '/nginx'
- '/java' # Tomcat/Java web apps
Image|endswith:
- '/bash'
- '/sh'
- '/zsh'
condition: selection
falsepositives:
- Legitimate server administration scripts
- CGI script execution
level: high
KQL (Microsoft Sentinel / Defender)
The following KQL query hunts for process anomalies indicative of the open-source toolkit exploitation used to drop TencShell.
// Hunt for web server processes spawning shells on Linux (ingested via Syslog/CEF or DeviceEvents)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where initiatingProcessFileName in ("apache2", "httpd", "nginx", "java", "tomcat")
| where ProcessFileName in ("bash", "sh", "zsh", "python", "perl", "nc")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessFileName, ProcessCommandLine
| extend TencShellIndicator = iff(ProcessCommandLine contains "TencShell" or ProcessCommandLine contains "tencshell", "Potential TencShell", "Suspicious Shell Spawn")
| order by Timestamp desc
Velociraptor VQL
This VQL artifact hunts for the presence of TencShell or suspicious modified files in common web directories.
-- Hunt for TencShell related files and recent modifications in web roots
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs="/*")
WHERE FullName =~ "TencShell"
OR Name =~ "tencshell"
-- Complementary hunt for recently created PHP/SH/JSP files in web roots (Generic Web Shell Hunt)
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs="/var/www/html/**/*.php")
WHERE Mtime > now() - 7d
OR Size < 5kb
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs="/var/www/html/**/*.sh")
WHERE Mtime > now() - 7d
Remediation Script (Bash)
This script assists in the identification and temporary containment of the TencShell threat on Linux endpoints. Note that full eradication requires forensic analysis to determine the initial access vector.
#!/bin/bash
# TencShell Response Script for Linux
# Usage: sudo ./check_tencshell.sh
echo "[*] Scanning for TencShell artifacts..."
# 1. Check for running processes with the name TencShell
if pgrep -i "tencshell"; then
echo "[!] ALERT: TencShell process detected. Killing process..."
pkill -9 -i "tencshell"
else
echo "[+] No TencShell processes currently running."
fi
# 2. Scan common web directories for suspicious files
WEB_DIRS=("/var/www/html" "/usr/local/nginx/html" "/opt/tomcat/webapps")
for dir in "${WEB_DIRS[@]}"; do
if [ -d "$dir" ]; then
echo "[*] Scanning $dir for recently modified files..."
# Find files modified in the last 7 days
find "$dir" -type f -mtime -7 -name "*.php" -o -name "*.jsp" -o -name "*.sh" | while read file; do
echo " [?] Suspicious recent file: $file"
# Optional: grep for specific TencShell strings if known
# strings "$file" | grep -i "tencshell" && echo " [!] MATCH FOUND IN $file"
done
fi
done
echo "[*] Checking for established outbound connections from non-standard shells..."
# List established connections from bash/sh that are not local
netstat -antp 2>/dev/null | grep ESTABLISHED | grep -E "(bash|sh|/usr/bin/python)" | awk '{print $5}' | cut -d: -f1 | sort -u
echo "[+] Scan complete. Review the output above for Indicators of Compromise."
echo "[!] Next Steps: Isolate affected host, rotate credentials, and review web server logs for exploit attempts."
Remediation
- Isolation: Immediately isolate any identified compromised hosts from the network to prevent lateral movement and data exfiltration.
- Patch and Update: Ensure all public-facing infrastructure (web servers, VPNs, CMS platforms) are fully patched. While the specific CVE is not yet disclosed, the use of an "open source offensive toolkit" strongly implies exploitation of a known, unpatched vulnerability.
- Credential Reset: Assume all credentials (service accounts, database credentials, and SSH keys) on the compromised host have been stolen. Force a password rotation and key regeneration.
- Web Shell Removal: Simply deleting the TencShell file is insufficient. Perform a full forensic image acquisition of the system before cleanup to identify persistence mechanisms (e.g., cron jobs, systemd services).
- Log Analysis: Review web server access logs (
access.log,error.log) for the time period preceding the malware discovery. Look for indicators of the open-source toolkit usage, such as unusual POST requests, encoded payloads, or enumeration attempts.
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.