The IronPanda_Webshell_JSP YARA rule detects a web shell that adversaries drop among web application components to keep a persistent backdoor, run commands on the host and exfiltrate data. Despite the name, the three strings below are C#/ASP.NET server-side code driving Microsoft SQL Server (xp_cmdshell and bcp via Bin_ExecSql, de.Key.ToString(), an ASP.NET postback link), so hunting should cover .aspx/.ashx/.asmx content as well as .jsp files. The rule is a file-content signature: run it over web roots, upload directories and temp folders with YARA or an EDR that supports YARA, and route the hits into Azure Sentinel (now Microsoft Sentinel) so SOC teams can triage them for data theft and lateral movement.
YARA Rule
rule IronPanda_Webshell_JSP
{
    meta:
        description = "Iron Panda Malware JSP"
        author = "Florian Roth"
        reference = "https://goo.gl/E4qia9"
        date = "2015-09-16"
        hash = "3be95477e1d9f3877b4355cff3fbcdd3589bb7f6349fd4ba6451e1e9d32b7fa6"
    strings:
        // MSSQL xp_cmdshell running bcp to export the bin_temp table to a file on disk
        $s1 = "Bin_ExecSql(\"exec master..xp_cmdshell'bcp \\\"select safile from \" + db + \"..bin_temp\\\" queryout \\\"\" + Bin_TextBox_SaveP" ascii
        // server-side generated "Close" link built with the shell's Bin_PostBack helper
        $s2 = "tc.Text=\"<a href=\\\"javascript:Bin_PostBack('zcg_ClosePM','\"+Bin_ToBase64(de.Key.ToString())+\"')\\\">Close</a>\";" fullword ascii
        // cleanup of the bin_temp scratch table used by the export in $s1
        $s3 = "Bin_ExecSql(\"IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp\");" fullword ascii
    condition:
        // files of 330 KB or more never match, regardless of content
        filesize < 330KB and 1 of them
}
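The following script is an added example, not Florian Roth's code and not a YARA engine: it reproduces the rule's condition (filesize < 330KB and any one of the three literals, with YARA's fullword boundary check on $s2 and $s3) so the strings can be tested against an upload directory without installing YARA, and adds a SHA-256 allowlist for files a human has already reviewed. The sample files, paths and the helper names (emulate_rule, triage, scan_tree) are constructed for the demonstration.

```python
"""Offline emulation of the IronPanda_Webshell_JSP condition (added example,
not the rule author's code). Constructed samples only; no real malware."""
import hashlib
import os
import tempfile

MAX_SIZE = 330 * 1024  # YARA's "330KB" is 330 * 1024 bytes

# The rule's literals with YARA escapes resolved (\" -> ", \\ -> \);
# the bool is the fullword modifier.
STRINGS = {
    "$s1": (rb"""Bin_ExecSql("exec master..xp_cmdshell'bcp \"select safile from " + db + "..bin_temp\" queryout \"" + Bin_TextBox_SaveP""", False),
    "$s2": (rb"""tc.Text="<a href=\"javascript:Bin_PostBack('zcg_ClosePM','"+Bin_ToBase64(de.Key.ToString())+"')\">Close</a>";""", True),
    "$s3": (rb"""Bin_ExecSql("IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp");""", True),
}


def _alnum(byte: int) -> bool:
    return bytes([byte]).isalnum()


def find_string(data: bytes, pattern: bytes, fullword: bool) -> int:
    """Offset of the first occurrence passing the fullword check, else -1.
    YARA's fullword rejects a hit whose neighbouring bytes are alphanumeric."""
    start = 0
    while (idx := data.find(pattern, start)) >= 0:
        end = idx + len(pattern)
        before_ok = idx == 0 or not _alnum(data[idx - 1])
        after_ok = end == len(data) or not _alnum(data[end])
        if not fullword or (before_ok and after_ok):
            return idx
        start = idx + 1
    return -1


def emulate_rule(data: bytes) -> dict:
    """Apply `filesize < 330KB and 1 of them` to one file's bytes."""
    matched = {}
    for name, (pattern, fullword) in STRINGS.items():
        offset = find_string(data, pattern, fullword)
        if offset >= 0:
            matched[name] = offset
    return {
        "match": len(data) < MAX_SIZE and bool(matched),
        "matched": matched,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage(data: bytes, allowlist: frozenset = frozenset()) -> str:
    """'clean', 'match', or 'allowlisted' (matched, but the hash was reviewed)."""
    result = emulate_rule(data)
    if not result["match"]:
        return "clean"
    return "allowlisted" if result["sha256"] in allowlist else "match"


def scan_tree(root: str, allowlist: frozenset = frozenset()) -> dict:
    """Walk a web root; the size condition is checked before a file is read."""
    verdicts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.getsize(path) >= MAX_SIZE:
                verdicts[rel] = "clean"  # filesize < 330KB is false: cannot match
                continue
            with open(path, "rb") as fh:
                verdicts[rel] = triage(fh.read(), allowlist)
    return verdicts


# Constructed samples: a benign JSP, an ASP.NET page carrying $s3, and the
# same literal glued to a letter, which the fullword modifier rejects.
BENIGN_JSP = b'<%@ page language="java" %>\n<html><body>Hello ${user}</body></html>\n'
SHELL_FRAGMENT = (b'<%@ Page Language="C#" %>\n<script runat="server">\n'
                  b'void Bin_Drop() { ' + STRINGS["$s3"][0] + b' }\n</script>\n')
GLUED_FRAGMENT = b"x" + STRINGS["$s3"][0]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "app/index.jsp": BENIGN_JSP,
            "uploads/img.aspx": SHELL_FRAGMENT,
            "uploads/glued.aspx": GLUED_FRAGMENT,
            "uploads/big.aspx": SHELL_FRAGMENT + b"\n" * MAX_SIZE,
        }
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        reviewed = frozenset({emulate_rule(SHELL_FRAGMENT)["sha256"]})
        for label, allow in (("no allowlist", frozenset()), ("after review", reviewed)):
            print(f"-- {label}")
            for rel, verdict in sorted(scan_tree(root, allow).items()):
                print(f"{verdict:12} {rel}")
```

Two points the run makes visible: the oversized copy of the same page is reported clean because the size condition fails before any string is checked, and the glued copy is reported clean because $s3 carries fullword, whereas $s1, which does not, would still match in that position. The hash allowlist is the narrow form of exclusion to prefer over path- or process-based filters.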
Deployment notes: the rule contains three string patterns, and a file matches when it is smaller than 330 KB and contains any one of them. $s2 and $s3 carry the fullword modifier, so the literal must not sit directly against an alphanumeric character. Because all three are verbatim fragments of the shell's source, the false-positive scenarios below are unlikely; when an exclusion is needed, scope it as narrowly as possible (exact path plus process, or better a reviewed file hash) rather than excluding a whole process or directory tree.
Scenario: Legitimate JSP File Upload via DevOps Pipeline
Description: A CI/CD pipeline (for example Jenkins) deploys a JSP or ASPX file as part of a release, and a file scanner running the rule raises an alert on the deployment path.
Filter/Exclusion: process.parent_process_name contains "jenkins" AND file.path contains "/devops/deploy/" (combine the conditions with AND; a clause such as file.name != "update.jsp" OR'd with the rest would suppress alerts on every file not called update.jsp, and an attacker holding the pipeline's credentials can deploy through it, so the artifact should still be reviewed before the exclusion is approved).
Scenario: Scheduled Job Generating Dynamic JSP Content
Description: A scheduled job (cron or Windows Task Scheduler) writes JSP pages for reporting or data aggregation into a known directory.
Filter/Exclusion: process.parent_process_name contains "crond" AND file.path contains "/scripts/scheduled_jobs/" (do not exclude on process.name contains "scheduler" alone: cron jobs and scheduled tasks are also a common persistence mechanism, and generated report pages have no reason to contain xp_cmdshell or bcp calls).
Scenario: Admin Task to Generate JSP Reports
Description: An administrator uses a tool such as Apache JMeter or a PowerShell script to generate JSP-based reports for internal use.
Filter/Exclusion: file.path contains "/reports/" AND (process.name contains "jmeter" OR process.name contains "powershell") (keep the path condition; a blanket exclusion on process.name contains "powershell" would blind the rule to one of the tools attackers most often use to write and stage web shells).
Scenario: Use of JSP for API Gateway or Proxy Configuration
Description: A JSP file is part of a routing or proxy configuration hosted on Apache Tomcat (Nginx does not execute JSP, so a JSP inside an Nginx proxy configuration is itself worth a look).
Filter/Exclusion: file.path contains "/config/proxy/" (never exclude on process.name contains "tomcat" or process.name contains "nginx": the web server is exactly the process that writes and serves an uploaded web shell, so excluding it disables the rule for the case it was written for).
Scenario: Benign File That Matches the Signature
Description: A user uploads a file that the rule matches but that review shows to be benign, for example a copy of the shell's source kept as a detection test case or in a research repository. Because the three strings are verbatim fragments of the shell, ordinary application code is not expected to match, so such a file is excluded by its hash after review, never by name or path.
Filter/Exclusion: `file.md5 !=