
HC3 warns healthcare of Godzilla web shell backdoor

Cyberthreat actors have used Godzilla web shell to execute commands, manipulate files and avoid detection.

The HHS Health Sector Cybersecurity Coordination Center warned the healthcare sector about Godzilla web shell, a backdoor that researchers believe Chinese state cyberthreat actors have used to stealthily access victims' systems and perpetrate cyberattacks.

The web shell is a pervasive threat because it was designed to avoid detection, HC3 noted. An individual known by the handle BeichenDream created the Chinese-language backdoor for that purpose after existing web shells failed to bypass threat detection.

Cyberthreat actors have been observed using Godzilla web shell to execute commands and manipulate files, further embedding themselves into victims' systems and carrying out larger cyberattacks.

"Godzilla avoids detection by using Advanced Encryption Standard encryption for its network traffic, which makes it more difficult to detect," HC3 stated in an analyst note. "Godzilla is considered highly capable and full of functionality."

Like other web shells, it lets cyberthreat actors execute files and commands and conduct reconnaissance, including gathering details about network configurations and operating systems.

"There are a number of reports that attribute Godzilla to the Chinese government. We recommend that this be understood as probable, but not certain," HC3 noted.

"It is also worth noting that BeichenDream maintains Godzilla, including its code, on a publicly accessible repository. This means it is relatively trivial for another threat actor -- foreign government, cybercriminal gang or anyone else -- to acquire, modify and utilize the code in accordance with their unique purposes."

Known attack campaigns using Godzilla web shell include a series of attacks in November 2021 that used a ManageEngine ADSelfService Plus vulnerability, and a February 2023 campaign carried out by the advanced persistent threat Dalbit. In both cases, cyberthreat actors used Godzilla web shell to further their attacks against organizations in several sectors, including healthcare.

"Due to the high functionality and continuous development of Godzilla, it is not practical to attempt to compile a list of defense and mitigation steps to be implemented over any long period of time," HC3 stated.

Instead, HC3 recommended that healthcare organizations read about past Godzilla web shell campaigns through Cybersecurity and Infrastructure Security Agency reports, as well as defensive resources from the National Security Agency.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
