According to cybersecurity company Akamai, since October 17, 2023, hackers have been exploiting long-standing security vulnerabilities in ThinkPHP applications (such as CVE-2018-20062 and CVE-2019-9082) to deploy a web shell named Dama.
Akamai researchers Ron Mankivsky and Maxim Zavodchik stated: “The vulnerability attempts to retrieve more obfuscated code from another infected ThinkPHP server to gain an initial foothold. After successfully exploiting the system, the attackers will install a Chinese web shell named Dama to maintain persistent access to the server.”
The web shell is equipped with various advanced features, enabling it to collect system data, upload files, scan network ports, escalate privileges, and browse the file system. File system browsing, in turn, allows threat actors to edit and delete files and to modify timestamps for obfuscation purposes.