Catching the 'Ghost Gateway': GFSHELL Polymorphic Evasion
Source: Dev.to
Overview
During a routine security audit of a production environment with over 1,000 servers, Companion Sentinel identified an active GFSHELL (Gateway Framework Shell) infection that had evaded detection by several major security vendors. The malware employed sophisticated polymorphic evasion techniques to bypass three industry‑standard scanners.
Malware Components
The infection consisted of two distinct PHP files:
- Shell Generator –
check.php - Polymorphic Gateway –
gateway.php
check.php – Probe Script
The attacker first deployed a “Probe” script to fingerprint the server’s security configuration. The script performed the following checks:
- Audited the
disable_functionsdirective inphp.ini. - Verified the availability of high‑risk execution sinks (
proc_open,shell_exec,system). - Tested whether
getallheaders()was functional to enable silent, out‑of‑band communication.
gateway.php – Polymorphic Backdoor
After gathering environment data, the generator built a custom 15‑line backdoor. Instead of relying on standard GET/POST parameters, it listened for a custom HTTP header: authorization-bearer. Execution was performed via In‑Call Comment Injection, a technique designed to break heuristic regex signatures.
The comment blocks (/**auth**/ and /**array**/) interrupt the literal string shell_exec( that many static scanners look for, allowing the code to bypass signature‑based detection while remaining valid PHP.
Evasion Technique
Traditional security tools often search for patterns such as:
shell_exec\s*\(By inserting a comment between the function name and the opening parenthesis, the attacker broke the continuity of the string. To a PHP interpreter the comment is ignored, but to a naïve scanner it appears as an unrecognized token, effectively evading detection.
Detection Method – Recursive Heuristic Scanner
Companion Sentinel’s polymorphic_web sensor uses a recursive heuristic scanner that specifically looks for an injected comment block between an execution function and its opening parenthesis.
Why it works
- Zero false positives – Legitimate code rarely injects comments inside a function call.
- By targeting the malware DNA (the evasion pattern itself) rather than a specific file name or hash, the backdoor is identified instantly.
Behavioral Feed – Secondary Confirmation
Companion Sentinel’s XDR engine correlated multiple behavioral indicators:
| Indicator | Description |
|---|---|
shell_history_wipe | Detected an attempt to run history -c to erase the audit trail. |
crontab_persistence | Caught an unauthorized modification of /etc/crontab for persistence. |
react2shell_rce | Verified that the web runtime (Node.js/PHP) tried to spawn an abnormal child process (Bash). |
These signals provided corroborating evidence of the intrusion beyond the syntactic anomaly.
Conclusion
The GFSHELL incident demonstrates that modern infrastructure requires more than perimeter defenses; it needs high‑fidelity auditing that can detect both behavioral and syntactic anomalies. Companion Sentinel neutralized the threat by identifying the evasion technique rather than blocking a known file, resulting in a system that is now 99 % verified and protecting production assets globally.