Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/23/2021
05:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Inside the Web Shell Used in the Microsoft Exchange Server Attacks

The history and details of China Chopper - a Web shell commonly seen in the widespread Microsoft Exchange Server attacks.

China Chopper Web shells are an older threat causing new problems for many organizations targeted in ongoing attacks against vulnerable Microsoft Exchange Servers worldwide.

Related Content:

Microsoft Exchange Server Attacks: 9 Lessons for Defenders

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: Cartoon Caption Winner: In Hot Water

Since Microsoft patched a series of Exchange Server zero-days on March 2, what had previously been "limited and targeted" attacks quickly became a global issue as attackers weaponized the critical flaws. Security companies tracking the activity, including FireEye and Red Canary, noticed China Chopper Web shells played a consistent role in their observed attack patterns.

Less than two weeks after the flaws were disclosed, the DHS' Cybersecurity and Infrastructure Security Agency (CISA) updated its guidance on the vulnerabilities to include seven China Chopper Web shells connected to successful attacks against vulnerable Exchange Servers. 

China Chopper is not a new piece of malware. Researchers with FireEye first published research on the threat in 2013; Cisco Talos experts have dated samples back to 2010. It's a fairly simple backdoor that allows criminals to remotely access a target network and gain remote control.

A Web shell typically has client-side and server-side parts. China Chopper has a command-and-control (C2) binary, and a text-based Web shell payload that acts as the server component. As FireEye researchers note in an early report on the threat, this text-based payload is so simple that an attacker could type it by hand on a target server without the need for a file transfer.

"[It] was notable at the time because it was much smaller than some of the other Web shells that were commonly used and it still had a full set of features," says Ben Read, director of cyber espionage analysis at Mandiant. "Because it was smaller and more succinctly written, it was at the time picked up by fewer antiviruses." 

There are several ways China Chopper may get onto a target network. Some attackers employ zero-days, as seen in the Exchange Server attacks, but more often they target old versions of software running on Web-facing servers. This often includes website administration software, VPN servers, or email, he notes.

From there, it's a small but powerful post-exploitation tool. Once on a target, China Chopper can be used to remotely execute operating system commands and conduct activities such as uploading and executing additional tools, pivoting to other systems, and exfiltrating data. It can check out where the server is, what it's connected to, and where to pivot within the network.

"It's less of a specific functionality that it has, than it enables full access to the machine and then the attacker can do what they want," Read explains. Web shells work best when they're on an Internet-facing server because the attacker can directly call out to it. A backdoor, in contrast, usually initiates a callout from the point on the corporate network where it resides. 

Web servers and Exchange Servers are appealing targets because, as he notes, they're less likely to run antivirus or endpoint detection and response (EDR) tools. "You should – it's a best practice, but it is not uncommon for there not to be one," Read adds. There's less of an arms race to avoid antivirus tools in Web shells because the tools aren't as frequently deployed.

China Chopper appeals to attackers because it's easy to use but difficult to detect, explains Aviad Hasnis, CTO of Cynet. Its lightweight nature helps attackers fly under the radar and avoid detection. 

"The back end of it, the command-and-control part, is very straightforward," he says. "It has a graphical interface [and] it supports different types of programming languages, whether the Web shell is in PHP or ASP or Jscript." The GUI allows the attacker to conduct activity with a point-and-click interface, as well as a command line screen.

A Global Attacker Favorite

China Chopper's stealth and simplicity has made it an attacker tool used around the world.

In its early days, the Web shell was heavily used by Chinese groups believed to operate in support of China's government. By now it's no longer unique to Chinese nation-state groups, yet while they do continue to use China Chopper, it's now traded among global attackers – both advanced and less-skilled actors use it. 

"We've seen [it] in recent activities utilizing infrastructure located on US soil, but still there are widespread targets from the Middle East, to the far East, to Western and Eastern Europe, and of course in the United States, it's a global operation," says Shiran Grinberg, CyOps manager at Cynet. There is no specific country or continent targeted with the China Chopper Web shell.

Cynet has observed several advanced groups using China Chopper including Calypso, APT27, APT41, SoftCell, Leviathan, BronzeButler, and Tonto Team, among others. Grinberg notes that there has been additional use of China Chopper that hasn't been connected to a specific group. Cynet's data indicates much of its activity is focused on the finance and energy sectors but isn't limited to those industries.

Its widespread nature makes China Chopper an ideal fit for the widespread Microsoft Exchange Server attacks. An attacker targeting thousands of machines will inevitably be caught; as a result, they don't want to use a capability that people don't know about or that they want to remain secret. There is a greater likelihood a common Web shell like China Chopper will be detected than a novel one; however, the attack group isn't wasting a hidden novel capability.

For all the years it has been in use, the China Chopper Web shell has remained largely unchanged, says Vanja Svajcer, threat researcher with Cisco Talos, who says it's not unusual for a Web shell to be in use for this amount of time. 

"There have been modifications of its client to make its use easier for attackers but very little has changed on the server side," he says. "The server simply receives executable code from the client component and this executable code is interpreted by the executing environment, PHP or .NET ASP." 

Most of the changes that have been made to China Chopper are intended to better conceal it, Read notes. While its functionality has remained the same, attackers may put wrappers around it or encode it to evade detection by security tools.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24613
PUBLISHED: 2021-09-20
The Post Views Counter WordPress plugin before 1.3.5 does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed
CVE-2021-24618
PUBLISHED: 2021-09-20
The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated us...
CVE-2021-24635
PUBLISHED: 2021-09-20
The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, ...
CVE-2021-24636
PUBLISHED: 2021-09-20
The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them to open a malicious link
CVE-2021-24637
PUBLISHED: 2021-09-20
The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gu...