Trustwave researchers have analyzed China Chopper, a web shell used by the state-sponsored Hafnium hacking group, and called it a “slick little web shell that does not get enough exposure and credit for its stealth.”
Trustwave published their analysis today, on March 15.
China Chopper is one of the tools used by Hafnium, a group of cyberattackers originating from China that came into the spotlight through recent attacks exploiting four zero-day vulnerabilities in Microsoft’s Exchange Server — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
Besides Hafnium, the TEMP.Periscope/Leviathan, APT41/Double Dragon, and Bronze Union advanced persistent threat (APT) groups have used this popular web shell in the past for post-exploitation activities.
China Chopper is not new and has been in the wild for at least a decade.
It contains two components, a web shell command-and-control (C2) client and a text-based web shell payload. It is very small, weighing only four kilobytes.
“The text-based payload is so simple and short that an attacker could type it by hand right on the target server — no file transfer needed,” Trustwave notes.
There are different variants of China Chopper written in different languages – ASP, ASPX, PHP, JSP, and CFM. The Active Server Page Extended (ASPX) variety is typically no more than one line of code.
In its analysis of China Chopper, Trustwave describes how the malware uses ActiveX objects on the client it is running on to achieve reverse shells, file management, process execution, and much more.
“The POST request variable is named ‘secret,’ meaning any JScript contained in the ‘secret’ variable will be executed on the server,” the researchers say. “JScript is implemented as an active scripting engine allowing the language to use ActiveX objects on the client it is running on. This can be and is abused by attackers to achieve reverse shells, file management, process execution, and much more.”
A client component of China Chopper is usually hosted on an attacker’s system and facilitates communication. It is used for tasks such as running a virtual terminal to launch commands based on cmd.exe, downloading files, and executing other scripts.
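A defender reading the description above (a tiny, one-line ASPX file that selects the JScript engine and evaluates whatever arrives in a POST variable) can turn it into a triage check over a web content directory. The script below is an added example, not Trustwave's tooling; the file contents it scans are constructed samples, and the 4 KB size threshold is taken from the footprint the article cites.

```python
import re

# Size ceiling for "one-liner" candidates; the article cites a ~4 KB payload.
MAX_SIZE = 4096
# ASP.NET page directive selecting the JScript engine.
JSCRIPT_DIRECTIVE = re.compile(r'<%@\s*Page\b[^%]*Language\s*=\s*"?JScript"?', re.I)
# eval() fed directly from request data: the core China Chopper pattern.
EVAL_OF_REQUEST = re.compile(r'\beval\s*\(\s*Request\b', re.I)
# Names of request parameters the page reads (e.g. "secret"), for the analyst.
REQUEST_PARAM = re.compile(r'Request(?:\.Item|\.Form)?\s*[\[(]\s*"([^"]+)"', re.I)


def score_aspx(content: str) -> dict:
    """Return a verdict plus the reasons that fired, for analyst review."""
    reasons = []
    tiny = len(content.encode()) <= MAX_SIZE
    if tiny:
        reasons.append("tiny file")
    if JSCRIPT_DIRECTIVE.search(content):
        reasons.append("JScript page directive")
    if EVAL_OF_REQUEST.search(content):
        reasons.append("eval() over request data")
    if "eval() over request data" in reasons:
        verdict = "webshell-like"        # request data executed as code
    elif "JScript page directive" in reasons and tiny:
        verdict = "suspicious"           # JScript one-liner, eval may be obfuscated
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons,
            "params": REQUEST_PARAM.findall(content)}


def scan_files(files: dict) -> list:
    """Map {filename: content} to the names that are not clean."""
    return [name for name, body in files.items()
            if score_aspx(body)["verdict"] != "clean"]


# Constructed sample file contents (hypothetical, not captured from a host).
SAMPLES = {
    "shell.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["secret"]);%>',
    "contact.aspx": '<%@ Page Language="C#" %>\n<form runat="server">\n'
                    '<asp:TextBox id="name" runat="server"/>\n</form>',
}

if __name__ == "__main__":
    for name in scan_files(SAMPLES):
        print(name, score_aspx(SAMPLES[name]))
```

Run against a real web root, the same heuristic can be paired with file creation time and IIS request logs to spot POST traffic to a freshly dropped page.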
Last week, Check Point Research said the number of attacks abusing the vulnerabilities in Exchange Server was doubling every two to three hours with at least 10 APTs exploiting them and at least 82,000 servers remaining unpatched.