A nine-year-old web shell used for providing remote access to web servers for cyberattackers is staying very active despite its advanced age (in cyber-years, anyway). Researchers said they’ve spotted it being used in several recent campaigns – all with disparate goals.
The tool, known as China Chopper, allows attackers to retain access to an infected web server using a client-side application, according to Paul Rascagneres and Vanja Svajcer, researchers at Cisco Talos. The client contains all the logic required to control the target, which makes it very easy to use.
In campaigns stretching back over the course of two years, Cisco Talos observed Internet Information Services and Apache web servers compromised with China Chopper web shells. The initial injection of the code was likely carried out by exploiting known remote code execution or file inclusion vulnerabilities in older Oracle WebLogic or WordPress versions, according to the firm. Once established, the backdoor — which hasn’t been altered much since its inception nearly a decade ago — allows adversaries to execute various commands on the server, drop malware and more.
Under the Hood
China Chopper provides attackers with a simple GUI that allows them to configure servers to connect to and generate server-side code that must be added to the targeted website code in order to communicate, according to a Cisco Talos writeup on Tuesday. The backdoor supports .NET Active Server Pages or PHP.
The China Chopper client communicates with affected servers using HTTP POST requests. The only function of the server-side code is to evaluate the request parameter specified during the configuration of the server code in the client GUI, researchers said.
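Because the server-side component does nothing but evaluate a request parameter, a defender can look for exactly that shape in the web root. The script below is an added example, not code from the article or from Cisco Talos: it scans a handful of constructed PHP and ASP sample files for an eval-like call whose argument is fed directly from request data. The keyword list, the request-source patterns and the statement-boundary heuristic are generic assumptions made for this example (they will also match legitimate dynamic code and should be tuned), and the sample sources are written for illustration only.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed heuristics for this example: an eval/assert/execute call whose argument
# reads from a request variable. These are not signatures from the article.
EVAL_KEYWORD = re.compile(r"\b(?:eval|assert|execute)\b", re.IGNORECASE)
REQUEST_SOURCE = re.compile(
    r"\$_(?:POST|GET|REQUEST|COOKIE)\b"   # PHP superglobals
    r"|\bRequest\s*(?:\(|\.|\[)",         # classic ASP / ASP.NET Request object
    re.IGNORECASE,
)
# A statement ends at ';', a newline, or a closing script tag (approximation).
STATEMENT_END = re.compile(r";|\n|%>|\?>")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    statement: str


def _statement_tail(source: str, pos: int) -> str:
    """Return the text from pos up to the end of the enclosing statement."""
    end = STATEMENT_END.search(source, pos)
    return source[pos:end.start()] if end else source[pos:]


def find_eval_of_request(source: str) -> List[Tuple[int, str]]:
    """Return (line, statement) for every eval-like call fed by request data."""
    hits = []
    for m in EVAL_KEYWORD.finditer(source):
        tail = _statement_tail(source, m.end())
        if REQUEST_SOURCE.search(tail):
            line = source.count("\n", 0, m.start()) + 1
            hits.append((line, (m.group(0) + tail).strip()))
    return hits


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> source text (a real run would walk the web root)."""
    findings = []
    for path, source in files.items():
        for line, stmt in find_eval_of_request(source):
            findings.append(Finding(path, line, stmt))
    return findings


# Constructed sample files for this example. The three flagged ones are
# hypothetical one-liners of the shape the article describes (server-side code
# whose only job is to evaluate a request parameter); the others are benign.
SAMPLES = {
    "index.php": "<?php\n$page = $_GET['p'] ?? 'home';\necho htmlspecialchars($page);\n",
    "upload/cache.php": "<?php @eval($_POST['z']); ?>",
    "legacy/admin.asp": "<%eval request(\"cmd\")%>",
    "app/helper.aspx": "<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"k\"],\"unsafe\");%>",
    "lib/safe.php": "<?php\n$x = eval('return 1+1;');\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLES):
        print(f"{f.path}:{f.line}: {f.statement}")
```

Matches are worth triaging together with file timestamps and web server access logs: a recently written script under an upload or cache directory that receives only POST requests is the combination the article's description points to.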
Apart from the terminal, China Chopper includes a file manager (with the ability to create directories, download files and change file metadata), a database manager and a rudimentary vulnerability scanner.
Three Compromises
Cisco Talos highlighted three specific campaigns, each with different goals, tools and techniques, and likely carried out by different actors.
One was a recent espionage campaign targeting an Asian government. “China Chopper was used in the internal network, installed on a few web servers used to store potentially confidential documents,” the researchers noted. “The purpose of the attacker was to obtain documents and database copies.”
China Chopper automatically compressed the documents using WinRAR into an archive protected with a strong password containing uppercase, lowercase and special characters. The attacker also deployed additional tools to execute commands on the system, including a payload used to perform a database dump.
In terms of exfiltrating the file archives and the database dumps, the attacker simply mapped a local drive and copied the files to it, according to Cisco Talos, since the targeted server was in an internal network.
“The attacker must have access to the remote system in order to exfiltrate data,” the researchers said. “We already saw the usage of an HTTP tunnel tool to create a network tunnel between the infected system and a command-and-control (C2) server.”
In the second recent campaign, attackers targeted an organization in Lebanon. In that instance, an auxiliary public web site was compromised by several attackers for different purposes using China Chopper.
These included the deployment of ransomware (first Sodinokibi and then Gandcrab), and the dropping of a Monero cryptominer. The attackers also tried to get the local credentials stored in memory on the site using a PowerShell module, after which they tried to pivot internally by using the credentials and “net use” commands. And then, several remote-access tools such as Gh0stRAT and the Venom multi-hop proxy were deployed on the machine, as well as a remote shell written purely in PowerShell, according to the researchers.
And finally, Cisco Talos recently discovered an Asian web-hosting provider under attack in a campaign that used China Chopper to compromise several Windows servers over a period of 10 months. Once in, the adversaries carried out several activities.
“Generally, the attackers seek to create a new user and then add the user to the group of users with administrative privileges, presumably to access and modify other web applications hosted on a single physical server,” Rascagneres and Svajcer wrote. “When this wasn’t successful, they downloaded and installed an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite, as GetPassword.exe.”
The tool investigated the Local Security Authority Subsystem memory space in order to find, decrypt and display retrieved passwords; the attackers also dumped the database of the popular mobile game, Clash of Kings, possibly hosted on a private server.
The researchers also found another Monero cryptocurrency miner on a second compromised server. On a third server, adversaries tried to elevate privileges and modify the access control lists (ACLs) of all websites running on it, likely in order to compromise other sites or run a web defacement campaign, according to Cisco Talos. They also tried to harvest credentials.
And on a fourth server, the attacker tried to elevate privileges to modify other objects on the server, add a new user account and add the account to the administrative group.
“The attacker next logs on to the server with a newly created user account and launches a free tool replacestudio32.exe, a GUI utility that easily searches through text-based files and performs replacement with another string,” the researchers said. “Once again, this could be used to affect all sites hosted on the server or simply deface pages.”
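The sequence the researchers describe on the hosting provider's servers (create a new account, then add it to the administrators group) is recorded by Windows security auditing as event 4720 (a user account was created) followed by event 4732 (a member was added to a security-enabled local group). The following is an added example, not code from the article or from Cisco Talos: it correlates constructed Security-log records and raises an alert when a freshly created account lands in an administrative group within a short window. The event IDs are real; the admin-group list, the time window and the assumption that a subject account prefixed `IIS APPPOOL\` indicates the action came from a web application worker are assumptions made for this example, and the sample events are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Windows Security event IDs (real values).
ACCOUNT_CREATED = 4720            # a user account was created
LOCAL_GROUP_MEMBER_ADDED = 4732   # a member was added to a security-enabled local group

# Assumptions for this example: which local groups count as administrative, and
# which subject-account prefixes identify a web server worker identity.
ADMIN_GROUPS = {"administrators"}
WEB_WORKER_PREFIXES = ("IIS APPPOOL\\",)


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int
    subject: str        # account that performed the action
    target: str         # account created (4720) or added to the group (4732)
    group: str = ""     # group name, 4732 only


@dataclass(frozen=True)
class Alert:
    target: str
    subject: str
    created_at: datetime
    elevated_at: datetime
    severity: str


def correlate(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Alert on accounts added to an admin group within `window` of being created."""
    created: Dict[str, Event] = {}
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == ACCOUNT_CREATED:
            created[ev.target.lower()] = ev
        elif ev.event_id == LOCAL_GROUP_MEMBER_ADDED and ev.group.lower() in ADMIN_GROUPS:
            birth = created.get(ev.target.lower())
            if birth is None or ev.time - birth.time > window:
                continue  # long-standing account, or no creation seen: not this pattern
            prefixes = tuple(p.upper() for p in WEB_WORKER_PREFIXES)
            from_web = ev.subject.upper().startswith(prefixes)
            alerts.append(Alert(ev.target, ev.subject, birth.time, ev.time,
                                "high" if from_web else "medium"))
    return alerts


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample events for this example (not telemetry from the campaigns
# described in the article). Only svc_update and contractor match the pattern.
EVENTS = [
    Event(_t("2019-08-27T02:14:03"), 4720, "IIS APPPOOL\\DefaultAppPool", "svc_update"),
    Event(_t("2019-08-27T02:14:09"), 4732, "IIS APPPOOL\\DefaultAppPool", "svc_update", "Administrators"),
    Event(_t("2019-08-27T09:30:00"), 4720, "CORP\\helpdesk", "jdoe"),
    Event(_t("2019-08-27T09:31:00"), 4732, "CORP\\helpdesk", "jdoe", "Remote Desktop Users"),
    Event(_t("2019-08-27T11:00:00"), 4732, "CORP\\helpdesk", "mlee", "Administrators"),
    Event(_t("2019-08-27T14:00:00"), 4720, "CORP\\helpdesk", "contractor"),
    Event(_t("2019-08-27T14:02:00"), 4732, "CORP\\helpdesk", "contractor", "Administrators"),
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"[{a.severity}] {a.target} created {a.created_at} by {a.subject}, "
              f"added to admin group at {a.elevated_at}")
```

The severity split matters in the hosting scenario the article describes: an account created by a help-desk user is routine, while one created by the identity a web application runs under is the signature of a web shell operator, and is the case to page on.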
Clearly, China Chopper can be used in a wide swathe of campaign types – all it takes is a vulnerable website.
“Insecure web applications provide an effective entry point for attackers and allow them to install additional tools such as web shells, conduct reconnaissance and pivot to other systems,” the researchers said, adding that the tool is “so easy to use.” They added, “despite the age, China Chopper is here to stay, and we will likely see it in the wild going forward.”
As for attribution, the researchers added that while China Chopper is a tool that has been used by some state-sponsored actors such as Leviathan and Threat Group-3390, actors with varying skill levels seem to be using it.
“Even nine years after its creation, attackers are using China Chopper without significant modifications,” the researchers said. “This web shell is widely available, so almost any threat actor can use it. This also means it’s nearly impossible to attribute attacks to a particular group using only presence of China Chopper as an indicator.”