Hafnium’s China Chopper: a ‘slick’ and tiny web shell for creating server backdoors
Researchers have provided insight into China Chopper, a web shell used by the state-sponsored Hafnium hacking group.
Hafnium is a group of cyberattackers originating from China. The collective recently came into the spotlight due to Microsoft linking them to recent attacks exploiting four zero-day vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — in Microsoft Exchange Server.
Microsoft says that Hafnium tends to strike targets in the United States, focusing on industries including defense, research, law, and higher education. While believed to be based in China, the group uses leased virtual private servers (VPS) in the US.
Due to the renewed interest in Hafnium, on Monday, Trustwave published an analysis of one of the group’s tools, China Chopper, which is a web shell widely used for post-exploitation activities.
The web shell has been detected in Exchange Server-related attacks alongside DearCry ransomware deployment.
China Chopper is not new and has been in the wild for at least a decade. The tiny web shell — coming in at only four kilobytes (.PDF) — contains two key components; a web shell command-and-control (C2) client binary and a text-based web shell payload, the server component.
“The text-based payload is so simple and short that an attacker could type it by hand right on the target server — no file transfer needed,” the team notes.
FireEye calls the tool a “slick little web shell that does not get enough exposure and credit for its stealth.”
There are different variants of China Chopper in the wild that are written in different languages — such as ASP, ASPX, PHP, JSP, and CFM — but they all have similar functions. The Active Server Page Extended (ASPX) variety, once it lands on a server already compromised via an exploit, for example, is typically no more than one line of code.
Red Canary notes that the .aspx web shell names are generally made up of eight random characters.
Upon examination of a China Chopper sample, Trustwave describes how when an HTTP POST request is made, the script calls the “eval” function to execute the string inside a POST request variable.
“The POST request variable is named “secret,” meaning any JScript contained in the “secret” variable will be executed on the server,” the researchers say. “JScript is implemented as an active scripting engine allowing the language to use ActiveX objects on the client it is running on. This can be and is abused by attackers to achieve reverse shells, file management, process execution, and much more.”
A client component of China Chopper is usually hosted on an attacker’s system to facilitate communication, which can be used for tasks such as running a virtual terminal to launch commands based on cmd.exe, downloading files, and executing other malicious scripts.
The researchers also noted corresponding .NET DLLs to China Chopper generated by ASP.NET runtime on compromised servers.
Red Canary has also identified a cluster of Microsoft Exchange Server attacks building from the use of this backdoor. Dubbed “Sapphire Pigeon,” multiple web shells are being dropped on compromised servers at different times — and in some cases, days before post-exploit activities begin.
Last week, Check Point Research said the rate of attacks leveraging the vulnerabilities was doubling every two to three hours.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0