China Chopper

China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. [1] It has been used by several threat groups. [2] [3]

ID: S0020
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

China Chopper's server component executes code sent via HTTP POST commands.[3]

Enterprise T1110 .001 Brute Force: Password Guessing

China Chopper's server component can perform brute force password guessing against authentication portals.[3]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

China Chopper's server component is capable of opening a command terminal.[4][1][5]

Enterprise T1005 Data from Local System

China Chopper's server component can upload local files.[3][1][5]

Enterprise T1083 File and Directory Discovery

China Chopper's server component can list directory contents.[3]

Enterprise T1070 .006 Indicator Removal on Host: Timestomp

China Chopper's server component can change the timestamp of files.[3][1][5]

Enterprise T1105 Ingress Tool Transfer

China Chopper's server component can download remote files.[3][1][5]

Enterprise T1046 Network Service Scanning

China Chopper's server component can spider authentication portals.[3]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

China Chopper's client component is packed with UPX.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

China Chopper's server component is a Web Shell payload.[1]

Groups That Use This Software

ID Name References
G0065 Leviathan

[3]

G0027 Threat Group-3390

[2][4][6][7]

G0093 Soft Cell

[8]

G0096 APT41

[9]

References