China Chopper

China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. [1] It has been used by several threat groups. [2] [3]

ID: S0020
Type: MALWARE
Platforms: Windows
Version: 2.0

Techniques Used

Domain ID Name Use
Enterprise T1110 Brute Force

China Chopper's server component can perform brute force password guessing against authentication portals.[3]

Enterprise T1059 Command-Line Interface

China Chopper's server component is capable of opening a command terminal.[4][1][5]

Enterprise T1005 Data from Local System

China Chopper's server component can upload local files.[3][1][5]

Enterprise T1083 File and Directory Discovery

China Chopper's server component can list directory contents.[3]

Enterprise T1046 Network Service Scanning

China Chopper's server component can spider authentication portals.[3]

Enterprise T1105 Remote File Copy

China Chopper's server component can download remote files.[3][1][5]

Enterprise T1064 Scripting

China Chopper's server component is a text based payload available in a variety of scripting languages. [1]

Enterprise T1045 Software Packing

China Chopper's client component is packed with UPX.[1]

Enterprise T1071 Standard Application Layer Protocol

China Chopper's server component executes code sent via HTTP POST commands.[3]

Enterprise T1099 Timestomp

China Chopper's server component can change the timestamp of files.[3][1][5]

Enterprise T1100 Web Shell

China Chopper's server component is a Web Shell payload.[1]

Groups That Use This Software

ID Name References
G0065 Leviathan [3]
G0027 Threat Group-3390 [2] [4] [6] [7]
G0093 Soft Cell [8]
G0096 APT41 [9]

References