China Chopper

China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. [1] It has been used by several threat groups. [2] [3]

ID: S0020
Type: MALWARE
Platforms: Windows
Version: 2.0

Techniques Used

Domain ID Name Use
Enterprise T1110 Brute Force China Chopper's server component can perform brute force password guessing against authentication portals.[3]
Enterprise T1059 Command-Line Interface China Chopper's server component is capable of opening a command terminal.[4][1][5]
Enterprise T1005 Data from Local System China Chopper's server component can upload local files.[3][1][5]
Enterprise T1083 File and Directory Discovery China Chopper's server component can list directory contents.[3]
Enterprise T1046 Network Service Scanning China Chopper's server component can spider authentication portals.[3]
Enterprise T1105 Remote File Copy China Chopper's server component can download remote files.[3][1][5]
Enterprise T1064 Scripting China Chopper's server component is a text based payload available in a variety of scripting languages. [1]
Enterprise T1045 Software Packing China Chopper's client component is packed with UPX.[1]
Enterprise T1071 Standard Application Layer Protocol China Chopper's server component executes code sent via HTTP POST commands.[3]
Enterprise T1099 Timestomp China Chopper's server component can change the timestamp of files.[3][1][5]
Enterprise T1100 Web Shell China Chopper's server component is a Web Shell payload.[1]

Groups

Groups that use this software:

Leviathan
Soft Cell
Threat Group-3390

References