China Chopper

China Chopper is a Web Shell hosted on Web servers that provides access back into an enterprise network; because the operator connects inbound to the shell over HTTP, it does not rely on an infected system calling back to a remote command and control server. [1] It has been used by several threat groups. [2] [3]

ID: S0020
Type: MALWARE
Platforms: Windows

Version: 2.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1110 | Brute Force | China Chopper's server component can perform brute force password guessing against authentication portals. [3]
Enterprise | T1059 | Command-Line Interface | China Chopper's server component is capable of opening a command terminal. [4] [1] [5]
Enterprise | T1005 | Data from Local System | China Chopper's server component can upload local files. [3] [1] [5]
Enterprise | T1083 | File and Directory Discovery | China Chopper's server component can list directory contents. [3]
Enterprise | T1046 | Network Service Scanning | China Chopper's server component can spider authentication portals. [3]
Enterprise | T1105 | Remote File Copy | China Chopper's server component can download remote files. [3] [1] [5]
Enterprise | T1064 | Scripting | China Chopper's server component is a text-based payload available in a variety of scripting languages. [1]
Enterprise | T1045 | Software Packing | China Chopper's client component is packed with UPX. [1]
Enterprise | T1071 | Standard Application Layer Protocol | China Chopper's server component executes code sent via HTTP POST commands. [3]
Enterprise | T1099 | Timestomp | China Chopper's server component can change the timestamp of files. [3] [1] [5]
Enterprise | T1100 | Web Shell | China Chopper's server component is a Web Shell payload. [1]
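As an added illustration (not part of the ATT&CK entry or of any cited report) of how the HTTP POST execution (T1071) and timestamp modification (T1099) rows above translate into hunting checks, the following Python scans a web root for a China Chopper style server component, a one-line script that hands a request parameter straight to eval(), and for files whose modification time has been pushed earlier than their inode change time, which is what a utime()-based timestamp edit leaves behind. The eval patterns are the PHP and ASP/ASPX shapes commonly attributed to China Chopper in public reporting rather than anything this page lists, the file names and contents are constructed samples, and TOLERANCE_SECONDS is an arbitrary threshold chosen here.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Signatures for the one-line server component: a script that hands an HTTP
# request parameter straight to eval(). These are the PHP and ASP/ASPX shapes
# commonly attributed to China Chopper in public reporting (assumption: the
# ATT&CK entry itself does not list them). The parameter name is operator-chosen.
SHELL_PATTERNS = [
    re.compile(r"@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.IGNORECASE),  # PHP
    re.compile(r"eval\s*\(?\s*Request(?:\.Item)?\s*[\[(]", re.IGNORECASE),     # ASP / ASPX
]

# A file whose mtime sits this far before its ctime is treated as backdated.
# utime() (what a timestamp-editing command uses) rewrites mtime, but the
# kernel still bumps ctime, so the two disagree. Arbitrary threshold (assumption).
TOLERANCE_SECONDS = 60

# Constructed sample web root: one benign page and two shell variants.
SAMPLES = {
    "index.php": "<?php echo 'hello'; ?>",
    "image.php": "<?php @eval($_POST['pass']); ?>",
    "default.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
}


def scan_content(text):
    """True if the script passes a request parameter directly to eval()."""
    return any(p.search(text) is not None for p in SHELL_PATTERNS)


def timestomped(path):
    """True when mtime predates ctime by more than TOLERANCE_SECONDS.

    On Linux/macOS st_ctime is the inode change time, which utime() cannot set.
    On Windows st_ctime is the creation time; a backdated mtime still lands
    before it, so the check fires, but for a different reason.
    """
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > TOLERANCE_SECONDS


def hunt(webroot):
    """Walk webroot and return {filename: [reasons]} for suspicious files."""
    findings = {}
    for path in Path(webroot).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        try:
            text = path.read_text(errors="replace")
        except OSError:
            text = ""
        if scan_content(text):
            reasons.append("eval-of-request")
        if timestomped(path):
            reasons.append("mtime-before-ctime")
        if reasons:
            findings[path.name] = reasons
    return findings


def build_demo_webroot():
    """Write the constructed samples to a temp dir and backdate the PHP shell
    by a year, mimicking the shell's timestamp-editing command."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for name, body in SAMPLES.items():
        (Path(root) / name).write_text(body)
    old = time.time() - 365 * 86400
    os.utime(Path(root) / "image.php", (old, old))
    return root


if __name__ == "__main__":
    for name, reasons in sorted(hunt(build_demo_webroot()).items()):
        print(f"{name}: {', '.join(reasons)}")
```

Run against the constructed root, the benign index.php is silent, default.aspx is flagged on content only, and image.php is flagged on both content and the mtime/ctime mismatch. The content check is deliberately narrow (eval of a request parameter) so it stays quiet on ordinary application code; broaden it only with corresponding tuning against the real web root.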

Groups

Groups that use this software:

Leviathan
Threat Group-3390

References