China Chopper

China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. [1] It has been used by several threat groups. [2] [3]

ID: S0020
Type: MALWARE
Platforms: Windows
Version: 2.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1110 | Brute Force | China Chopper's server component can perform brute force password guessing against authentication portals. [3] |
| Enterprise | T1059 | Command-Line Interface | China Chopper's server component is capable of opening a command terminal. [4] [1] [5] |
| Enterprise | T1005 | Data from Local System | China Chopper's server component can upload local files. [3] [1] [5] |
| Enterprise | T1083 | File and Directory Discovery | China Chopper's server component can list directory contents. [3] |
| Enterprise | T1046 | Network Service Scanning | China Chopper's server component can spider authentication portals. [3] |
| Enterprise | T1105 | Remote File Copy | China Chopper's server component can download remote files. [3] [1] [5] |
| Enterprise | T1064 | Scripting | China Chopper's server component is a text-based payload available in a variety of scripting languages. [1] |
| Enterprise | T1045 | Software Packing | China Chopper's client component is packed with UPX. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | China Chopper's server component executes code sent via HTTP POST commands. [3] |
| Enterprise | T1099 | Timestomp | China Chopper's server component can change the timestamp of files. [3] [1] [5] |
| Enterprise | T1100 | Web Shell | China Chopper's server component is a Web Shell payload. [1] |
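A defender-side illustration of the T1071 and T1100 rows above (the server component executes code delivered in HTTP POST requests to a script file on the web server): the detection below flags POST requests to server-side script files that are not known form handlers and arrive with no Referer, then counts them per client and path. This is an added example, not code from the ATT&CK page; the simplified W3C-style log layout, the allowlist and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed, simplified IIS W3C-style log lines (not from the ATT&CK page):
# date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) cs(Referer)
SAMPLE_LOG = """\
2019-10-01 10:00:01 203.0.113.7 GET /index.aspx 200 Mozilla/5.0 -
2019-10-01 10:00:05 203.0.113.7 POST /account/login.aspx 302 Mozilla/5.0 https://www.example.test/index.aspx
2019-10-01 10:02:11 198.51.100.23 POST /images/help.aspx 200 Mozilla/4.0 -
2019-10-01 10:02:14 198.51.100.23 POST /images/help.aspx 200 Mozilla/4.0 -
2019-10-01 10:02:20 198.51.100.23 POST /images/help.aspx 200 Mozilla/4.0 -
2019-10-01 10:03:00 203.0.113.9 GET /images/logo.png 200 Mozilla/5.0 https://www.example.test/index.aspx
"""

# Application endpoints that legitimately accept POST (constructed allowlist;
# in practice derive it from the deployed application's routes).
POST_ALLOWLIST = {"/account/login.aspx", "/contact.aspx"}

# Server-side script extensions a text-based web shell can be written in.
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|php\d?|jsp|cfm)$", re.IGNORECASE)

def parse_line(line):
    """Split one log line into a dict; returns None for blank or comment lines."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 8:
        return None
    keys = ("date", "time", "c_ip", "method", "uri_stem", "status", "ua", "referer")
    return dict(zip(keys, fields))

def is_suspect(rec):
    """POST to a script file that is not a known form handler, with no Referer:
    the shape of a command sent to a web shell's server component (T1071, T1100)."""
    return (rec["method"] == "POST"
            and SCRIPT_EXT.search(rec["uri_stem"]) is not None
            and rec["uri_stem"].lower() not in POST_ALLOWLIST
            and rec["referer"] == "-")

def find_webshell_candidates(log_text):
    """Return {(client_ip, uri_stem): count} for suspect requests, most frequent first."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspect(rec):
            hits[(rec["c_ip"], rec["uri_stem"])] += 1
    return dict(hits.most_common())
```

Candidates returned by `find_webshell_candidates` are leads to triage (file creation time, owner, content and whether the path belongs to the deployed application), not verdicts.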

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0065 | Leviathan | [3] |
| G0027 | Threat Group-3390 | [2] [4] [6] [7] |
| G0093 | Soft Cell | [8] |

References