Web Shells: China Chopper

China Chopper is a publicly available, well-documented web shell, in widespread use since 2012.

Web shells are malicious scripts which are uploaded to a target host after an initial compromise and grant an actor remote administrative capability.

Once this access is established, web shells can also be used to pivot to further hosts within a network.

In use

The China Chopper web shell is extensively used by hostile actors to remotely access compromised web servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device.

As China Chopper is just 4 Kb in size and has an easily modifiable payload, detection and mitigation are difficult for network defenders.

Capabilities

The China Chopper web shell has two main components: the China Chopper client, which is run by the attacker, and the China Chopper server, which is installed on the victim web server but is also attacker-controlled.

The web shell client can issue terminal commands and manage files on the victim server. Its MD5 hash is publicly available [3].

Web shell client: caidao.exe
MD5 hash: 5001ef50c7e869253a7c152a638eab8a

The web shell server is uploaded in plain text and can easily be changed by the attacker. This makes it hard to define a specific hash that can identify adversary activity.

In summer 2018, threat actors were observed targeting public-facing web servers vulnerable to CVE-2017-3066. The activity was related to a vulnerability in the web application development platform Adobe ColdFusion, which enabled remote code execution. China Chopper was intended as the second-stage payload, delivered once servers had been compromised, allowing the attacker remote access to the victim host.

After successful exploitation of a vulnerability on the victim machine, the text-based China Chopper is placed on the victim web server. Once uploaded, the web shell server can be accessed by the attacker at any time, using the client application. Once successfully connected, the attacker proceeds to manipulate files and data on the web server.

Capabilities include uploading and downloading files to and from the victim, using the file-retrieval tool 'wget' to download files from the internet to the target, and editing, deleting, copying, renaming, and even changing the timestamp of existing files.

Detection and protection

The most powerful defence against a web shell is to avoid the web server being compromised in the first place. Ensure that all the software running on public-facing web servers is up to date, with security patches applied. Audit custom applications for common web vulnerabilities [4].

One attribute of China Chopper is that every action generates an HTTP POST. This can be noisy and easily spotted if investigated by a network defender.

While the China Chopper web shell server upload is plain text, commands issued by the client are Base64 encoded, although this is easily decodable.

The adoption of Transport Layer Security (TLS) by web servers has resulted in web server traffic becoming encrypted, making detection of China Chopper activity using network-based tools more challenging.

The most effective way to detect and mitigate China Chopper is on the host itself (specifically on public-facing web servers). There are simple ways to search for the presence of the web shell using the command line on both Linux- and Windows-based operating systems [5].

To detect web shells more broadly, network defenders should focus on spotting either suspicious process execution on web servers (for example, PHP binaries spawning processes) or out-of-pattern outbound network connections from web servers. Typically, web servers make predictable connections to an internal network. Changes in those patterns may indicate the presence of a web shell. You can manage network permissions to prevent web-server processes from writing to directories where PHP can be executed, or from modifying existing files.

We also recommend that you use web access logs as a source of monitoring, for example through traffic analytics. Observing new unexpected pages or changes in traffic patterns can act as an early indicator.
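As an added illustration of the two points above (every China Chopper action is an HTTP POST, and web access logs can reveal new unexpected pages), the following Python script, which is not part of this report, parses constructed access-log lines and flags paths that are absent from a baseline of known pages and are only ever POSTed to. The log layout, the sample lines, the baseline set and the `min_posts` threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Common access-log layout (assumed): client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample log: routine browsing plus a burst of POSTs to a script that was
# never part of the site. IP addresses are from documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jul/2018:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.9 - - [12/Jul/2018:10:02:11 +0000] "POST /login.php HTTP/1.1" 302 0
198.51.100.9 - - [12/Jul/2018:10:02:30 +0000] "GET /search.php?q=cf HTTP/1.1" 200 1800
198.51.100.9 - - [12/Jul/2018:10:02:41 +0000] "POST /search.php HTTP/1.1" 200 1900
203.0.113.5 - - [12/Jul/2018:10:10:00 +0000] "POST /images/upload/tmp.php HTTP/1.1" 200 364
203.0.113.5 - - [12/Jul/2018:10:10:04 +0000] "POST /images/upload/tmp.php HTTP/1.1" 200 1200
203.0.113.5 - - [12/Jul/2018:10:10:09 +0000] "POST /images/upload/tmp.php HTTP/1.1" 200 88
203.0.113.5 - - [12/Jul/2018:10:10:15 +0000] "POST /images/upload/tmp.php HTTP/1.1" 200 410
""".splitlines()

# Pages the site is known to serve (assumed; build from a clean inventory of the web root).
KNOWN_PAGES = {"/index.php", "/login.php", "/search.php"}


def parse_line(line):
    """Return (client_ip, method, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("path").split("?", 1)[0], int(m.group("status"))


def find_post_only_unknown_paths(lines, known_pages, min_posts=3):
    """Flag paths outside the baseline that are only ever POSTed to.
    A web shell is driven purely by POSTs to a path the site never advertised, so an
    unknown path that is never fetched with GET and is POSTed to repeatedly warrants a
    host-side check. Returns {path: {"posts": n, "clients": {ip, ...}}}.
    """
    methods, posts, clients = defaultdict(set), defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, _status = rec
        methods[path].add(method)
        if method == "POST":
            posts[path] += 1
            clients[path].add(ip)
    return {
        p: {"posts": posts[p], "clients": clients[p]}
        for p in posts
        if p not in known_pages and methods[p] == {"POST"} and posts[p] >= min_posts
    }
```

On the constructed sample only /images/upload/tmp.php is flagged; /login.php is POST-only but in the baseline, and /search.php also receives GETs. Once TLS hides request bodies from network sensors, this server-side log is often the only place the POST pattern is still visible.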
