‘China Chopper’ web shell makes a comeback in Lebanon, other Asian countries

Malicious code first discovered nine years ago that has historically been used by groups associated with Chinese state-backed hacks has made a comeback, according to new research from Cisco’s Security and Intelligence Research Group, Talos.

The hacking tool is a web shell known as China Chopper. A web shell is a script that allows attackers to remotely access servers running web applications. This particular exploit is known for often being impervious to detection.

“China Chopper is a slick little web shell that does not get enough exposure and credit for its stealth,” FireEye researchers wrote in 2013 in their blog on the matter.

China Chopper’s code as historically been small, according to security researcher Keith Tyler, who wrote about the tool in 2012. That much appears to be the same now — Talos researchers note the most recent campaign has been “extremely simple,” containing just one line of code.

Despite the web shell’s stealth, its use has been exposed multiple times over the past several years. Although this public attention in some cases causes threat actors to regroup or stop their attacks, China Chopper has proliferated and the number of threat actors using it has possibly expanded over the last two years, Talos researchers found.

Each of the three most active campaigns identified by Talos employed different tools, techniques and goals, leading the researchers to believe different actors may be behind each one.

In a case affecting Lebanon and an Asian web-hosting provider, the attackers used the password-stealing tool Mimikatz to gain credentials. In at least two of the campaigns Talos details, attackers tried to execute a Monero cryptocurrency miner on a vulnerable server, and in the other successfully launched a mining payload.

• One campaign targeted an Asian government organization in order to steal documents and database copies by installing China Chopper on a few web servers.
• In a second campaign that appears to have multiple different actors, multiple different kinds of ransomware, including Sodinokibi and GandCrab, were used to target an organization in Lebanon. The attacks in this case were also successful in stealing some credentials in local memory and running remote access tools such as Gh0stRAT and Venom.
• A third campaign in the last two years targeted an Asian web-hosting provider and managed a 10-month long compromise of Windows servers. In this case, Talos assesses the goal was likely website defacement following the compromise, a tactic that can sometimes be used to issue a message, for instance political messages, to the host of the site or those that visit it.

Tricky attribution

Many researchers have linked previous China Chopper attacks with Chinese hackers, but Talos does not go so far as to attribute the latest campaigns.

Cybereason researchers noted that last year China Chopper was being used in an “advanced persistent attack” against telecommunications providers that used tools and techniques associated with Chinese threat actors, such as APT10.

Actors backed by states that have been linked with the Chinese, such as cyber-espionage group Leviathan or Threat Group-3390, have also used China Chopper. According to MITRE, Leviathan has overlap with what FireEye researchers have found on APT40, a threat group FireEye suspects plays a part in China’s efforts to modernize its naval capabilities. SecureWorks assessed in 2015 that Threat Group-3390, which has also used China Chopper and typically targets defense and government organizations, is backed by China.

Attribution of China Chopper generally, however, is not straightforward, according to Talos.

“This web shell is widely available, so almost any threat actor can use. This also means it’s nearly impossible to attribute attacks to a particular group using only presence of China Chopper as an indicator,” Talos researchers write. “Because it is so easy to use, it’s impossible to confidently connect it to any particular actor or group.”

This time around, there are forensic details, including the specific RAR command line in these attacks, that give Talos some reason to believe the actors may actually be different from before, Talos researchers note.