The China Chopper backdoor remains relevant, active, and effective even nine years after it was detected for the first time.
Over the past two years, several cybercriminals have used China Chopper as part of their malware campaigns, a Cisco Talos research group said in a blog post.The code is a web shell known as China Chopper. China Chopper allows attackers to remotely access servers running web applications.
According to the researchers, this shell is quite difficult to detect.
Despite the secrecy of the web shell, over the past few years it has been repeatedly seen in various malicious campaigns. In most cases, such public attention leads to the cessation of attacks by criminals, however, operators began to use it more often over the past two years.
“In our research, we discovered both Internet Information Services (IIS) and Apache web servers compromised with China Chopper web shells. We do not have additional data about how the web shell was installed, but there are several web application frameworks such as older versions of Oracle WebLogic or WordPress that may have been targeted with known remote code execution or file inclusion exploits”, — report Cisco Talos specialists.
On its blog, Cisco Talos talked about three campaigns that used China Chopper.
The first aimed at a government organization in Asia with the goal of stealing documents and bases’ copies. To do this, a China Chopper backdoor was installed on several servers.
Read also: MyDoom worm is already 15 years old, but it is still active
In the second case, the organization in Lebanon was subjected to a number of cyber ttacks, including with the use of the extortion software Sodinokibi and GandCrab. For data mining were used remote access, the Gh0stRAT and Venom tools.
The third campaign aimed at an Asian hosting provider. The attack on Windows servers lasted for 10 months.
According to experts, the web shell is widely available and can be used by any criminal. Thus, it is almost impossible to connect attacks with a specific group, relying solely on the presence of China Chopper.
Protective measures:
“The usage of China Chopper in recent campaigns proves that a lot of old threats never really die, and defenders on the internet need to be looking out for malware both young and old”, — warn Cisco Talos specialists.
When securing the infrastructure it is important to keep internal as well as external facing web servers, applications, and frameworks up to date with the latest security patches to mitigate risk of compromise with already known exploits.
Despite the age, China Chopper is here to stay, and we will likely see it in the wild going forward.