Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
SOFTWARE
Aria-body
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. China Chopper

China Chopper

China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. [1] It has been used by several threat groups. [2] [3]

ID: S0020
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 31 May 2017
Last Modified: 30 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

China Chopper's server component executes code sent via HTTP POST commands.[3]
Enterprise T1110 .001 Brute Force: Password Guessing

China Chopper's server component can perform brute force password guessing against authentication portals.[3]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

China Chopper's server component is capable of opening a command terminal.[4][1][5]
Enterprise T1005 Data from Local System

China Chopper's server component can upload local files.[3][1][5]
Enterprise T1083 File and Directory Discovery

China Chopper's server component can list directory contents.[3]
Enterprise T1070 .006 Indicator Removal on Host: Timestomp

China Chopper's server component can change the timestamp of files.[3][1][5]
Enterprise T1105 Ingress Tool Transfer

China Chopper's server component can download remote files.[3][1][5]
Enterprise T1046 Network Service Scanning

China Chopper's server component can spider authentication portals.[3]
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

China Chopper's client component is packed with UPX.[1]
Enterprise T1505 .003 Server Software Component: Web Shell

China Chopper's server component is a Web Shell payload.[1]

Groups That Use This Software

ID Name References
G0065 Leviathan

[3]
G0027 Threat Group-3390

[2][4][6][7]
G0093 Soft Cell

[8]
G0096 APT41

[9]

References

  1. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  2. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  3. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  4. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  5. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  1. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  2. Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  3. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  4. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.