China Chopper
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | China Chopper's server component executes code sent via HTTP POST commands.(Citation: FireEye Periscope March 2018) |
| Enterprise | T1110.001 | Brute Force: Password Guessing | China Chopper's server component can perform brute force password guessing against authentication portals.(Citation: FireEye Periscope March 2018) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | China Chopper's server component is capable of opening a command terminal.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Lee 2013)(Citation: NCSC Joint Report Public Tools) |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | China Chopper's server component can change the timestamp of files.(Citation: FireEye Periscope March 2018)(Citation: Lee 2013)(Citation: NCSC Joint Report Public Tools) |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | China Chopper's client component is packed with UPX.(Citation: Lee 2013) |
| Enterprise | T1505.003 | Server Software Component: Web Shell | China Chopper's server component is a Web Shell payload.(Citation: Lee 2013) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0093 | GALLIUM | (Citation: Microsoft GALLIUM December 2019) (Citation: Cybereason Soft Cell June 2019) |
| G0135 | BackdoorDiplomacy | (Citation: ESET BackdoorDiplomacy Jun 2021) |
| G0117 | Fox Kitten | (Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| G0027 | Threat Group-3390 | (Citation: Dell TG-3390) (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Nccgroup Emissary Panda May 2018) (Citation: Unit42 Emissary Panda May 2019) |
| G0096 | APT41 | (Citation: apt41_dcsocytec_dec2022) (Citation: FireEye APT41 Aug 2019) |
| G1022 | ToddyCat | (Citation: Kaspersky ToddyCat June 2022) |
| G0125 | HAFNIUM | (Citation: FireEye Exchange Zero Days March 2021) (Citation: Rapid7 HAFNIUM Mar 2021) (Citation: Volexity Exchange Marauder March 2021) |
| G0065 | Leviathan | (Citation: FireEye Periscope March 2018) (Citation: CISA AA21-200A APT40 July 2021) (Citation: Accenture MUDCARP March 2019) |
References
- CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
- The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
- Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
- CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
- Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
- Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
- DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- Bromiley, M. et al. (2021, March 4). Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities. Retrieved March 9, 2021.
- Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
- Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.