SECURITY ALERT: China Chopper Malware targeting vulnerable SharePoint Servers

Product / Version includes:

Last updated: 2021/08/28

Solution ID: KA-0009302

Category: Remove a Malware / Virus

Summary

Trend Micro is aware of a campaign that is targeting several unpatched versions of Microsoft SharePoint Server in order to try and deploy the China Chopper web shell.

It is believed that the campaign is leveraging CVE-2019-0604, a vulnerability originally discovered and disclosed to Microsoft by Markus Wulftange (@mwulftange) working with Trend Micro's Zero Day Initiative, in order to deploy the web shell by exploiting the vulnerability to allow a successful attacker to run arbitrary code in the context of the SharePoint application pool and server farm account.

Microsoft released updates and security guidance for vulnerable versions of SharePoint in February and March of 2019, however, many servers remain unpatched.

Vulnerable Versions of Microsoft SharePoint

The following unpatched versions of Microsoft SharePoint are vulnerable:

Microsoft SharePoint Server 2019
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2013 SP1
Microsoft SharePoint Server 2010 SP2

Mitigation and Protection

The first line of protection against any exploited vulnerability to ensure the affected systems are patched with Microsoft's latest security update. In addition, any SharePoint servers that are designated for corporate intranet or internal use should be sufficiently isolated from the outside Internet.

Trend Micro Detection and Protection

In addition to applying Microsoft's Security Update, Trend Micro provides additional rules and filters to compliment the patch or to help mitigate some risk before affected servers are patched.

Trend Micro Deep Security

Rule 1009535 - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0604)
Rule 1007170 - Identified Suspicious China Chopper Webshell Communication

Trend Micro TippingPoint ThreatDV

Filter 33692: Microsoft SharePoint EntityInstanceEncoder Insecure Deserialization Vulnerability
Filter 34152: HTTP: China Chopper PHP Webshell Traffic Detected (My Script RunInBrowser Control Command)
Filter 34153: HTTP: China Chopper PHP Webshell Traffic Detected (Control Commands)
Filter 34154: HTTP: China Chopper ASP Webshell Traffic Detected (Control Commands)
Filter 34257: HTTP: China Chopper ASPX Webshell Traffic Detected (Control Commands)

Trend Micro Deep Discovery Inspector (DDI)

Rule 2063: CHOPPER - HTTP (Request)

Trend Micro Malware Detection

Official Pattern Release 15.111.00: contains detection for some known IOCs as Backdoor.ASP.CHOPSHELL.A and a client component executable as BKDR_CHOPPER.B.

References

Trend Micro Zero Day Initiative (ZDI) Blog Article: https://www.zerodayinitiative.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability
Trend Micro Malware Report: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Backdoor.ASP.CHOPSHELL.A
Microsoft Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604
MITRE CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0604
Canadian Centre for Cyber Security Alert AL19-006: https://cyber.gc.ca/en/alerts/china-chopper-malware-affecting-sharepoint-servers

Trend Micro will continue to monitor this threat and will provide updates as necessary.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

SECURITY ALERT: China Chopper Malware targeting vulnerable SharePoint Servers

SECURITY ALERT: China Chopper Malware targeting vulnerable SharePoint Servers

Product / Version includes:

Summary