SECURITY ALERT: China Chopper Malware targeting vulnerable SharePoint Servers

    • Updated: 15 May 2019
Summary

Trend Micro is aware of a campaign that is targeting several unpatched versions of Microsoft SharePoint Server in order to try and deploy the China Chopper web shell.

The campaign is believed to be leveraging CVE-2019-0604, a vulnerability originally discovered and disclosed to Microsoft by Markus Wulftange (@mwulftange) working with Trend Micro's Zero Day Initiative. A successful attacker can exploit the vulnerability to run arbitrary code in the context of the SharePoint application pool and server farm account, and the campaign uses it to deploy the web shell.

Microsoft released updates and security guidance for vulnerable versions of SharePoint in February and March of 2019; however, many servers remain unpatched.

Details

Vulnerable Versions of Microsoft SharePoint


The following unpatched versions of Microsoft SharePoint are vulnerable:


  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2013 SP1
  • Microsoft SharePoint Server 2010 SP2


Mitigation and Protection


The first line of protection against any exploited vulnerability is to ensure the affected systems are patched with Microsoft's latest security update. In addition, any SharePoint servers designated for corporate intranet or internal use should be sufficiently isolated from the outside Internet.


Trend Micro Detection and Protection


In addition to applying Microsoft's Security Update, Trend Micro provides additional rules and filters to complement the patch or to help mitigate some of the risk before affected servers are patched.


Trend Micro Deep Security


  • Rule 1009535 - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0604)
  • Rule 1007170 - Identified Suspicious China Chopper Webshell Communication


Trend Micro TippingPoint ThreatDV


  • Filter 33692: Microsoft SharePoint EntityInstanceEncoder Insecure Deserialization Vulnerability
  • Filter 34152: HTTP: China Chopper PHP Webshell Traffic Detected (My Script RunInBrowser Control Command)
  • Filter 34153: HTTP: China Chopper PHP Webshell Traffic Detected (Control Commands)
  • Filter 34154: HTTP: China Chopper ASP Webshell Traffic Detected (Control Commands)
  • Filter 34257: HTTP: China Chopper ASPX Webshell Traffic Detected (Control Commands)


Trend Micro Deep Discovery Inspector (DDI)


  • Rule 2063: CHOPPER - HTTP (Request)


Trend Micro Malware Detection


  • Official Pattern Release 15.111.00: contains detection for some known IOCs as Backdoor.ASP.CHOPSHELL.A and a client component executable as BKDR_CHOPPER.B.
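The network filters listed above (TippingPoint 34152-34257 and DDI rule 2063) fire on the shape of China Chopper client traffic rather than on the web shell file itself. As an added illustration of that approach (example code written for this article, not Trend Micro's rule logic and not a copy of any product signature), the script below parses raw HTTP requests and scores them for the traffic features public analyses attribute to the China Chopper client: a POST to a script under a SharePoint layouts path, a form parameter whose value is server-side script rather than data, a Base64 decode feeding an eval, and the "->|" / "<-|" response delimiters. Both sample requests are constructed; the suspicious one uses a deliberately non-functional script fragment and a placeholder host and file name.

```python
"""Constructed example: flag China Chopper-style web shell traffic.

Added example for this article; it is not Trend Micro code and does not
reproduce any vendor rule. The indicator patterns are assumptions drawn
from public descriptions of the China Chopper client protocol.
"""
import re
from urllib.parse import parse_qs, urlencode

# Traffic indicators (assumed, see module docstring).
_UNSAFE_EVAL = re.compile(r'eval\s*\(.*?"unsafe"\s*\)', re.I | re.S)
_DELIMITERS = re.compile(r'Response\.Write\s*\(\s*"(?:->\||<-\|)"\s*\)', re.I)
_B64_DECODE = re.compile(r"FromBase64String|base64_decode", re.I)
_SCRIPT_PATH = re.compile(r"\.(aspx?|php)$", re.I)


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def request_indicators(raw: str) -> list:
    """Return the list of indicator names that match this request."""
    method, path, _headers, body = parse_http_request(raw)
    hits = []
    if method != "POST":
        return hits
    # Weak indicator on its own: legitimate SharePoint pages under
    # /_layouts/ also receive POSTs, so it only adds context.
    if _SCRIPT_PATH.search(path) and "/_layouts/" in path.lower():
        hits.append("post-to-script-in-layouts")
    # The Chopper client sends one form field whose value is a script body.
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if _DELIMITERS.search(value):
                hits.append(f"response-delimiters:{name}")
            if _UNSAFE_EVAL.search(value) or _B64_DECODE.search(value):
                hits.append(f"script-in-parameter:{name}")
    return hits


def is_suspicious(raw: str) -> bool:
    """True when any content indicator (not only the path indicator) hit."""
    return any(h != "post-to-script-in-layouts" for h in request_indicators(raw))


# Constructed, deliberately non-functional script fragment carrying the
# delimiter and decode-then-eval markers; not a working payload.
_CHOPPER_STYLE_VALUE = (
    'Response.Write("->|");'
    'eval(System.Convert.FromBase64String("Li4u"),"unsafe");'
    'Response.Write("<-|");'
)

# Placeholder host and page name; constructed sample request.
SAMPLE_CHOPPER = (
    "POST /_layouts/15/reports.aspx HTTP/1.1\r\n"
    "Host: sharepoint.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n" + urlencode({"cmd": _CHOPPER_STYLE_VALUE})
)

# Constructed ordinary form POST to a built-in layouts page: must not fire.
SAMPLE_BENIGN = (
    "POST /_layouts/15/Upload.aspx HTTP/1.1\r\n"
    "Host: sharepoint.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n" + urlencode({"__VIEWSTATE": "abc", "ctl00$Title": "Quarterly report"})
)

if __name__ == "__main__":
    for label, sample in (("chopper-style", SAMPLE_CHOPPER), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspicious(sample), request_indicators(sample))
```

The path check is kept separate from the content checks on purpose: many legitimate SharePoint pages under /_layouts/ accept POSTs, so only the parameter-content indicators drive the verdict, which keeps the false-positive rate on a busy farm manageable while still catching the protocol markers the network filters are named after.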




Trend Micro will continue to monitor this threat and will provide updates as necessary.

Category: Remove a Malware / Virus
Solution Id: 000131747