
SECURITY ALERT: China Chopper Malware targeting vulnerable SharePoint Servers

    • Updated:
    • 15 May 2019
    • Product/Version:
    • Operating System:

Trend Micro is aware of a campaign that is targeting several unpatched versions of Microsoft SharePoint Server in order to try and deploy the China Chopper web shell.

The campaign is believed to be leveraging CVE-2019-0604, a vulnerability originally discovered and disclosed to Microsoft by Markus Wulftange (@mwulftange) working with Trend Micro's Zero Day Initiative. Successful exploitation allows an attacker to run arbitrary code in the context of the SharePoint application pool and server farm account, and the campaign uses that access to deploy the web shell.

Microsoft released updates and security guidance for vulnerable versions of SharePoint in February and March of 2019; however, many servers remain unpatched.


Vulnerable Versions of Microsoft SharePoint

The following unpatched versions of Microsoft SharePoint are vulnerable:

  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2013 SP1
  • Microsoft SharePoint Server 2010 SP2

Mitigation and Protection

The first line of protection against any exploited vulnerability is to ensure the affected systems are patched with Microsoft's latest security update. In addition, any SharePoint servers designated for corporate intranet or internal use should be sufficiently isolated from the outside Internet.

Trend Micro Detection and Protection

In addition to applying Microsoft's Security Update, Trend Micro provides additional rules and filters to complement the patch or to help mitigate some risk before affected servers are patched.

Trend Micro Deep Security

  • Rule 1009535 - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0604)
  • Rule 1007170 - Identified Suspicious China Chopper Webshell Communication

Trend Micro TippingPoint ThreatDV

  • Filter 33692: Microsoft SharePoint EntityInstanceEncoder Insecure Deserialization Vulnerability
  • Filter 34152: HTTP: China Chopper PHP Webshell Traffic Detected (My Script RunInBrowser Control Command)
  • Filter 34153: HTTP: China Chopper PHP Webshell Traffic Detected (Control Commands)
  • Filter 34154: HTTP: China Chopper ASP Webshell Traffic Detected (Control Commands)
  • Filter 34257: HTTP: China Chopper ASPX Webshell Traffic Detected (Control Commands)

Trend Micro Deep Discovery Inspector (DDI)

  • Rule 2063: CHOPPER - HTTP (Request)

Trend Micro Malware Detection

  • Official Pattern Release 15.111.00: contains detection for some known IOCs as Backdoor.ASP.CHOPSHELL.A and a client component executable as BKDR_CHOPPER.B.
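For defenders who also want a local, product-independent triage check, here is an added example that is not part of this article and not Trend Micro's detection logic: a small Python scanner that walks a SharePoint web root and flags files matching the well-known one-line China Chopper forms (ASPX, classic ASP, PHP). The signature names, the scanned extensions, the sample directory layout and the constructed fixture files are this example's own assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Hand-written signatures for the one-line China Chopper variants; names are this example's own.
CHOPPER_SIGNATURES = {
    "chopper_aspx": re.compile(r'eval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*"unsafe"', re.I),
    "chopper_asp": re.compile(r'<%\s*eval\s*request\s*\(', re.I),
    "chopper_php": re.compile(r'@?eval\s*\(\s*\$_(POST|REQUEST)\s*\[', re.I),
}
SCAN_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php"}
MAX_BYTES = 64 * 1024  # one-liners are tiny; avoid reading huge legitimate pages in full

def scan_file(path):
    """Return the name of the first matching signature for one file, or None."""
    try:
        data = Path(path).read_bytes()[:MAX_BYTES].decode("utf-8", errors="ignore")
    except OSError:
        return None
    for name, pattern in CHOPPER_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None

def scan_tree(root):
    """Walk `root` and return sorted [(relative_path, signature, size_bytes)] for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, fname)
            sig = scan_file(full)
            if sig:
                hits.append((os.path.relpath(full, root), sig, os.path.getsize(full)))
    return sorted(hits)

def demo():
    """Build a constructed web root with one benign page and one planted fixture, then scan it."""
    root = tempfile.mkdtemp(prefix="spscan_")
    layouts = Path(root, "TEMPLATE", "LAYOUTS")
    layouts.mkdir(parents=True)
    # Constructed benign page: touches Request but not the eval(..., "unsafe") idiom.
    (layouts / "default.aspx").write_text('<%@ Page Language="C#" %><% var q = Request.QueryString["id"]; %>')
    # Constructed fixture that matches the ASPX signature (detector test input only).
    (layouts / "error2.aspx").write_text('<%eval(Request.Item["x"],"unsafe");%>')
    return scan_tree(root)
```

Run `demo()` to see the fixture flagged and the benign page ignored; on a real server, point `scan_tree` at the SharePoint web root and review each hit's path and timestamp alongside IIS logs.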



Trend Micro will continue to monitor this threat and will provide updates as necessary.





