ChinaChopper
ChinaChopper is a web shell used to execute commands on a victim machine through a compromised server. The cited reporting states it was present on compromised systems and was used to obtain, and later launch, the Quarian and PlugX backdoors. In one reported intrusion linked with medium to high confidence to the Chinese-speaking actor CloudComputating, attackers exploited Microsoft Exchange CVE-2020-0688, deployed a ChinaChopper web shell, and then installed Quarian and PlugX against government targets in the Middle East and Africa. Separate reporting also notes ChinaChopper on compromised machines associated with activity assessed as highly likely linked to Emissary Panda (aka TG-3390, APT27, Bronze Union); in that case the observed ChinaChopper password was "123!@ZA". FireEye telemetry cited in the reporting lists ChinaChopper among the most frequently detected targeted malware globally in July-December 2014. High-confidence indicators directly mentioned in the reporting include the web shell password "123!@ZA" from the Emissary Panda-linked case.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
CVE-2020-0688 (Microsoft Exchange): "In one case, we could see that this variant was deployed following exploitation of the CVE-2020-0688 vulnerability on the network of a government entity. This vulnerability, which was publicly reported in February 2020, allows an authenticated user to run commands as SYSTEM on a Microsoft Exchange server."
"the server was indeed compromised and was hosting the ChinaChopper webshell, which was used to obtain, and later launch, the Quarian and PlugX backdoors."
Groups observed using it
3 distinct threat actors attributed by public researchers.
"ChinaChopper, a web shell which allows the attacker to execute commands on the victim’s machine."
"the server was indeed compromised and was hosting the ChinaChopper webshell, which was used to obtain, and later launch, the Quarian and PlugX backdoors."
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique: "...deployed following exploitation of the CVE-2020-0688 vulnerability... on a Microsoft Exchange server."
Persistence
1 technique: "...was hosting the ChinaChopper webshell, which was used to obtain, and later launch, the Quarian and PlugX backdoors."
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Webshell used for post-compromise access and to stage/launch additional payloads (Quarian and PlugX in the described incident).
Web shell used for remote command execution on compromised web servers/systems; observed on machines compromised in activity attributed to Emissary Panda.
Web shell commonly used for post-compromise persistence and remote command execution on web servers; observed in targeted/APT detections.