ASP/Chopper.A!tr

Analysis

ASP/Chopper.A!tr is a generic detection for a trojan.
This malware has been associated with the following Hafnium article/advisory:

  • https://fndn.fortinet.net/FortiGuard-Alert-Outbreaks/Hafnium-Fabric-View/

  • The correlation was established by a near or exact database match on one of the samples, IOCs, or file hashes listed in the resource above.
    • MD5: 5544ba9ad1b56101b5d52b5270421d4a
      Sha256: 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
    • MD5: f8c6d90f1249c0b26f110dae3fe0fae6
      Sha256: 883b886be927b4ea92892674641db5654f4b08b916b2ce97ee82ad2757d1e592

  • A quick look at this ASP code shows the following:
    • The malware is a short piece of code that calls eval on the Request.Form value "error", along with the parameter string "unSAfE".
      The string is possibly used to indicate that the compromised host has some third-party security software currently installed.

Recommended Action

    • Make sure that your FortiGate/FortiClient system is using the latest AV database.
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

    Detection Availability

    FortiGate
    FortiClient
    FortiAPS
    FortiAPU
    FortiMail
    FortiSandbox
    FortiWeb
    Web Application Firewall
    FortiIsolator
    FortiDeceptor
    FortiEDR

    Version Updates

    Date Version Detail
    2021-09-07 88.00941
    2021-06-08 86.00766
    2021-05-02 85.00889
    2021-03-29 85.00066
    2021-03-15 84.00736
    2021-03-12 84.00657
    2021-03-11 84.00641
    2021-03-10 84.00616
    2021-03-08 84.00568