Threat Signal Report

US-CERT (CISA) Current Activity Alert - Observed China Chopper Webshells in Post-Compromised Exchange Servers

Description

Today, March 25th, the United States Cybersecurity and Infrastructure Security Agency (CISA) published its latest alert, titled "Webshells Observed in Post-Compromised Exchange Servers". The alert relates to this month's Microsoft Exchange zero-day vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Two Malware Analysis Reports (MARs) containing detailed technical analysis of the China Chopper webshell were released:

(AR21-084A) MAR-10329496-1.v1: China Chopper Webshell

(AR21-084B) MAR-10329499-1.v1: China Chopper Webshell

These two updates are related to the original alert issued by US-CERT on March 3rd. For further information on that initial alert, including links and specific guidance related to the Microsoft Exchange Server vulnerabilities, please refer to our Threat Signal located here.

What is China Chopper?

First observed in 2012, China Chopper is a lightweight webshell that provides backdoor access to a vulnerable system after compromise. It includes features such as a file explorer, a DB client, and a reverse shell. Notably for its small size, it also has a security scan feature that allows it to guess the authentication of various web portals and, beyond that, to get in via brute force.

China Chopper is portable and can run on both Linux and Windows platforms, running JSP, ASP/X, and PHP or CFM. China Chopper has been attributed to APT41 in past attacks. Notable past campaigns associated with China Chopper are listed below.

June 19, 2020

AusCERT Advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks.

September 16, 2020

US-CERT Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. MSS activity targeting CVE-2020-5902 (F5 Big-IP Vulnerability), CVE-2019-19781 (Citrix Virtual Private Network (VPN) Appliances), CVE-2019-11510 (Pulse Secure VPN Servers) and CVE-2020-0688 (Microsoft Exchange Server).

USDOJ: Seven International Cyber Defendants, including "Apt41" Actors, Charged in Connection with Computer Intrusion Campaigns Against More Than 100 Victims Globally

All links to FortiGuard Threat Signals for associated APT41 related activity can be found in the APPENDIX.

Who is APT41?

APT41, also known as BARIUM, has been in operation since 2011. It has been linked to supply chain compromises and to hacking into popular software vendors. Well-known software titles with significant installation bases were compromised with malware. The group's modus operandi was to compromise developer workstations that had access to source code repositories and then install backdoors and other malware into legitimate software. The intrusions also facilitated the installation of ransomware and cryptojacking schemes, where victim computer resources were used to mine cryptocurrency. The group is also linked to the use of PlugX/Fast/Korplug, Winnti/Pasteboy, and Shadowpad malware, with Korplug and Winnti being prominent malware families since 2012. To maintain persistence, the group has been observed using DLL side-loading techniques to launch malware such as HK Door, Crosswalk, and others.


According to Microsoft - HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM's modus operandi is to gain access to the victim network and then exfiltrate victim data to file sharing sites like MEGA, possibly for cyber espionage.

Are HAFNIUM and Barium (APT41) the Same Group?

Although multiple reports suggest that both APT groups have been observed to use China Chopper and both are attributed to China, there is no further information at this time to correlate the two groups.

What Platforms of Exchange Server Are Affected?

On-premise Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 are affected. Exchange Server online is unaffected. Although not listed as affected, Exchange Server 2010 has mitigation guidance available for it. Please refer to the APPENDIX for more details.

How Serious of an Issue is This?


Are these the Same Vulnerabilities Exploited as the DearCry Ransomware Campaign?


How Widespread is this Attack?

Global. Attacks have been observed to affect multiple verticals and targets worldwide.

Are Patches Available for Microsoft Exchange Server?

Yes. Out of Band patches were available from Microsoft for download on March 2nd, 2021. It is recommended that all available patches for affected Microsoft Exchange servers are applied immediately, if feasible.

What is the Status of Coverage?

Samples mentioned by US-CERT in this latest malware analysis report are not publicly available at this time. For reference, a comprehensive list of all known China Chopper malware protections can be found here. We will update this blog/threat signal should they become publicly available.

The latest version of FortiEDR (5.0) will detect exploitation attempts of the China Chopper malware.

For Microsoft Exchange Server specific vulnerabilities, FortiGuard Labs has the following IPS coverage in place:





We will update this threat signal with any other feasible updates once they become available.

Any Other Suggested Mitigation?

According to Microsoft, to protect against this attack it is recommended to restrict untrusted connections or to set up a VPN to separate the Exchange server from external access. This mitigation only protects against the initial portion of the attack. Other portions of the chain can still be triggered if an attacker already has access or can convince an administrator, via social engineering methods, to open a malicious file. It is recommended to prioritize installing the available patches on Exchange Servers immediately.

Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.

Also, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.


Traffic Light Protocol

TLP:RED: Not for disclosure, restricted to participants only.
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP:AMBER: Limited disclosure, restricted to participants’ organizations.
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP:GREEN: Limited disclosure, restricted to the community.
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP:WHITE: Disclosure is not limited.
When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.