Hafnium’s China Chopper: a ‘slick’ and tiny web shell for creating server backdoors
A group of cyber attackers called Hafnium has allegedly been behind several attacks exploiting Microsoft zero-day vulnerabilities in Microsoft Exchange Server. The hacking group originates from China and is known to target US industries such as defense, research, law, and higher education. To conduct its attacks, Hafnium leases virtual private servers in the US even though the group itself is located in China.
Trustwave has published an analysis of one of Hafnium’s popular tools, China Chopper, a web shell typically used for post-exploitation activities. China Chopper has been detected in the wild for at least a decade and is hard to take down because of its small size. The web shell is only four kilobytes and has two key components: a web shell command-and-control client binary and a text-based web shell payload.