In recent ransomware developments, security researchers have discovered that the Hello ransomware (or WickrMe ransomware) has been exploiting the Microsoft SharePoint vulnerability to initiate ransomware cyberattacks alongside the China Chopper web shell.
Microsoft SharePoint Vulnerability:
Back in 2019, Microsoft published a security advisory detailing a SharePoint vulnerability that was being exploited in the wild.
The flaw, tracked as CVE-2019-0604, was patched by Microsoft, as reported in the advisory.
However, since its first exploitation and striking attack in 2020, exploitation of the bug has repeatedly made the news, this time as a compelled ally of the Hello ransomware.
Detailing the attack perpetrated by the Hello ransomware, researchers report that the attackers use a Cobalt Strike beacon to launch the ransomware payload. The researchers believe the China Chopper web shell was used in a likely attempt to circumvent detection by known samples.
After the initial exploit gives the attackers arbitrary code execution, the China Chopper web shell is used to run a malicious script that reaches out to pull down further malicious code, such as the Cobalt Strike beacon.
What is the China Chopper Web Shell?
To the unaware, a web shell is a malicious web-based shell-like interface that enables remote access and control to a web server by allowing the execution of arbitrary commands.
The China Chopper is one such web shell, which is approximately 4 kilobytes in size, and was first discovered in 2012. This web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers.
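Because a web shell receives its commands over ordinary web requests, its traffic shows up in the server's own logs. As an added example (not code from the researchers' report), the Python below applies a common defender heuristic to constructed IIS W3C log lines from a SharePoint server: a server-side script that only ever receives POST requests, from a single client, with no referer, is a triage candidate. The function names and the sample log are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed IIS W3C extended log sample (not real traffic). The #Fields
# directive drives the column mapping, as it does in real IIS logs.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2021-04-12 08:01:03 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 https://portal/sites/hr 200 120
2021-04-12 08:01:09 10.0.0.5 POST /sites/hr/_vti_bin/client.svc/ProcessQuery - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 https://portal/sites/hr/default.aspx 200 95
2021-04-12 08:02:14 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 https://portal/sites/hr 200 110
2021-04-12 08:02:40 10.0.0.5 POST /_layouts/15/images/x.aspx - 443 - 203.0.113.9 Mozilla/4.0 - 200 31
2021-04-12 08:02:41 10.0.0.5 POST /_layouts/15/images/x.aspx - 443 - 203.0.113.9 Mozilla/4.0 - 200 28
2021-04-12 08:02:45 10.0.0.5 POST /_layouts/15/images/x.aspx - 443 - 203.0.113.9 Mozilla/4.0 - 200 870
"""

# Server-side script extensions a web shell on IIS/SharePoint would use.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp")


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record: skip it rather than guess columns
        yield dict(zip(fields, parts))


def find_suspicious_uris(text, min_hits=2):
    """Return (uri, client_ip, hits) for script URIs that look shell-driven."""
    stats = defaultdict(lambda: {"methods": set(), "ips": set(), "refs": set(), "hits": 0})
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if not uri.endswith(SCRIPT_EXT):
            continue
        s = stats[uri]
        s["methods"].add(rec["cs-method"])
        s["ips"].add(rec["c-ip"])
        s["refs"].add(rec.get("cs(Referer)", "-"))
        s["hits"] += 1
    findings = []
    for uri, s in stats.items():
        # POST-only, single source, no referer: nobody browsed here, something drove it
        if s["methods"] == {"POST"} and len(s["ips"]) == 1 and s["refs"] == {"-"} and s["hits"] >= min_hits:
            findings.append((uri, next(iter(s["ips"])), s["hits"]))
    return sorted(findings)
```

Legitimate SharePoint POST endpoints such as /_vti_bin/ service calls carry referers and normal user agents, so the heuristic leaves them alone; tune min_hits to the server's baseline before acting on a hit.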
A combined threat?
Experts analyzing the Hello ransomware gang's use of the SharePoint bug and China Chopper web shells are considering whether additional parties are involved.
The question raised is whether the SharePoint bug and China Chopper web shells are consistently being used together to create a particular level of access that several malicious actors could then buy.
“It’s also worth noting that two years later, the continued abuse of the vulnerability strongly implies that a huge number of companies still have not patched the gap,” the researchers said.
The case also reminds security experts that, for all the machine-learning behavioral technology and attack frameworks that have been developed, malicious actors can still carry out attacks using simple command-line web shells that have been around for almost a decade.
It is also apparent that the distribution techniques these malicious actors employ are no novelty, even if the attack vector has been renewed.