China Chopper Malware Affecting SharePoint Servers

The Canadian Cyber Security Centre and Saudi Arabian National Cyber Security Centre have published advisories warning on the active exploitation of an exploit that grants remote code execution against Microsoft SharePoint. 

Security researchers have reportedly identified compromised systems belonging to the academic, utility, heavy industry, manufacturing and technology sectors.  

Microsoft released security updates addressing this vulnerability in February and March 2019; however, many systems remain outdated. 

It is likely that the current campaign is leveraging CVE-2019-0604 in order to deploy the web shell. Microsoft released security updates addressing this vulnerability in February and March 2019; however, many systems remain outdated.

Indicators of compromise

HASH Values

MD5 Hash: b814532d73c7e5ffd1a2533adc6cfcf8
SHA1 Hash: dc8e7b7de41cac9ded920c41b272c885e1aec279
SHA256 Hash: 05108ac3c3d708977f2d679bfa6d2eaf63b371e66428018a68efce4b6a45b4b4
Filename: pay.aspx

MD5 Hash: 708544104809ef2776ddc56e04d27ab1
SHA1 Hash: f0fb0f7553390f203669e53abc16b15e729e5c6f
SHA256 Hash: b560c3b9b672f42a005bdeae79eb91dfb0dec8dc04bea51f38731692bc995688

MD5 Hash: 0eebeef32a8f676a1717f134f114c8bd
SHA1 Hash: 4c3b262b4134366ad0a67b1a2d6378da428d712b
SHA256 Hash: 7d6812947e7eafa8a4cce84b531f8077f7434dbed4ccdaca64225d1b6a0e8604
Filename: stylecss.aspx

IP Address

114.25.219.100

Suggested action

• All Microsoft SharePoint Server installations should be patched with the latest security update, dated 12 March 2019, using Microsoft Update, the Microsoft Update Catalog or the Microsoft Download Center.
• If a SharePoint instance serves strictly as an on-premises solution, ensure that the server has no exposure to the Internet.

The following versions of Microsoft SharePoint are known to be affected: 

• Microsoft SharePoint Enterprise Server 2016 
• Microsoft SharePoint Foundation 2013 SP1 
• Microsoft SharePoint Server 2010 SP2 
• Microsoft SharePoint Server 2019