Backdoor:ASP/Chopper.F

Backdoor:ASP/Chopper.F is a small web script (like only a few kilobytes) placed on an accessible path on the target web server. In the case of SharePoint and IIS, was often in the form of a .aspx file dropped into web-content directories after exploitation of something like CVE-2020-0688 in Microsoft Exchange and the Proxy Logon vulnerability series, involving CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. The server-side component offers a password-gated function and when the user supplies code/commands performed from the associated operator-side client over HTTP requests.  

It will launch on the server side within the security context of the web application, which can include the SharePoint farm account based on configuration. This design avoids any obvious changes to the registry and relies on paths and permissions allowed for a typical web server. The ability to detect many of these scripts relies on the integrity of web content, web logs, and anomalous request patterns and not on persistence artifacts typical to Windows. 

Chopper has been implicated in campaigns against SharePoint servers that are directly related to exploitation of CVE-2020-0688 in Microsoft Exchange and the Proxy Logon vulnerability series, involving CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 in deploying the shell, where the vulnerability allows a threat actor to run arbitrary code in the context of the application pool and farm account. After the initial upload, the shell accepts HTTP commands containing password protected commands, using POST requests with form-encoded data to provide administrative access to a compromised system remotely. Given that the shell acquires execution context through the web server, the activity reflects back to the server as the w3wp.exe (IIS worker process) performing file operations or running low level Windows commands at the request of the threat actor. The minimal footprint it has on the compromised device and the command interface to run commands are two of the key indicators noted through extensive analysis that contribute to discovering the operational persistence and re-use across multiple exploits.