The Cybersecurity and Infrastructure Security Agency (CISA) has published reports on DearCry ransomware and China Chopper Web Shell malware linked to recent Exchange Server exploits. Attackers can use this malware to further compromise on-premises Microsoft Exchange servers and launch other attacks.
That report also followed a CISA and FBI urgent joint cybersecurity alert last month on the Microsoft Exchange vulnerability exploits. Malicious cyber actors used zero-day exploits (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to compromise thousands of Exchange servers around the globe.
In the updated alert, CISA added new information on DearCry ransomware and also seven China Chopper Web Shell malware analysis reports (MARs). Additional reports have been added for a new China Chopper Web Shell MAR and DearCry MAR on March 25 and April 12, respectively.
Microsoft’s Security Intelligence team tweeted out information on DearCry ransomware used after compromising on-premises Exchange servers:
Microsoft further recommended Exchange Server customers urgently prioritize security updates as noted here.
In addition, CISA provided a Ransomware web page for guidance and resources organizations can use to raise awareness and provide actions organizations can use to help combat ransomware threats.
Furthermore, CISA added another malware analysis report on April 12 under AR21-102B (MAR-10330097-1.v1: DearCry Ransomware). The DearCry malware encrypts files on a device and demands ransom in exchange for decryption.
China Chopper Web Shells
CISA also provided malware details on a collection of nine malware strains dubbed China Chopper Web Shell malware.
The 11 malware samples include:
- AR21-072A: MAR-10328877.r1.v1: China Chopper Webshell
- AR21-072B: MAR-10328923.r1.v1: China Chopper Webshell
- AR21-072C: MAR-10329107.r1.v1: China Chopper Webshell
- AR21-072D: MAR-10329297.r1.v1: China Chopper Webshell
- AR21-072E: MAR-10329298.r1.v1: China Chopper Webshell
- AR21-072F: MAR-10329301.r1.v1: China Chopper Webshell
- AR21-072G: MAR-10329494.r1.v1: China Chopper Webshell
- AR21-084A*: MAR-10329496-1.v1: China Chopper Webshell
- AR21-084B*: MAR-10329499-1.v1: China Chopper Webshell
- AR21-102A**: MAR-10331466-1.v1: China Chopper Webshell
Two new webshells* (AR21-084A and AR21-084B) were added on March 25, 2021.
An additional China Chopper webshell** (AR21-102A) was added on April 12, 2021.
Attackers can upload a webshell (a type of script) to a compromised Exchange Server to enable remote administration of the system. These webshells can further be used to steal credentials, upload additional malware (such as that used for watering hole attacks), or serve as command-and-control infrastructure, to name a few.
CISA also provided further Threat Awareness and Guidance on web shells to help organizations in fighting similar threats.
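Because a webshell is just a server-side script dropped into a web-served directory, one practical way to hunt for it on an Exchange/IIS host is to inventory the script files under the web root, compare them against a known-good baseline, and flag anything new, modified, or containing eval-of-request-input patterns. The following is an added example written for this article, not code from CISA, Microsoft, or any of the referenced reports; the file paths, the baseline page, and the one-line suspicious sample are all constructed, and the heuristic patterns are a small illustrative set rather than a complete signature list.

```python
import hashlib
import os
import re
from dataclasses import dataclass, field

# File types IIS executes server-side; a webshell has to use one of these
# (or be mapped to a handler) to run, so other files are skipped here.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Illustrative content heuristics (an assumption for this example, not an
# official signature set): request input fed straight into an evaluator,
# process spawning, and base64 payload decoding are typical webshell traits.
SUSPICIOUS_PATTERNS = [
    re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    re.compile(r"Execute\s*\(\s*Request", re.IGNORECASE),
    re.compile(r"Process\.Start|ProcessStartInfo", re.IGNORECASE),
    re.compile(r"FromBase64String\s*\(", re.IGNORECASE),
]


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def sha256_text(content: str) -> str:
    """Hash file content so it can be compared against a known-good baseline."""
    return hashlib.sha256(content.encode("utf-8", errors="replace")).hexdigest()


def scan_files(files: dict, baseline: dict) -> list:
    """Check an inventory of path -> content against path -> expected sha256.

    A script file is reported if it is absent from the baseline, differs
    from the baseline hash, or matches any of the content heuristics.
    """
    findings = []
    for path, content in sorted(files.items()):
        if os.path.splitext(path)[1].lower() not in SCRIPT_EXTENSIONS:
            continue
        reasons = []
        expected = baseline.get(path)
        if expected is None:
            reasons.append("script file not in baseline")
        elif expected != sha256_text(content):
            reasons.append("script file modified since baseline")
        for pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(content):
                reasons.append(f"content matches /{pattern.pattern}/")
        if reasons:
            findings.append(Finding(path, reasons))
    return findings


def scan_directory(root: str, baseline: dict) -> list:
    """Walk a real web root on disk and feed its script files to scan_files."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
    return scan_files(files, baseline)


# Constructed sample inventory: one legitimate page that is in the baseline,
# one dropped script that is not, and one non-script file that is ignored.
BASELINE_PAGE = (
    '<%@ Page Language="C#" CodeBehind="Default.aspx.cs" Inherits="Owa.Default" %>\n'
    "<html><body>Outlook Web App</body></html>\n"
)
DROPPED_SCRIPT = '<%@ Page Language="Jscript" %><% eval(Request.Item["p"], "unsafe"); %>'
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\owa\Default.aspx": BASELINE_PAGE,
    r"C:\inetpub\wwwroot\aspnet_client\sample_dropped.aspx": DROPPED_SCRIPT,
    r"C:\inetpub\wwwroot\owa\logo.png": "\x89PNG constructed binary placeholder",
}
SAMPLE_BASELINE = {
    r"C:\inetpub\wwwroot\owa\Default.aspx": sha256_text(BASELINE_PAGE),
}


def run_sample() -> list:
    """Scan the constructed inventory; returns the findings list."""
    return scan_files(SAMPLE_FILES, SAMPLE_BASELINE)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding.path)
        for reason in finding.reasons:
            print("   -", reason)
```

Run against the constructed inventory, only the dropped script is reported, both because it is absent from the baseline and because its content matches the eval-of-request heuristic; the baseline page hashes cleanly and the PNG is skipped. In practice the baseline would be generated from a freshly patched, known-clean Exchange install, and any hit should be treated as a lead for incident response rather than an automatic verdict.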
Readers can also check out more information on the Microsoft security advisories related to the Exchange Server RCE vulnerabilities exploited in the wild.
Updates on March 29: This article was updated to include two new China Chopper Webshell MARs.
Updates on April 13: This article was updated to include one new China Chopper Webshell MAR and an additional DearCry MAR.