Chopper ASPX web shell used in targeted attack

Based on Trend Micro researchers investigation, the Chopper web shell is dropped via a system token, potentially via a Microsoft Exchange Server vulnerability. One notable vulnerability in the Microsoft Exchange Server is CVE-2020-0688, a remote code execution bug. Microsoft issued a patch for this vulnerability in February 2020. However, the malicious actors behind this attack drop the Chopper web shell in the web directory folder to establish persistence.

Through the ASPX file, malicious actors can establish a foothold in affected public-facing Outlook Web App (OWA) servers and send remote commands through them.

Read more…
Source: Trend Micro