CISA analyzed 15 files associated with China Chopper malware. The files are modified Offline Address Book (OAB) Virtual Directory (VD) configuration files for Microsoft Exchange servers. The files have been modified with a variant of the China Chopper webshell. The webshells allow an attacker to remotely access the server and execute arbitrary code on the system(s).referenced in this bulletin or otherwise.

CISA analyzed 4 files associated with HyperBro malware. The files creates a backdoor program that is capable of uploading and downloading files to and from the system. The RAT is also capable of logging keystrokes and executing commands on the system.

CISA received seven files for analysis. Six Java Server Pages (JSP) webshells and a Bourne Again SHell (bash) file. Five JSP webshell files are designed to parse inbound requests for commands for execution, download files, and upload files. One JSP webshell file contains a form with input fields that prompts the attacker to enter the command in the input box and click "run" to execute. The command output will be displayed in a JSP page. The bash file is designed to perform ldapsearch queries and store the output into a newly created directory.