There are simple ways to search for the presence of the web shell using the command line on both Linux and Windows based operating systems.” (FireEye has a handy guide… ) “The most effective way to detect and mitigate China Chopper is on the host itself, specifically on public-facing web servers. Once a machine is compromised, China Chopper can use the file-retrieval tool ‘wget’ to download files from the internet to the target, and edit, delete, copy, rename, and change the timestamp of existing files. China Chopper, which is just 4kb in size, is a widely used web shell. They can then be used to pivot to further hosts within a network. Web shells are malicious scripts which are uploaded to a target host after an initial compromise.
Regular patching and updating, along with the use of a modern antivirus programme stops most variants, the NCSC said, adding that organisations should be able to collect antivirus detections centrally across its estate. Creation of new files and directories with obfuscated or random names.Connection attempts to known malicious IP addresses.Significant increase in disk activity and/or network traffic.Inability to open the Windows registry editor or task manage.Inability to restart the computer in safe mode.It is primarily delivered through emails as an attachment.”
JBiFrost allows actors to pivot and move laterally across a network, or install additional malicious software.
It poses a threat to several different operating systems, including Windows, Linux, MAC OS X and Android. “The JBiFrost RAT is Java-based, cross-platform and multifunctional.
While there are a wide range of RATs circulating, JBiFrost is increasingly being used in targeted attacks against critical national infrastructure owners and their supply chain operators, the NCSC said. They can be used to install backdoors and key loggers, take screen shots, and exfiltrate data. RATs allow remote administrative control. Reiterating the need for basic security hygiene, the report emphasises that initial compromises of victim systems usually exploit common security weaknesses like unpatched software software vulnerabilities: “The tools detailed here come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim’s systems.”