We’ve observed that in some cases, malicious actors insert this short script to avoid detection:

When simplified, the malicious script looks like this, with the eval being the executor and the Request.Form acquiring the parameter to be executed:

The attack features the following script:

Outlook Web App (Web Directory) - D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\scripts\premium\premium.aspx

Through the ASPX file, malicious actors can establish a foothold in affected public-facing Outlook Web App (OWA) servers and send remote commands through them.
However, the malicious actors behind this attack drop the Chopper web shell in the web directory folder to establish persistence.
One notable vulnerability in the Microsoft Exchange Server is CVE-2020-0688, a remote code execution bug. Microsoft issued a patch for this vulnerability in February 2020.
Technical Analysis

Based on our investigation, the Chopper web shell is dropped via a system token, potentially via a Microsoft Exchange Server vulnerability. In this blog, we will dissect a targeted attack that made use of the Chopper ASPX web shell (detected by Trend Micro as ).
Threats such as this can be difficult to detect even with multiple security layers - especially if they are not consolidated. In as little as 15 bytes, web shells can enable remote administration of an infected machine or system. Web shells can be embedded on web servers and can be used by malicious actors to launch arbitrary code. These malicious code pieces can be written in ASP, PHP, and JSP, or any script that can execute a system command with a parameter that can pass through the web. Web shells, in their simplicity and straightforwardness, are highly potent when it comes to compromising systems and environments.
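The two traits the post describes, an eval that executes a request parameter and an ASPX page dropped under the OWA auth\scripts directory, can be turned into a simple file-scanning heuristic. The following is an added example, not code from the original post or from Trend Micro; the sample page contents are constructed, and the assumption that the auth\scripts tree normally holds only client-side script assets (not server pages) is the author's own.

```python
"""Heuristic triage of ASPX files for one-line web shells of the kind
described above: eval() fed directly from a request parameter, and server
pages sitting where only static client assets are expected.
Added example; paths and page contents below are constructed."""
import re
from pathlib import PureWindowsPath

# Trait 1: eval whose argument is read straight from the request.
EVAL_REQUEST = re.compile(
    r"\beval\s*\(\s*Request(?:\.Form|\.QueryString|\.Item)?\s*[\[(]",
    re.IGNORECASE,
)

# Trait 2: an .aspx under OWA's auth/scripts tree. Assumption: that tree
# normally carries client-side scripts, not server-executed pages.
SUSPICIOUS_DIRS = ("frontend/httpproxy/owa/auth/scripts",)


def content_findings(source: str) -> list[str]:
    """Flag page source where eval executes request-supplied input."""
    findings = []
    if EVAL_REQUEST.search(source):
        findings.append("eval executes a request parameter")
    return findings


def path_findings(path: str) -> list[str]:
    """Flag server pages located inside a static-asset directory."""
    parts = PureWindowsPath(path)  # collapses stray double backslashes
    normalized = "/".join(part.lower() for part in parts.parts)
    findings = []
    if parts.suffix.lower() == ".aspx" and any(
        d in normalized for d in SUSPICIOUS_DIRS
    ):
        findings.append("server page inside OWA static-script directory")
    return findings


def scan(path: str, source: str) -> list[str]:
    """Combine path and content heuristics for one file."""
    return path_findings(path) + content_findings(source)


# Constructed samples: a minimal eval-of-request page and a benign page
# that reads form input but only echoes it, HTML-encoded.
SAMPLE_SHELL = '<% eval(Request.Form["p"]) %>'
SAMPLE_BENIGN = ('<%@ Page Language="C#" %>'
                 '<% Response.Write(Server.HtmlEncode(Request.Form["name"])); %>')
```

Run `scan()` over the ASPX files under the OWA virtual directories; any file with one or both findings warrants a hash check against the installed Exchange build and a look at its creation time.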