Backdoor:ASP/Chopper.ZC!dha
Aliases: No associated aliases
Summary
Backdoor:ASP/Chopper.ZC!dha is a malicious web shell that creates a backdoor on a compromised web server. It belongs to the larger Chopper family, a tool known to be used by threat actors in post-exploitation operations. The malware consists of a small server-side script, written in ASP or ASPX, that once uploaded to the vulnerable server lets the threat actors run commands remotely through a user-friendly web front-end. This malware type has been associated with the exploitation of the following vulnerabilities in public-facing servers: CVE-2020-0688 in Microsoft Exchange and the ProxyLogon vulnerability chain, consisting of CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
The "!dha" suffix in the detection name indicates that this is a heuristic or behavioral detection: the threat is identified by analyzing suspicious actions and code patterns that resemble known backdoor behavior, rather than by matching a unique, previously identified fingerprint. Heuristic detection is used for new variants of known malware families and for threats that exhibit polymorphism, modifying the code that is visible on the surface to make detection hard.
- Identify and remove unauthorized .aspx web shell files from all web directories.
- Apply security patches for SharePoint/IIS and other known vulnerabilities.
- Examine IIS and application logs for repeated requests to a single endpoint with unusual parameters or authentication bypass attempts.
- Rotate credentials for SharePoint application pool and farm accounts to prevent continued access.
- Validate web directory integrity against backups or source-controlled versions to ensure no hidden shells remain.
- Audit for lateral movement or data staging activities initiated through w3wp.exe during the compromise window.
- Conduct full host triage to confirm no secondary payloads or additional shells exist in nested site collections or custom paths.
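As an added example (not code from this report or from Microsoft), the following Python snippet applies the IIS log check listed above to a constructed W3C log excerpt: it reads the #Fields header to name the columns and flags any client that repeatedly POSTs to a single .aspx endpoint with no authenticated user, the access pattern a Chopper-style shell produces. The endpoint name and addresses are placeholders, not real indicators.

```python
from collections import Counter

# Constructed IIS W3C log excerpt for illustration; the endpoint name and
# addresses are placeholders, not real indicators. IIS writes spaces inside
# field values (e.g. the User-Agent) as '+', so whitespace splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 10.0.0.5 GET /_layouts/15/start.aspx - CORP\\alice 192.0.2.10 Mozilla/5.0+(Windows+NT) 200
2024-05-01 10:00:05 10.0.0.5 POST /_layouts/15/upload.aspx List=Docs CORP\\alice 192.0.2.10 Mozilla/5.0+(Windows+NT) 200
2024-05-01 10:01:10 10.0.0.5 POST /_layouts/15/placeholder_shell.aspx - - 198.51.100.7 python-requests/2.31 200
2024-05-01 10:01:12 10.0.0.5 POST /_layouts/15/placeholder_shell.aspx - - 198.51.100.7 python-requests/2.31 200
2024-05-01 10:01:15 10.0.0.5 POST /_layouts/15/placeholder_shell.aspx - - 198.51.100.7 python-requests/2.31 200
2024-05-01 10:01:20 10.0.0.5 POST /_layouts/15/placeholder_shell.aspx - - 198.51.100.7 python-requests/2.31 200
2024-05-01 10:02:00 10.0.0.5 GET /_layouts/15/start.aspx - - 203.0.113.9 Mozilla/5.0+(Windows+NT) 401
"""


def parse_iis_log(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may change mid-file; keep latest
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated lines
                yield dict(zip(fields, values))


def find_webshell_candidates(text, min_hits=3):
    """Return (client_ip, endpoint, count) for every client that POSTed at least
    min_hits times to one .aspx page with no authenticated user (cs-username '-').
    Legitimate SharePoint POSTs normally carry the user's identity; a Chopper-style
    shell is driven by repeated anonymous POSTs to one script."""
    hits = Counter()
    for r in parse_iis_log(text):
        if (r["cs-method"] == "POST"
                and r["cs-uri-stem"].lower().endswith(".aspx")
                and r["cs-username"] == "-"):
            hits[(r["c-ip"], r["cs-uri-stem"])] += 1
    return sorted((ip, uri, n) for (ip, uri), n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    for ip, uri, n in find_webshell_candidates(SAMPLE_LOG):
        print(f"review {uri}: {n} anonymous POSTs from {ip}")
```

Endpoints it reports should then be checked against the backup or source-controlled web directory before being treated as a shell, since the script only identifies an access pattern, not the file content.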
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.