Webshells Observed in Post-Compromised Exchange Servers
Original release date: March 25, 2021
CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each new MAR (AR21-084A and AR21-084B) identifies a webshell observed in post-compromised Microsoft Exchange Servers. After successfully exploiting a Microsoft Exchange Server vulnerability for initial access, a malicious cyber actor can upload a webshell to enable remote administration of the affected system.
CISA has also updated seven previously released MARs. The updated MARs now include an additional CISA-developed YARA rule to help network defenders detect associated malware.
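As an added illustration of the kind of check a defender can run alongside the CISA YARA rules (this is example code written for this page, not CISA's rule or any code from the MARs; the indicator patterns, file extensions and directory names are assumptions chosen for the example), the script below walks an Exchange web root, flags script files containing generic webshell indicators, and records the hash and modification time of each hit so it can be correlated with the exploitation window. The sample tree it scans is constructed inline and the "suspicious" fixture is an inert server-side comment, not a working webshell.

```python
import os
import re
import hashlib
import tempfile
from datetime import datetime, timezone

# Generic indicators common to simple ASP.NET webshells (assumption: these are
# illustrative heuristics, not the CISA-developed YARA rule, which this example
# does not reproduce).
INDICATORS = [
    ("eval_request", re.compile(rb"eval\s*\(\s*Request", re.IGNORECASE)),
    ("request_item", re.compile(rb"Request\.Item\s*\[", re.IGNORECASE)),
    ("process_start", re.compile(rb"System\.Diagnostics\.Process", re.IGNORECASE)),
]

# Server-side script extensions worth inspecting under an Exchange web root (assumption).
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def scan_file(path):
    """Return a finding dict for `path` if any indicator matches, else None."""
    with open(path, "rb") as f:
        data = f.read()
    hits = [name for name, pattern in INDICATORS if pattern.search(data)]
    if not hits:
        return None
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    return {
        "path": path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "mtime_utc": mtime.isoformat(),
        "indicators": hits,
    }


def scan_webroot(root, extensions=SCRIPT_EXTENSIONS):
    """Walk `root` and collect findings for every script file that matches an indicator."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                result = scan_file(os.path.join(dirpath, name))
                if result is not None:
                    findings.append(result)
    return findings


def build_sample_webroot():
    """Constructed sample tree: one benign page and one inert page carrying indicator text.

    Directory names mimic an IIS/Exchange layout for illustration only.
    """
    root = tempfile.mkdtemp(prefix="exchange_webroot_")
    benign = os.path.join(root, "owa", "auth", "logon.aspx")
    suspicious = os.path.join(root, "aspnet_client", "system_web", "constructed_suspicious.aspx")
    os.makedirs(os.path.dirname(benign))
    os.makedirs(os.path.dirname(suspicious))
    with open(benign, "wb") as f:
        f.write(b'<%@ Page Language="C#" %><html><body>Logon</body></html>')
    with open(suspicious, "wb") as f:
        # ASP.NET server-side comment: matches the indicators but executes nothing.
        f.write(b'<%-- constructed test fixture: eval(Request.Item["p"]) --%>')
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for finding in scan_webroot(sample_root):
        print(finding["path"], finding["sha256"][:16], finding["mtime_utc"], finding["indicators"])
```

In practice the script would be pointed at the real Exchange web directories and its findings compared against a known-good file inventory; string heuristics like these produce false positives on legitimate pages, so each hit should be reviewed and hashed against the indicators in the MARs rather than treated as confirmation on its own.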
CISA encourages users and administrators to review the following resources for more information:
- CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
- MAR-10328877-1.v1: China Chopper Webshell
- MAR-10328923-1.v1: China Chopper Webshell
- MAR-10329107-1.v1: China Chopper Webshell
- MAR-10329297-1.v1: China Chopper Webshell
- MAR-10329298-1.v1: China Chopper Webshell
- MAR-10329301-1.v1: China Chopper Webshell
- MAR-10329494-1.v1: China Chopper Webshell
- MAR-10329499-1.v1: China Chopper Webshell
- MAR-10329496-1.v1: China Chopper Webshell
- CISA web page Remediating Microsoft Exchange Vulnerabilities
- CISA web page Ransomware Guidance and Resources