New Cknife Web shell modeled after old China Chopper shell

Jul 19, 2016 21:15 GMT

Two Chinese security researchers have created a new Web shell that they open-sourced on GitHub for everyone to use, including the bad guys.

Seen for the first time in December 2015, this new tool, named Cknife, is coded in Java and includes server-side components that allow it to connect to Java, PHP, ASP, and ASP.NET servers.

The tool's authors, Chora and MelodyZX, publish together under the name MS509Team.

Cknife created as a modern clone of China Chopper

According to a Recorded Future investigation, the two set out to build a clone of China Chopper, a highly effective but, code-wise, dated Web shell that appeared in 2013 and has since been a favorite of Chinese red teams, criminal groups, and APTs.

Cknife and China Chopper share a few traits, such as the icon and some quirks in how they handle HTTP requests, but the two tools are otherwise different: Cknife is written in Java, while China Chopper was written in C++.

Another difference is transport: Cknife's GUI client talks to the compromised server over plain HTTP, whereas China Chopper uses HTTPS. Recorded Future says the Cknife authors have promised to add HTTPS support in the coming months.

Recorded Future: Cknife is a RAT for Web servers

Current Cknife capabilities allow a user to connect to multiple servers at once, connect to both Web servers and databases, and run a remote shell for command line access.

Given its large feature set and a polished GUI that even supports several skins, Recorded Future describes Cknife as more of a "RAT for Web servers" than a classic Web shell, which is usually very barren in terms of options and rarely comes with a graphical user interface.

Although both Cknife creators have successful careers as security researchers, they blurred the line between white-hat and black-hat hacking when they chose to open-source a tool that is of more use to cyber-criminals than to everyday infosec professionals.

"Cknife is a credible threat that Chinese actors have been discussing (and likely using) for the past six months," the Recorded Future team warns. "Given the broad attack surface area around web servers and their respective applications and frameworks, and the historic success of its predecessor China Chopper, Cknife is a legitimate threat that should be seriously addressed in the immediate future."

[Image gallery: Cknife screenshots, including the connection options dialog and the proxy settings dialog]