Stylecs.aspx is a webshell, a type of malware, that was found on a SharePoint server. It is associated with the China Chopper code, a known hacking tool used by cybercriminals, and it forms part of a series of related webshells that also includes stylecss.aspx and test.aspx. These webshells were found to have significant similarities, as detailed in Table 1, suggesting they are all linked to the same malicious activity. The discovery of this malware indicates an attempt to exploit the server, potentially disrupting operations or stealing sensitive data.
The stylecs.aspx webshell is particularly potent because it runs any JScript code supplied within the HTTP request. Its developer wrote this functionality into the webshell, making it a versatile tool for executing various types of malicious activity. Its counterpart, test.aspx, operates similarly, running base64-encoded JScript provided in the URL of the request. This suggests that the two webshells may be used in tandem to execute complex attacks.
The stylecss.aspx webshell, while similar to stylecs.aspx, differs in one respect: it does not accept base64-encoded JScript. Instead, it expects the JScript in cleartext, provided as URL-safe text within the e358efa489f58062f10dd7316b65649e parameter of the URL. Both stylecs.aspx and stylecss.aspx use this same parameter, whose name is the MD5 hash of 't'. This commonality further underscores the connection between these webshells and their shared origin, hinting at a coordinated attack strategy by the threat actors.
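For defenders, the file names and the shared parameter name described above can be hunted for in IIS access logs. The following is an added example, not code from the original description: the log lines, paths and IP addresses are constructed, and it goes slightly beyond the text by flagging the parameter on any page name, so that a renamed copy is also caught.

```python
import base64
import binascii
from urllib.parse import parse_qsl

SHELL_PARAM = "e358efa489f58062f10dd7316b65649e"  # parameter name given in the description
SHELL_FILES = {"stylecs.aspx", "stylecss.aspx", "test.aspx"}

# Constructed IIS W3C log sample (paths and addresses are illustrative assumptions).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-01-01 10:00:00 GET /_layouts/15/start.aspx - 192.0.2.10 200
2023-01-01 10:01:00 GET /_layouts/15/stylecss.aspx e358efa489f58062f10dd7316b65649e=var%20a%3D1%3B 198.51.100.7 200
2023-01-01 10:02:00 GET /_layouts/15/stylecs.aspx e358efa489f58062f10dd7316b65649e=MSsxOw== 198.51.100.7 200
2023-01-01 10:03:00 GET /_layouts/15/error2.aspx E358EFA489F58062F10DD7316B65649E=MSsxOw== 203.0.113.5 200
2023-01-01 10:04:00 GET /_layouts/15/test.aspx - 198.51.100.7 404
"""

def is_base64_text(value):
    """True if value is strict base64 that decodes to printable ASCII."""
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(value) >= 8 and decoded.isascii() and decoded.decode("ascii").isprintable()

def scan_iis_log(text):
    """Return one finding per log line that matches a webshell indicator."""
    fields, findings = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        params = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
        reasons = []
        if stem.rsplit("/", 1)[-1].lower() in SHELL_FILES:
            reasons.append("known-filename")
        if SHELL_PARAM in params:
            reasons.append("shell-parameter")
            if is_base64_text(params[SHELL_PARAM]):
                reasons.append("base64-value")
        if reasons:
            findings.append({"ip": row.get("c-ip"), "stem": stem, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

A file-name match alone is weak evidence, since test.aspx is a common name; the parameter match is the stronger signal and deserves priority in triage.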
Description last updated: 2023-10-10T18:29:59.069Z