stylecss.aspx

Malware updated a month ago (2024-11-29T14:44:47.256Z)
Stylecss.aspx is a webshell found on SharePoint servers. It is associated with the China Chopper code, a well-known webshell used by cybercriminals for remote control over a compromised server. It operates similarly to the related webshells stylecs.aspx and pay.aspx; the notable differences are in how each runs JScript and which parameter it accepts in the URL. These webshells were identified in an advisory from the Canadian Centre for Cyber Security, which highlighted their threat potential and similarities.

Stylecss.aspx shares significant similarities with pay.aspx; both are part of the China Chopper suite. The primary difference is the URL parameter each uses to obtain and run JScript: pay.aspx uses 'vuiHWNVJAEF', while stylecss.aspx and its counterpart stylecs.aspx use 'e358efa489f58062f10dd7316b65649e', the MD5 hash of 't'. This was corroborated by the National Cyber Security Centre (NCSC) advisory, which noted the same filename, stylecss.aspx, for the webshell linked to China Chopper.

Stylecss.aspx and stylecs.aspx also differ from each other in operation. Both run JScript provided in the 'e358efa489f58062f10dd7316b65649e' parameter of the URL, but stylecss.aspx does not accept base64-encoded JScript. Instead, it expects the JScript in cleartext, provided as URL-safe text by the actor. This variation in behavior underscores the adaptability and sophistication of these malicious tools, making them a significant cybersecurity concern.
Description last updated: 2024-05-04T22:03:01.342Z
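A log-hunting sketch for the indicators described above, added here as an example and not taken from either advisory: it scans IIS W3C logs for the three filenames and the two URL parameter names, and matches the parameter on its own so that a renamed copy of the file is still flagged. The log lines, addresses, paths and parameter values are constructed, and the function names are hypothetical.

```python
from urllib.parse import parse_qs

# Indicators named in the description above, compared in lower case so that a
# differently-cased request is not missed.
SHELL_PARAMS = {"e358efa489f58062f10dd7316b65649e", "vuihwnvjaef"}
SHELL_FILES = {"stylecss.aspx", "stylecs.aspx", "pay.aspx"}

# Constructed sample in IIS W3C extended format (addresses, paths, values invented).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:00 203.0.113.5 GET /constructed/stylecss.aspx e358efa489f58062f10dd7316b65649e=PLACEHOLDER 200
2024-01-01 10:00:05 203.0.113.5 GET /constructed/start.aspx - 200
2024-01-01 10:01:00 198.51.100.7 GET /constructed/renamed.aspx E358EFA489F58062F10DD7316B65649E=PLACEHOLDER 200
2024-01-01 10:02:00 198.51.100.9 GET /constructed/pay.aspx - 404
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_hits(text):
    """Return (client, path, reasons, status) for each suspicious request."""
    hits = []
    for row in parse_w3c(text):
        path = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        keys = set()
        if query != "-":  # IIS writes "-" when there is no query string
            keys = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        reasons = []
        if keys & SHELL_PARAMS:
            reasons.append("parameter")
        if path.rsplit("/", 1)[-1].lower() in SHELL_FILES:
            reasons.append("filename")
        if reasons:
            hits.append((row.get("c-ip"), path, reasons, row.get("sc-status")))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A filename-only hit with a 404 status indicates a probe for the file rather than a response from an installed webshell, so the status is kept in each result for triage.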
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the stylecss.aspx malware was read from the documents corpus below.
Source: MITRE (created 2 years ago)