Associated Group Descriptions
Name
TG-3390
Emissary Panda
BRONZE UNION
APT27
Iron Tiger
LuckyMouse

CVE-2019-0604 to exploit SharePoint servers to gain initial access to targeted
networks. We would like to acknowledge the possibility of an overlap in the AntSword webshell,
as we stated that Emissary Panda used China Chopper in the April attacks and AntSword and
China Chopper webshells are incredibly similar. However, at this time we do not believe the April
attacks used AntSword based on artifacts analyzed on the SharePoint server, specifically none of
the IIS logs in the April attacks used the AntSword User-Agent in requests to the webshell that
were observed in the current attacks.

The actor uses the Awen webshell backdoor to execute commands to do an initial
discovery on the system and network, including user accounts (T1033 and T1087), files and
folders (T1083), privileged groups (T1069), remote systems (T1018) and network configuration
(T1016).

AntSword is a modular webshell that involves a very simple webshell that the actor would deploy
to the compromised server and a client application referred to as the AntSword Shell Manager.
The use of the client application differs from many other webshells that the actor would interact
with in a browser window. The actor would use the AntSword Shell Manager to interact with the
AntSword webshell on the compromised server, as the Shell Manager sends the appropriate
script to the webshell that will execute to carry out the desired action. To provide a sense of the
limited functionality within the webshell itself, the bitreeview.aspx AntSword webshell deployed in
this attack