Python PoshC2: Analysis of an IP Indicator of Compromise (IOC)

PacketWatch recently analyzed an open directory based on a tweet from Germán Fernández showing an IP that was hosting malicious files and code.

A large part of a security analyst's job at PacketWatch is threat hunting and incident response. Through research from many different sources, we will sometimes come across data that is incredibly interesting for many reasons, like this one.

In this instance, we observed multiple scripts that could be leveraged to disable security tools, delete backups, install and remove remote management tools, and deploy full C2 frameworks.

We also discovered the threat actor has two C2 frameworks at their disposal, plus the ability to run on both Windows and Linux environments.

To download the indicators of compromise (IOCs) we found, click here.

To learn how we got there, keep reading...

Setting the Scene

During our daily CTI research, PacketWatch came across this tweet from Germán Fernández showing an IP that was hosting malicious files and code:

While we could scan for and block the IP and simply move on, this data often can reveal a large number of valuable Indicators of Compromise (IOCs).

It's very common to see reused assets, code, and packages which could help in identifying or finding other malicious activity in any of our clients. Due to the wide range of hacking tools and scripts found in this directory, we wanted to do some further analysis to see if the files were still available.

Directory Analysis

Beginning our analysis and review of the suspicious IP, we found the open directory was still available (and remains so as of 12/11/2023):

The various .bat files contain commands to remove and disable various utilities, tools, and security software. These commands are commonly observed in droppers leading to ransomware deployments, such as shadow copy manipulation and backup deletion. We will also revisit the ‘native_dropper’ file in a bit.

The executables are all known malware/hacktool variants:

• Ngrok.exe – legitimate tool abused for proxy purposes
• Posh_v2_dropper_x64.exe – PoshC2 dropper, a PowerShell-based C2 executable
• Setup_uncnow.msi – Atera remote admin tool
• VmManagedSetup.exe – SystemBC (malware proxy)
• WILD_PRIDE.exe – Sliver C2 framework

Py_dropper.sh

One file that stood out in the list is the lone shell script called ‘py_dropper.sh’. Upon reading the contents of the script, we can see that it is just base64-encoded Python commands:

Body of py_dropper.sh (Encoded python commands)

After decoding the base64, we get a relatively un-obfuscated Python script:

Top section of decoded Python commands

From the start, we can observe interesting pieces of information. There are multiple key values hard-coded, as well as a reference to the same IP address that hosted the open directory, along with additional URL values, and a hard-coded user agent.

Running a simple GET request to the URL listed in the code with the sandbox default user agent resulted in a 404 error, indicating that the threat actor uses the user agent to filter unwanted requests.

By using curl and manually altering the user agent to match the one provided in the code, the suspected malicious IP returns a large body of hex-encoded data:

Small snippet of returned hex characters

After receiving this data, py_dropper then decodes the hex values into UTF-8, getting the SHA512 hash of the message body. It then looks for the ‘pykey’ value in the raw return body, and also matches the computed SHA512 hash against the ‘pyhash’ value as an integrity check, as well as checking that the current runtime is valid. After validation, the code then executes:

Code snippet showing hex decoding and integrity check

The data is then executed on the system, and decoding it to UTF-8 reveals the contents, the entire Python AES encryption library, complete with comments:

First two functions of the AES library

This method appears to allow the code to load the AES encryption library into memory without having to call it from the OS.

After py_loader finishes loading necessary components, it gathers various information on the host: ‘UID’, ‘PID’, ‘pname’ (which is hardcoded to “NA”), system architecture (‘x64 or ‘x86’), and hostname. The gathered information is run through the AES encrypt() function, also passing the hardcoded ‘key’ variable found at the top of the script. The resulting value is used in the GET request to the C2 server as ‘SessionID’.

Host information gathering, encryption, and web request

Once the payload is retrieved, it is decoded to UTF-8 and passed to the AES decrypt() function using the same key. The returned data is decoded and immediately executed:

Decryption of payload and execution

Stepping through the process manually, the payload is clearly encrypted:

Encrypted payload snippet immediately after GET request

After decryption, we can see the base64-encoded payload:

Encoded payload snippet after AES decryption

The payload is revealed to be more Python code, containing functions for keylogging, persistence, data exfiltration, and C2 communication:

Command modules

Persistence via crontab

Keylogger borrowed directly from Empire on Github

List of additional URLs on the C2 server

C2 return traffic encrypted and appended to an image file for exfiltration

Also of note, the initial Python dropper ‘implant’ code is baked into the larger final payload. This is included as a single function and is base64 encoded for obfuscation. Another function is able to write this implant to a .sh file in the /tmp/ folder:

Function to add or remove implant

Native_Dropper File and VirusTotal Findings

Another file that caught our eye in the open directory listing is a file called “native_dropper”. File analysis shows that this file is a 32-bit ELF binary:

native_dropper’ file type

Checking the file hash in VirusTotal shows an interesting result: Only one vendor flagged it correctly as PoshC2.

VirusTotal analysis of ELF binary

After validating this as PoshC2, now we see that ‘native_dropper’ is the Linux version of “Posh_v2_dropper_x64.exe”, a Windows version of the dropper. Searching the file hash on VirusTotal of the Windows version shows it is flagged by 54 AV vendors:

VirusTotal analysis of Windows binary

Additionally, strings analysis on the ‘native_dropper’ file shows that this ELF binary is simply a compiled version of the previously reviewed Python code, making it an alternative method for executing the PoshC2 code on a Linux machine:

Snippet of ‘strings’ analysis showing same C2 address, User Agent, URLs as Python loader

Infrastructure Analysis

Running the C2 IP in SOCRadar shows the IP is flagged as ‘High Risk’, and is hosted in Russia:

SOCRadar Reputation of C2 IP

We can also see that SOCRadar has tracking details on this IP dating back to Oct 10, 2023, pointing to it being a known C2 server:

SOCRadar historical reputation details

Continuing our analysis with Shodan, we can see the endpoint has been identified as a “PoshC2” and “Sliver C2” server:

Shodan IP details for port 443

Shodan IP details for port 31337

Pivoting off the html hash for port 443 (http.html_hash:-1700067737), we find 10 additional servers matching that hash as potential PoshC2 servers (IPs listed here):

Shodan pivot results

Final Thoughts

These open directory discoveries provide valuable insights into the toolkits and methodologies used by threat actors. In this instance, we observed multiple scripts that could be leveraged to disable security tools, delete backups, install and remove remote management tools, and deploy full C2 frameworks.

Threat actors tend to have multiple weapons in their arsenal that achieve the same goal.

The threat actor has two C2 frameworks at their disposal, plus the ability to run on both Windows and Linux environments.

As with most malware droppers, there are layers of obfuscation and multiple stages that facilitate the download and execution of the malware.

Understanding these toolkits and frameworks will help defenders stop adversaries before it is too late.

You can download a copy of the IOCs we found through this investigation here.

At PacketWatch, our mission is to safeguard your organization from cyber threats that others may miss. Our team of highly experienced and battle-hardened security professionals works directly with clients to establish full network visibility and an active defense approach to security, including full packet capture and threat hunting within their environment.

DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.