PacketWatch recently analyzed an open directory based on a tweet from Germán Fernández showing an IP that was hosting malicious files and code.
A large part of a security analyst's job at PacketWatch is threat hunting and incident response. Through research across many different sources, we sometimes come across data that is interesting for many reasons, as in this case.
In this instance, we observed multiple scripts that could be leveraged to disable security tools, delete backups, install and remove remote management tools, and deploy full C2 frameworks.
We also discovered the threat actor has two C2 frameworks at their disposal, plus the ability to run on both Windows and Linux environments.
To download the indicators of compromise (IOCs) we found, click here.
To learn how we got there, keep reading...
During our daily CTI research, PacketWatch came across this tweet from Germán Fernández showing an IP that was hosting malicious files and code:
While we could simply scan for and block the IP and move on, this kind of data can often reveal a large number of valuable Indicators of Compromise (IOCs).
It is very common to see reused assets, code, and packages, which can help in identifying other malicious activity in any of our clients' environments. Due to the wide range of hacking tools and scripts found in this directory, we wanted to do further analysis to see if the files were still available.
Beginning our analysis and review of the suspicious IP, we found the open directory was still available (and remains so as of 12/11/2023):
The various .bat files contain commands to remove and disable various utilities, tools, and security software. Commands such as shadow copy manipulation and backup deletion are commonly observed in droppers that lead to ransomware deployment. We will also revisit the ‘native_dropper’ file in a bit.
The executables are all known malware/hacktool variants:
One file that stood out in the list is the lone shell script, ‘py_dropper.sh’. Reading the contents of the script, we can see that it consists of base64-encoded Python commands:
After decoding the base64, we get a relatively un-obfuscated Python script:
Top section of decoded Python commands
From the start, we can observe interesting pieces of information. Several key values are hard-coded, along with a reference to the same IP address that hosted the open directory, additional URL values, and a hard-coded user agent.
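As an added example (not part of the original write-up or of the PacketWatch analysis), the following Python triage helper automates what was done by hand above: it finds the base64 blob inside a shell stager, decodes it, and pulls out the hard-coded URLs, IP addresses, user agent and key/hash values. The embedded stager sample and every value in it are constructed placeholders, not indicators from the open directory.

```python
import base64
import hashlib
import re

# Constructed sample shaped like py_dropper.sh: base64-encoded Python with a
# hard-coded key, staging URL and user agent. All values are placeholders.
SAMPLE_STAGE = """
key = "PLACEHOLDER_AES_KEY_0123456789abcdef"
pykey = "PLACEHOLDER_PYKEY"
pyhash = "PLACEHOLDER_PYHASH"
url = "http://198.51.100.10/stage?id="
ua = "Mozilla/5.0 (Placeholder UA)"
"""
SAMPLE_SH = (
    "#!/bin/sh\n"
    f'python3 -c "$(echo {base64.b64encode(SAMPLE_STAGE.encode()).decode()} | base64 -d)"\n'
)

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")                        # long base64-looking runs
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*["\']([^"\']*)["\']', re.M)   # name = "string literal"
URL_RE = re.compile(r"https?://[^\s\"']+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
UA_NAMES = {"ua", "useragent", "user_agent", "agent"}

def decode_b64_blobs(text):
    """Return every long base64 run in the script that decodes to UTF-8 text."""
    stages = []
    for m in B64_RE.finditer(text):
        try:
            stages.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or a binary blob: skip it
    return stages

def extract_indicators(stage):
    """Pull the hard-coded strings an analyst wants out of a decoded stage."""
    assigns = dict(ASSIGN_RE.findall(stage))
    return {
        "urls": sorted(set(URL_RE.findall(stage))),
        "ips": sorted(set(IP_RE.findall(stage))),
        "user_agent": next((v for k, v in assigns.items() if k.lower() in UA_NAMES), None),
        # key/hash-named assignments: the AES key plus the pykey/pyhash check values
        "keys": {k: v for k, v in assigns.items() if "key" in k.lower() or "hash" in k.lower()},
        "sha256": hashlib.sha256(stage.encode()).hexdigest(),  # hash of the decoded stage itself
    }

def triage(script_text):
    """Decode each embedded stage in a shell script and report its indicators."""
    return [extract_indicators(s) for s in decode_b64_blobs(script_text)]
```

Running `triage()` over a real stager yields one report per embedded stage; the sha256 of the decoded stage is worth recording alongside the hash of the .sh wrapper, since the wrapper can be re-encoded trivially.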
Running a simple GET request to the URL listed in the code with the sandbox default user agent resulted in a 404 error, indicating that the threat actor uses the user agent to filter unwanted requests.
By using curl and manually altering the user agent to match the one provided in the code, the suspected malicious IP returns a large body of hex-encoded data:
After receiving this data, py_dropper decodes the hex values into UTF-8 and computes the SHA512 hash of the message body. It then looks for the ‘pykey’ value in the raw response body, compares the computed SHA512 hash against the ‘pyhash’ value as an integrity check, and verifies that the current runtime is valid. Once validation passes, the code executes:
The data is then executed on the system; decoding it to UTF-8 reveals that it is an entire Python AES encryption library, complete with comments:
First two functions of the AES library
This method appears to allow the code to load the AES encryption library into memory without relying on a library installed on the host.
After py_loader finishes loading the necessary components, it gathers various information about the host: ‘UID’, ‘PID’, ‘pname’ (which is hardcoded to “NA”), system architecture (‘x64’ or ‘x86’), and hostname. The gathered information is run through the AES encrypt() function, along with the hardcoded ‘key’ variable found at the top of the script. The resulting value is sent in the GET request to the C2 server as the ‘SessionID’.
Once the payload is retrieved, it is decoded to UTF-8 and passed to the AES decrypt() function using the same key. The returned data is decoded and immediately executed:
Stepping through the process manually, the payload is clearly encrypted:
After decryption, we can see the base64-encoded payload:
The payload is revealed to be more Python code, containing functions for keylogging, persistence, data exfiltration, and C2 communication:
Command modules
Keylogger borrowed directly from Empire on GitHub
Also of note, the initial Python dropper ‘implant’ code is baked into the larger final payload. It is included as a single function and is base64-encoded for obfuscation. Another function can write this implant to a .sh file in the /tmp/ folder:
Another file that caught our eye in the open directory listing is a file called “native_dropper”. File analysis shows that this file is a 32-bit ELF binary:
Checking the file hash in VirusTotal shows an interesting result: only one vendor flagged it correctly as PoshC2.
Having validated this as PoshC2, we can now see that ‘native_dropper’ is the Linux counterpart of “Posh_v2_dropper_x64.exe”, the Windows version of the dropper. Searching VirusTotal for the hash of the Windows version shows it is flagged by 54 AV vendors:
Additionally, strings analysis on the ‘native_dropper’ file shows that this ELF binary is simply a compiled version of the previously reviewed Python code, making it an alternative method for executing the PoshC2 code on a Linux machine:
Looking up the C2 IP in SOCRadar shows that it is flagged as ‘High Risk’ and is hosted in Russia:
We can also see that SOCRadar has tracking details on this IP dating back to Oct 10, 2023, indicating that it is a known C2 server:
Continuing our analysis with Shodan, we can see the endpoint has been identified as a “PoshC2” and “Sliver C2” server:
Pivoting off the html hash for port 443 (http.html_hash:-1700067737), we find 10 additional servers matching that hash as potential PoshC2 servers (IPs listed here):
These open directory discoveries provide valuable insights into the toolkits and methodologies used by threat actors. In this instance, we observed multiple scripts that could be leveraged to disable security tools, delete backups, install and remove remote management tools, and deploy full C2 frameworks.
Threat actors tend to have multiple weapons in their arsenal that achieve the same goal.
The threat actor has two C2 frameworks at their disposal, plus the ability to run on both Windows and Linux environments.
As with most malware droppers, there are layers of obfuscation and multiple stages that facilitate the download and execution of the malware.
Understanding these toolkits and frameworks will help defenders stop adversaries before it is too late.
You can download a copy of the IOCs we found through this investigation here.
At PacketWatch, our mission is to safeguard your organization from cyber threats that others may miss. Our team of highly experienced and battle-hardened security professionals works directly with clients to establish full network visibility and an active defense approach to security, including full packet capture and threat hunting within their environment.
Our incident response services are trusted by prominent law firms, private equity groups, and cybersecurity companies nationally.
At PacketWatch, we are committed to providing our clients with the highest level of service and expertise, and we take pride in being a trusted partner in their cybersecurity journey.
If you are seeking guidance on how to level up your security operations, contact us today.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.