

Sample analysis of a quasi-APT attack against a Chinese organization

Posted by forbes at 2020-04-07

Antiy CERT

First release time: 14:32, May 27, 2015; update time: 14:32, May 27, 2015


In the attack scenario analysed here, the attacker relies on shellcode generated by Cobalt Strike, communicating in Beacon mode, to obtain remote control of the target host. On the target host this shows up as: no malicious code written to disk as a file, a network heartbeat sent every 60 seconds, and data carried in the HTTP Cookie field. To some extent these behaviours evade host security software and firewall interception. Because of the relationship between this attack and the Cobalt Strike platform, we provisionally name the event APT-TOCS (TOCS: Threat On Cobalt Strike).

The core step of the APT-TOCS attack is a script that loads shellcode: it calls powershell.exe from the command line to load a piece of encrypted data into memory and execute it. The decrypted data is executable shellcode generated by Cobalt Strike, a commercial automated penetration testing platform. Starting from the shellcode-loading script, the Antiy analysis team associated a PE program that may serve as the lead (launcher) executable for the script in similar attacks. However, because the script can be executed in many ways, it does not necessarily depend on a lead PE program, and since the script is the standard one generated by Cobalt Strike, the lead PE file cannot be definitively linked to this attack.

This script-plus-shellcode method injects into memory and performs no write to disk, uses Beacon mode for communication, supports multiple Beacons and can operate several Beacons at the same time. The attack does not need a carrier file; it can rely on network delivery and on-demand lateral movement within the intranet. That brings great difficulty to forensic work, and some sandbox detection products have no effect on it at all.
Although the attack capability of APT-TOCS appears close to that of an APT, it depends less on the attack team's own capability and more on a commercial automated penetration testing platform.

2.1 Lead file and sample loading

APT-TOCS uses a PowerShell.exe script to execute shellcode and obtain remote control of the target system. Antiy analysts believe the attackers have a variety of remote injection methods that can ultimately achieve script execution with the required privileges, such as exploiting security flaws or vulnerabilities to run the script directly on the host. Through association analysis, the following binary lead file (hereafter sample A) was found to have been used in similar attacks:

Virus name:
Original filename:
Processor architecture:
File size: 72.0 KB (73,802 bytes)
File format:
Timestamp: 2009-05-10 07:02:12
Digital signature:
Packer:
Compiler language: Microsoft Visual C++

The script embedded in the PE sample is the same shellcode-loading script function that Antiy obtained, but the encrypted data differs. The PE sample was first uploaded to VirusTotal on May 2, 2015.

This PE sample uses WinExec to run the embedded malicious script.

From this we can see that such a "lead file" can serve as the launcher in similar attacks; but by relying on system and application vulnerabilities instead, an attacker can still achieve script execution and final control without any such file. At present it is not certain that this lead sample is related to this APT event.

2.2 Key mechanism

The core of APT-TOCS remote control is the encrypted data script loaded by PowerShell (hereafter sample B). Figure 1 shows the derivation relationship and main function of each module of the script.

2.3 Main sample analysis of APT-TOCS

The content of sample B (Base64 content omitted) is as follows:

This part of the script decodes the Base64 content, decompresses it with gzip to obtain script 1, and loads and executes it with PowerShell.

2.4 Script 1 analysis

The content of script 1 (Base64 content omitted) is as follows:

This part decodes the Base64 data to obtain module 1 (shellcode), writes it into the memory of the powershell.exe process, and then calls it.

2.5 Module 1 analysis

The main function of this module is to call WinInet functions to connect to the network, download module 2, and load it into memory for execution.

Figure 6 HTTP GET request


2.6 Module 2 analysis

Module 2 creates the system process rundll32.exe in a suspended state:

Figure 7 creating a suspended rundll32.exe process

It then writes the data of module 3 into that process:

Figure 8 data of module 3 being written

Although the data of module 3 begins with "MZ", it is not executed as a regular PE file; it is shellcode carrying the backdoor functionality.

Figure 9 shellcode starting with MZ (4D 5A)

2.7 Module 3 analysis

Module 3 connects to two addresses on port 80:

███████████████████████ (Romania) 


It sends request data and receives the response.

Figure 10 sending request data

The IP address, domain name and access path above are stored obfuscated and decrypted with XOR 0x69. Judging from the strings in the module and the system functions it calls, module 3 is a backdoor: it actively sends GET requests to the specified address and uses the Cookie field to carry a heartbeat packet, at an interval of 60 seconds. The heartbeat data includes a check code, the process ID, the system version, the IP address, the computer name, the user name and whether the process is 64-bit; it is encrypted with RSA and encoded with Base64.

Figure 11 original data of heartbeat packet

Because the process ID and the check code differ, the heartbeat data differs on each transmission. The check code is calculated from the process ID and the number of milliseconds since the system started. The algorithm is as follows:

Figure 12 check code algorithm

The encrypted heartbeat packet is transmitted in the Cookie field:

Figure 13 packet content
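Section 2.7 states that module 3 keeps its IP address, domain name and access path XORed with 0x69. When the key is not already known, the practical way to get those indicators out of a memory dump is to try every single-byte key and keep the one under which IOC-shaped strings (dotted IPv4 addresses, host names, file.ext paths) appear. The block below is an added example, not code from the Antiy report; the blob it scans is constructed here (reserved documentation values 198.51.100.23 and .invalid, NUL-terminated and XORed with 0x69, separated by filler bytes), not module 3's real data.

```python
from __future__ import annotations

import re

IOC_PATTERN = re.compile(
    rb"(?:\d{1,3}\.){3}\d{1,3}"             # dotted IPv4 address
    rb"|[a-z0-9-]{2,}(?:\.[a-z0-9-]{2,})+"  # host name, or file.ext inside a request path
)
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def score_key(data: bytes, key: int) -> int:
    """Number of IOC-shaped strings visible after XOR with this key."""
    return len(IOC_PATTERN.findall(xor_bytes(data, key)))


def rank_keys(data: bytes, top: int = 3) -> list[tuple[int, int]]:
    """Try all 256 single-byte keys; return (key, score) pairs, best first."""
    scored = [(key, score_key(data, key)) for key in range(256)]
    scored.sort(key=lambda ks: (-ks[1], ks[0]))
    return scored[:top]


def recover_strings(data: bytes, key: int) -> list[str]:
    """Printable runs after decoding; NUL terminators (0x69 in the blob) split the strings."""
    return [m.decode() for m in PRINTABLE_RUN.findall(xor_bytes(data, key))]


# Constructed blob for this example: three C2 strings with their NUL terminators,
# XORed with 0x69, between filler bytes that never decode to printable text under
# that key (bit 7 stays set). Not the IOCs from the report.
_FILLER = bytes(range(0x80, 0x100))
CONSTRUCTED_BLOB = (
    _FILLER
    + xor_bytes(b"198.51.100.23\x00", 0x69)
    + _FILLER
    + xor_bytes(b"c2.example.invalid\x00", 0x69)
    + _FILLER
    + xor_bytes(b"/submit.php?id=\x00", 0x69)
    + _FILLER
)

if __name__ == "__main__":
    best_key, best_score = rank_keys(CONSTRUCTED_BLOB)[0]
    print(hex(best_key), best_score, recover_strings(CONSTRUCTED_BLOB, best_key))
```

Scoring on IOC shape rather than on the amount of printable text matters: under many keys the filler turns into long runs of printable characters, but only the right key produces dots between alphanumeric labels.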

The PowerShell loading technique in the lead file sample A and in sample B, both associated by Antiy CERT analysts, is exactly the same. Because the related scripts are highly standardized, however, this does not rule out that sample A is unrelated to this attack. Taking other circumstances into account, we still judge them to be one series of attacks. The attackers may control the target host through social-engineering email, file bundling, exploitation of system and application vulnerabilities, lateral movement within the intranet and other means.

While analysing module 1 we found strings such as "beacon". Based on past analysis experience, we suspected that the shellcode was closely related to the automated penetration testing platform Cobalt Strike, so the analyst compared it with a Beacon generated by Cobalt Strike to verify the relationship. Cobalt Strike is a GUI-based penetration testing framework. Its commercial version integrates service scanning, automated exploitation, multi-mode listeners, several payload generation methods (DLL payload, in-memory payload, Office macro and Beacon communication payload), phishing attacks, site cloning, target information gathering, automated browser attacks and so on.

3.1 Module 1 comparison

Comparing module 1 with the payload generated by Beacon, only three differences are found: the header data sent in the GET request, the requested file name, and the IP address.

Figure 14 compares the sample's module 1 (left) with the module generated by Beacon (right). From the comparison it can be concluded that module 1 is generated by Beacon. The packet captured at the time of the request is shown below:

Figure 15 comparison of module 1 request packets

3.2 Module 2 disassembly comparison

The analyst compared the sample's module 2 with the Beacon-related files and found that the disassembly of the two is identical except for the functional code, including the XOR decryption at the entry, loading of system DLLs, resolution of function addresses and the function call style, as follows:

Sample module 2

Beacon-related file

Entry XOR decryption (using the x86/shikata_ga_nai polymorphic encoder)

Entry code after decryption

Function call

3.3 Module 3 packet comparison and analysis

Below is a comparison of the GET requests of the sample's module 3 and of the module generated by Beacon. Both use the Cookie to carry information, the information is encrypted, and the request is sent actively every 60 seconds; the data is the check-in/heartbeat packet.

Figure 16 packet comparison of module 3
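The behaviour that 2.7 and 3.3 describe, a GET to the same path every 60 seconds with an opaque Base64 value in the Cookie, is exactly what a proxy log will show when such a Beacon is running, and it can be hunted for without any signature for the shellcode itself. The following is an added example for this page, not detection logic from the Antiy report: it groups requests by client, host and path, measures the regularity of the inter-request interval, checks that the Cookie decodes to ciphertext-like bytes rather than a key=value session cookie, and flags the combination. The log it runs on is constructed inline (one beaconing client, one browsing normally); the heartbeat values are SHA-256 digests standing in for the RSA-encrypted data, and the hosts, addresses and thresholds are assumptions.

```python
from __future__ import annotations

import base64
import hashlib
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: timestamp client host method uri cookie
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\S+)$")
OPAQUE_B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _fake_heartbeat(i: int) -> str:
    """Constructed stand-in for the encrypted, Base64-encoded heartbeat carried in the Cookie."""
    return base64.b64encode(hashlib.sha256(f"constructed-heartbeat-{i}".encode()).digest()).decode()


def build_sample_log() -> str:
    """Constructed proxy log: one host checking in every ~60 s, one host browsing normally."""
    beacon_offsets = [0, 60, 121, 180, 241, 300]  # seconds after 08:00:00, with a little jitter
    lines = [
        f"2015-05-20T08:{off // 60:02d}:{off % 60:02d}Z 10.0.0.5 c2.example.invalid GET /submit.php {_fake_heartbeat(i)}"
        for i, off in enumerate(beacon_offsets)
    ]
    lines += [
        f"2015-05-20T08:{m:02d}:{s:02d}Z 10.0.0.7 www.example.invalid GET /index.html session=abc123"
        for m, s in [(0, 5), (0, 9), (3, 40), (3, 41), (10, 0), (30, 0)]
    ]
    return "\n".join(sorted(lines)) + "\n"


def parse_log(text: str):
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, host, method, uri, cookie = m.groups()
            yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
                   "host": host, "method": method, "uri": uri, "cookie": cookie}


def looks_like_opaque_base64(cookie: str) -> bool:
    """True for a bare Base64 value whose decoded bytes look like ciphertext, not key=value text."""
    if not OPAQUE_B64.fullmatch(cookie):
        return False
    try:
        raw = base64.b64decode(cookie, validate=True)
    except ValueError:
        return False
    printable = sum(0x20 <= b < 0x7F for b in raw)
    return printable / len(raw) < 0.7


def find_beacons(text: str, min_hits: int = 5, max_jitter: float = 0.15) -> list[dict]:
    """Flag (client, host, uri) groups with a regular interval and opaque Cookie values."""
    groups: dict[tuple, list] = defaultdict(list)
    for rec in parse_log(text):
        groups[(rec["client"], rec["host"], rec["uri"])].append(rec)
    findings = []
    for (client, host, uri), recs in groups.items():
        if len(recs) < min_hits:
            continue
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        opaque = sum(looks_like_opaque_base64(r["cookie"]) for r in recs)
        if jitter <= max_jitter and opaque >= 0.8 * len(recs):
            findings.append({"client": client, "host": host, "uri": uri, "hits": len(recs),
                             "interval_s": round(mean, 1), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(hit)
```

The interval check alone would also catch legitimate pollers (software updaters, monitoring agents), which is why the Cookie test is combined with it; conversely, an operator who raises the sleep jitter will push the coefficient of variation above the threshold, so max_jitter is a tuning knob rather than a fixed property of Beacon traffic.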

3.4 Cobalt Strike features

With Cobalt Strike an attacker can perform many operations on the target system, such as downloading and uploading files, executing specified programs, injecting a keylogger, executing commands through PowerShell, importing PowerShell scripts, executing commands through cmd, and dumping system passwords with mimikatz. Cobalt Strike has the following characteristics:

Using the automated penetration testing platform Cobalt Strike to carry out an intrusion gives the attacker the ability to traverse firewalls, and the way the target host is controlled is very covert and hard to discover; it can attack multiple platforms, such as Windows, Linux and Mac; and it has the ability to counter trusted computing environments, cloud detection, sandbox detection and other security controls. According to Antiy's past tracking, this kind of threat has existed for nearly five years, yet there is still a lack of effective products and means to detect it.

The Antiy CERT analysis team classified the APT-TOCS event as a quasi-APT event. On the one hand, the event fits the characteristics of an APT: a highly targeted operation with strong concealment and multiple anti-detection measures. On the other hand, compared with many APT events we have studied in the past, in which the attackers had extremely high cost tolerance and huge capacity reserves, the cost threshold here is not high. The malicious code was not written and constructed by the attackers themselves; the commercial attack platform frees them from the high development cost of malicious code. The platform also provides a large number of optional injection methods and supporting means for loading and persisting malicious code, which lowers the cost of the attack. Countries and organizations that lack abundant funds and elite hackers can thus approach the level of an APT attack by relying on the services of existing commercial attack platforms, and such highly "patterned" attacks also lack distinctive characteristics, making attribution harder.
Here we should once again recall what the information security veteran Bruce Schneier said: "When there are some major information security attacks, they are all considered as examples of cyber warfare. I think it's nonsense. I think the trend that is happening now, and is really important, is that more and more tactical actions in wars are spreading into the broader cyberspace environment. This is very important. The spread of capabilities can be realized through technology, especially computer technology, which can automate attack behaviour and capabilities." Obviously, highly automated commercial attack platforms have made this capability spread faster than we predicted. What we need to remind all parties of is that, given the low cost of replicating cyber-attack technology, there is already a serious risk of cyber arms proliferation. The emergence of commercial penetration testing platforms has, on the one hand, become an effective tool for testing system security, but it will become a nightmare for countries, industries and institutions that lack a sufficient security budget and cannot bear more security costs. On this issue, more communication and consensus needs to be established on all sides; and there is no doubt that the superpowers with the world's top capabilities in both attack and defence should take more responsibility for effectively controlling the proliferation of such weapon-grade attack means. At the same time, APT-TOCS, like many events we have found before, reflects the severe network security challenges faced by a country with a population of 1.3 billion that is undergoing large-scale informatization, and it also bears witness to the efforts of Chinese users and security enterprises to meet that challenge.

Cobalt Strike is the commercial counterpart of Armitage. Armitage is a Java-based graphical front end for Metasploit; it can use Metasploit's known exploits to attack existing vulnerabilities automatically. The free Armitage is bundled with BackTrack 5 and Kali Linux. Cobalt Strike's most powerful feature is the Beacon payload in its several variants. Cobalt Strike was first released in June 2012.



Cobalt Strike 1.45 and earlier: could connect to a local Windows Metasploit instance; later versions dropped this and must connect to a remote Linux Metasploit.

Cobalt Strike 1.46: the system profiler uses a fallback method to check the reported Java version; fixed a key generation flaw.

Cobalt Strike 1.47: eases Beacon's backlog of multiple messages; performs a comprehensive check when a listener is started.

Cobalt Strike 1.48: Beacon gained the timestomp command; bypass UAC waits up to 10 seconds for the privileged file copy to complete.

Cobalt Strike 1.49: fixed the Beacon HTTP stager payload generator for Windows XP.

Cobalt Strike 2.0: Malleable Command and Control; added the "veil" option to the payload generator.

Cobalt Strike 2.1: the powershell command launches a native PowerShell process; the build.sh tool was updated.

Cobalt Strike 2.2: reworked process injection, and the connection to the VNC server on the target system now runs from a new process that is more easily overlooked by host-based firewalls; vulnerability reports show URL references from ZDI, MSB, US-CERT VU and WPVDB.

Cobalt Strike 2.3: Beacon's DNS stage is encoded with a custom encoder; Beacon gained the runas and pwd commands.

Cobalt Strike 2.4: added timestamps to View -> Web Log entries; the default Beacon HTTPS certificate is regenerated with different parameters; Malleable C2 HTTPS certificates are now generated with different parameters; updated the default set of executable and DLL artifacts.

The author of Cobalt Strike, Raphael Mudge (USA), is the founder of Strategic Cyber LLC, a Washington-based company that develops software for red teams. He created Armitage for Metasploit, the Sleep programming language and the IRC client jIRCii. Previously he was a security researcher in the U.S. Air Force and a penetration tester. He founded and built a grammar checker and sold it to Automattic. He publishes articles and speaks regularly on security topics, has provided the red team for many network defence competitions, and spoke at hacker conferences in 2012-2014.

Education: Syracuse University; Michigan Technological University. Current employment: Strategic Cyber LLC; Delaware Air National Guard. Skills: software development, information security, object-oriented design, distributed systems, graphical interfaces, computer network design, blog systems, social engineering, security research, etc.

Company / project / organization:

Strategic Cyber LLC: founder and principal, January 2012 to present

Delaware Air National Guard: leadership, traditional reservist, 2009 to present

Cobalt Strike: project leader

Senior security engineer

Code Wrangler

Feedback Army, After the Deadline

Air Force Research Laboratory: systems engineer

US Air Force: communications and information officer

Organizations supported (Collegiate Cyber Defense Competition, CCDC): Northeast CCDC 2008-2015; Mid-Atlantic CCDC 2011-2015; Pacific Rim CCDC 2012 and 2014; Southeast CCDC 2014; Western Regional CCDC 2013; National CCDC 2012-2014.

Projects: Sleep scripting language (an extensible general-purpose language for the Java platform, inspired by Perl; open source under the LGPL); jIRCii (a scriptable client for multi-user online chat, for Windows, Mac OS X and Linux); Cortana scripts; Metasploit loader; malleable-c2-profiles; layer2-bidding-client; army project; After the Deadline; Feedback Army; Cobalt Strike.

Publications: "Live fire security testing with Armitage and Metasploit", Linux Magazine; "Get in through the backdoor: post-exploitation with Armitage", hakin9 magazine; "Tutorial: hacking Linux with Armitage", ethicalhacker.net; "The design of a proofreading software service", NAACL HLT 2010 Workshop on Computational Linguistics and Writing; "Agent-based traffic generation", hakin9 magazine; etc.

Open-source software: Armitage, Far East, jIRCii, Moconti, One Hand Army Man, s phperl, Same Game, Sleep.

Reference links:
https://plus.google.com/11689957642591292745/posts (Google+)
https://github.com/rsmudge (GitHub)
https://www.youtube.com/channel/UCJU2r634VNPeCRug7Y7qdcw (YouTube)
http://www.oldschoolirc.com/
https://twitter.com/rsmudge
http://www.hick.org/~raffi/index.html
http://www.blackhat.com/html/bh-us-12/speakers/Raphael-Mudge.html
http://www.linkedin.com/in/rsmudge

Starting from an anti-virus engine R&D team, Antiy has grown into an advanced security product supplier with four R&D centres, monitoring and early-warning capabilities covering the whole country, and products and services reaching many countries. After 15 years of continuous accumulation, Antiy has built a massive security threat knowledge base and combined its experience in network detection, host defence, unknown threat identification, big data analysis and security visualization to launch advanced products and solutions against persistent and advanced threats (APT). Antiy's technical strength has been recognized by industry regulators, customers and partners: Antiy has been awarded national-level security emergency support unit qualification for four consecutive years and is one of the six first-level support units of CNNVD. The Antiy mobile detection engine won the first AV-TEST annual award (2013) given to a Chinese product, and more than ten well-known security vendors worldwide have chosen Antiy as a detection capability partner.
