Attackers Using Red Teaming Tools for Cyberattacks
While conducting our routine threat hunting exercises, Cyble Research and Intelligence Labs (CRIL) came across instances of the PowerShell Empire command and control (C&C) infrastructure. PowerShell Empire is a post-exploitation red teaming tool used for creating stagers that connect back to C&C servers after an initial compromise through vectors such as phishing emails, exploitation of public-facing IT systems, and watering hole attacks.
For additional clarity, we hunted for PowerShell Empire-related files in the wild and successfully identified multiple infections. The following figure shows the C&C infrastructure of PowerShell Empire.
Windows PowerShell is a popular tool utilized for managing the IT infrastructure in an organization. It comes pre-installed in Windows 7 and higher versions. It can utilize the .NET framework and Win32 APIs using the command line for multiple operations. Being a legitimate tool of Microsoft, PowerShell is typically whitelisted by multiple vendors.
PowerShell Empire was created by the Veris Group security practitioners Will Schroeder, Justin Warner, Matt Nelson, and others in 2015. In the past, various APT groups have used this tool, with a few of the notable groups being Turla, APT19, MuddyWater, APT41, APT33, and FIN10. According to its official GitHub repository page, the project has not been updated since 2019. Because of its capabilities, threat actors and security researchers use it for various post-exploitation activities, such as system information collection, pivoting, running additional reverse shell modules, and searching file systems.
The PowerShell Empire framework is similar to the tools used by nation-state actors for stealth APT operations. According to SANS Institute, Empire’s C&C traffic is asynchronous, encrypted, and designed to blend in with normal network activity. This makes it difficult for security researchers to identify the Empire’s communication inside an enterprise network.
The framework is based on a client and server architecture. To develop the payload and C&C, the PowerShell Empire server and clients should be up and running. The PowerShell Client is used to create a listener and stager for performing the attack.
In the PowerShell Empire framework, the listener is the C&C, and the stager is the payload to be executed on the compromised system. After a successful initial compromise, the victim system will communicate to the C&C and register itself as an agent. Then, using the listener, the attacker can easily manage the compromised system.
The figure below shows the client and server of the PowerShell Empire.
Before attacking any system, the threat actor needs to set a C&C server. This server is called the listener. It listens to the connection from the victim machine and in return establishes the connection with the stager. The following image shows the listener module of Empire.
Stagers are similar to the payload, and after the initial compromise, stagers are dropped and executed on the victim system.
The agent is the compromised system. Empire provides a C&C framework to remotely manage multiple compromised systems from a single point. The image below showcases the Agent panel of PowerShell Empire.
During our analysis, we generated the .hta stager payload and executed it on the target Windows machine. The .hta stager we generated launched a PowerShell command using wscript.exe. The command contained Base64-encoded shellcode used to establish the reverse connection, as shown in the figure below.
The figure below shows the decoded shellcode containing the browser user agent and the URL for communication. To avoid detection, the C&C address is further obfuscated in the script.
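The stager chain described above (a script host spawning a hidden PowerShell process whose command line carries a Base64-encoded script) is also what a defender can key on in process-creation telemetry. The following detector is an added example, not code from the article or from the Empire project: it scans constructed Sysmon-style process-creation events, decodes any `-EncodedCommand` argument (Base64 over UTF-16LE, which is what PowerShell expects), and pulls the URL and user-agent string back out so an analyst sees the C&C endpoint without running the payload. The encoded script, the `c2.example.invalid` URL and the user-agent text are harmless placeholders constructed for the example, not an Empire stager.

```python
import base64
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style), not taken from the article.
# The encoded payload is a harmless stand-in script with a placeholder C&C URL; it is not an Empire stager.
def _encode_ps(script: str) -> str:
    """Produce what PowerShell's -EncodedCommand expects: Base64 over the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

_STAND_IN_SCRIPT = (
    "$ua='Mozilla/5.0 (constructed)';"
    "$u='http://c2.example.invalid/beacon';"  # placeholder, not a real C&C
    "Write-Output $u"
)

SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe "
    "CommandLine=notepad.exe report.txt",
    # wscript.exe launching a hidden, encoded PowerShell: the shape the .hta stager produces
    "ParentImage=C:\\Windows\\System32\\wscript.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -NoP -W Hidden -Enc " + _encode_ps(_STAND_IN_SCRIPT),
    "ParentImage=C:\\Windows\\System32\\cmd.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...); -ep / -ex do not match.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
NOPROFILE_RE = re.compile(r"(?i)-nop(?:rofile)?\b")
URL_RE = re.compile(r"https?://[^\s'\"]+")
UA_RE = re.compile(r"Mozilla/[^'\"]+")
# Parents that should rarely spawn PowerShell on a workstation: script hosts and Office applications.
SCRIPT_HOST_PARENTS = ("wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe")


def decode_encoded_command(cmdline: str):
    """Return the decoded script text if the command line carries an encoded command, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _field(line: str, name: str) -> str:
    # Anchor on a word boundary so "Image=" does not match inside "ParentImage=".
    m = re.search(r"(?:^|\s)" + name + r"=(\S+)", line)
    return m.group(1) if m else ""


def analyze_events(events):
    """Flag PowerShell launches with stager-like traits and surface any decoded URL / user agent."""
    findings = []
    for line in events:
        image = _field(line, "Image").lower()
        if not image.endswith(("powershell.exe", "pwsh.exe")):
            continue
        parent = _field(line, "ParentImage")
        cmd = line.split("CommandLine=", 1)[1] if "CommandLine=" in line else ""
        reasons = []
        script = decode_encoded_command(cmd)
        if script is not None:
            reasons.append("encoded command")
        if parent.lower().endswith(SCRIPT_HOST_PARENTS):
            reasons.append("spawned by " + parent.rsplit("\\", 1)[-1])
        if HIDDEN_RE.search(cmd):
            reasons.append("hidden window")
        if NOPROFILE_RE.search(cmd):
            reasons.append("-NoProfile")
        if not reasons:
            continue
        findings.append({
            "parent": parent,
            "reasons": reasons,
            "decoded": script,
            "urls": URL_RE.findall(script or ""),
            "user_agents": UA_RE.findall(script or ""),
        })
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f["parent"], f["reasons"], f["urls"], f["user_agents"])
```

The decoded script text is the artifact worth keeping: the C&C host and user-agent string extracted here feed directly into proxy and DNS searches for other infected hosts, and a parent of `wscript.exe` or `mshta.exe` combined with `-Enc` and a hidden window is a far stronger signal than any single flag on its own.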
After execution, the client gets the reverse connection using the listener and retrieves the compromised system details. The following figure shows the reverse shell from the victim’s system.
The figure below shows the C&C communication. The network traffic is encrypted and designed to blend in with normal network activity. The agent continuously sends GET requests to receive commands from the C&C for performing further malicious activities.
From the communication, we can see that the three requests listed below are continuously used for C&C communication.
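Because the agent polls its C&C on a fixed delay, the timing of those GET requests is far more regular than any human browsing session, and that regularity survives encryption and URL rotation. The script below is an added example, not code from the article or from the Empire project: it reads a constructed proxy log, groups requests by client and destination host, and flags pairs whose inter-request intervals have a near-zero coefficient of variation. The `c2.example.invalid` host and the three rotating paths are placeholders made up for the example; the article does not list the real request paths here.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log in the form "<iso-timestamp> <client-ip> <method> <url> <status> <bytes>".
# Not taken from the article; hosts and paths are placeholders.
def _build_sample_log():
    t0 = datetime(2023, 1, 1, 10, 0, 0)
    lines = []
    # Client 10.0.0.5 polls a placeholder C&C every 5 seconds, rotating three made-up paths.
    paths = ["/path-a", "/path-b", "/path-c"]
    for i in range(12):
        t = t0 + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 GET http://c2.example.invalid{paths[i % 3]} 200 312")
    # Client 10.0.0.9 browses an intranet site: human-paced, irregular intervals and varying sizes.
    for off, size in [(0, 5120), (7, 880), (9, 40210), (40, 1200), (41, 95),
                      (95, 7700), (130, 300), (131, 15000), (180, 2048)]:
        t = t0 + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} 10.0.0.9 GET http://intranet.example.invalid/page{off} 200 {size}")
    return lines


SAMPLE_PROXY_LOG = _build_sample_log()


def parse_line(line: str):
    ts, src, method, url, status, size = line.split()
    return datetime.fromisoformat(ts), src, method, urlparse(url).hostname, int(size)


def detect_beacons(lines, min_requests=8, max_cv=0.2):
    """Return (client, host) pairs whose request timing is too regular to be human browsing.

    cv = population stdev / mean of the inter-request intervals. A process polling on a fixed
    delay gives cv near 0; a browsing user scatters widely. Raising max_cv tolerates jittered
    beacons at the cost of more false positives, so tune it against your own proxy data.
    """
    times = defaultdict(list)
    sizes = defaultdict(list)
    for line in lines:
        ts, src, _method, host, size = parse_line(line)
        times[(src, host)].append(ts)
        sizes[(src, host)].append(size)

    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(intervals)
        if mean <= 0:  # all requests share one timestamp; nothing to measure
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            hits.append({
                "src": key[0],
                "host": key[1],
                "count": len(stamps),
                "mean_interval": mean,
                "cv": cv,
                # Empty-handed polls also tend to return the same byte count every time.
                "size_cv": statistics.pstdev(sizes[key]) / statistics.fmean(sizes[key]),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_PROXY_LOG):
        print(f"{hit['src']} -> {hit['host']}: {hit['count']} requests, "
              f"every {hit['mean_interval']:.1f}s (cv={hit['cv']:.2f}, size cv={hit['size_cv']:.2f})")
```

Interval regularity and response-size regularity are independent signals; a pair that scores low on both is worth pulling the proxy entries for, and matching the destination host against the URL decoded from the stager command line closes the loop between endpoint and network telemetry.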
Red teaming tools are critical for mimicking adversaries in order to garner insights for strengthening the cyber infrastructure of an organization. Contrary to their intended use, threat actors also employ these tools to perform highly stealthy and dangerous attacks against their targets. This makes it imperative for security leaders and defenders to have a detailed understanding of such tools for securing their organizations. In the course of our threat research, we have observed similar trends earlier, wherein malware developers were seen providing highly sophisticated tools to cybercriminals for financial gain. CRIL will continue monitoring the latest threat actors and trends across the surface, deep, and dark web and keep our readers informed on the latest cybersecurity challenges and updates.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Antiviruses and Android OS and take necessary actions accordingly.
MITRE ATT&CK® Techniques
|Tactic|Technique ID|Technique Name|
|---|---|---|
|Privilege Escalation|T1055|Process Injection|
|Defense Evasion|T1027|Obfuscated Files or Information|
Indicators of Compromise (IoCs)
|Indicator|
|---|
|Netflix Checker by GOD Cracked By GM`ka.rar|