This is a simulation of attack by (Energetic Bear) APT group targeting “eWon” is a Belgian producer of SCADA and industrial network equipmen, the attack campaign was active from January 2014,The attack chain starts with malicious XDP file containing the PDF/SWF exploit (CVE-2011-0611) and was used in spear-phishing attack. This exploit drops the loader DLL which is stored in an encrypted form in the XDP file, The exploit is delivered as an XDP (XML Data Package) file which is actually a PDF file packaged within an XML container. I relied on Kaspersky tofigure out the details to make this simulation: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080817/EB-YetiJuly2014-Public.pdf
This attack included several stages including exploitation of the (CVE-2011-0611) vulnerability which allows attackers to overwrite a pointer in memory by embedding a specially crafted .swf, The XDP file contains a SWF exploit CVE-2011-0611 and two files encrypted with XOR stored in the XDP file One of the files is malicious DLL the other is a JAR file which is used to copy and run the DLL by executing the Cmd command line
-
CVE-2011-0611: this module exploits a memory corruption vulnerability in Adobe Flash Player versions 10.2.153.1 and earlier, i maked Modified version of the exploit based on Windows 10.
-
CVE-2012-1723: this exploit allows for sandbox escape and remote code execution on any target with a vulnerable JRE (Java IE 8).
-
XDP file: this XDP file contains a malicious XML Data Package (XDP) with a SWF exploit (CVE-2011-0611), It also includes functionality to download additional files via HTML-Smuggling by apache host.
-
HTML Smuggling: the html-smuggling file is used after uploading it to the apache server to download other files, One of the files is DLL payload the other is a small JAR file.
-
JAR file: this jar file used to copy and run the DLL by executing the cmd command.
-
DLL payload: the attackers used havex trojan, havex scanned the infected system to locate any supervisory control and data acquisition SCADA.
-
Encrypted with XOR: the XDP file contains a SWF exploit and two files encrypted with XOR.
-
PHP backend C2-Server: the attckers used hacked websites as simple PHP C2 Server backend.
-
Final result: make remote communication by utilizes XOR encryption for secure data transmission between the attacker server and the target.
This module exploits a memory corruption vulnerability (CVE-2011-0611) in Adobe Flash Player versions 10.2.153.1 and earlier. The vulnerability allows for arbitrary code execution by exploiting a flaw in how Adobe Flash Player handles certain crafted .swf files. By leveraging this vulnerability, an attacker can execute arbitrary code on the victim's system.
sudo cp EnergeticBear_exploit.rb /usr/share/metasploit-framework/modules/exploits
sudo updatedb
msf6 > search EnergeticBear_exploit
This Modified version of the exploit CVE-2011-0611 based on Windows 10 ,the original exploit from : https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
This vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. if you need know more about CVE-2012-1723: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Java/CVE-2012-1723!generic&threatId=-2147302241
use exploit/multi/browser/java_verifier_field_access
The attackers actively compromises legitimate websites for watering hole attacks. These hacked websites in turn redirect victims to malicious JAR or HTML files hosted on other sites maintained by the group (exploiting CVE-2013-2465, CVE-2013-1347, and CVE-2012-1723 in Java 6, Java 7, IE 7 and IE 8), These hacked websites will be using a simple PHP C2 Server backend.
The exploit is delivered as an XDP (XML Data Package) file which is actually a PDF file packaged within an XML container. This is a known the PDF obfuscation method and serves as an additional anti-detection layer. if you need know more about XDP file: https://filext.com/file-extension/XDP
The XDP file contains a SWF exploit (CVE-2011-0611) and two files (encrypted with XOR) stored in the PDF file, It also includes functionality to download additional files via HTML-Smuggling by apache host.
The HTML smuggling file is used after uploading it to the apache server to download other files, One of the files is DLL payload the other is a small JAR file which is used to copy and run the DLL, the command line to make payload base64 to then put it in the HTML smuggling file: base64 payload.dll -w 0 and the same command but with jar file.
This jar file used to copy and run the DLL by executing the following command:
cmd /c copy payload.dll %TEMP%\\payload.dll /y & rundll32.exe %TEMP%\\payload.dll,RunDllEntry
It constructs a command to copy a file named payload.dll to the %TEMP% directory (typically the temporary directory) as payload.dll and then execute it using rundll32.exe and it waits for the process to finish using process.waitFor().
The attackers gained access to eWon’s FTP site and replaced the legitimate file with one that is bound with the Havex dropper several times.
The main functionality of this component is to download and load additional DLL modules into the
memory. These are stored on compromised websites that act as C&C servers. In order to do that, the
malware injects itself into the EXPLORER.EXE process, sends a GET/POST request to the PHP script
on the compromised website, then reads the HTML document returned by the script, looking for a
base64 encrypted data between the two “havex” strings in the comment tag <!--havexhavex-->
and writes this data to a %TEMP%<tmp>.xmd file (the filename is generated by GetTempFilename
function).
Full Disclosure of Havex Trojans: https://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans
If you need know more about Havex trojan: https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat
Notes on havex trojan: http://pastebin.com/qCdMwtZ6
In this simulation i used a simple payload with XOR encryption to secure the connection between the C2 Server and the Target Machine, this payload uses Winsock for establishing a tcp connection between the target machine and the attacker machine, in an infinite loop the payload receives commands from the attacker c2 decrypts them using (XOR) encryption executes them using system and then sleeps for 10 seconds before repeating the loop.
This network forensics form (SCADA hacker) about havex trojan: https://scadahacker.com/library/Documents/Cyber_Events/NETRESEC%20-%20SCADA%20Network%20Forensics.pdf
After making compile for the payload and jar file and make base64 for the jar file and DLL payload, i put them in the html smuggling file, then i make host for the html file, then i put this host in the XDP file next to CVE-2011-0611, then i make XOR encryption for XDP file, after this convert xdp to pdf.
i used browserling to make xor encrypt: https://www.browserling.com/tools/xor-encrypt
This PHP C2 server script enable to make remote communication by utilizes XOR encryption for secure data transmission between the attacker server and the target.
xor_encrypt($data, $key) This function takes two parameters: the data to be encrypted ($data) and the encryption key ($key) it iterates over each character in the data and performs an XOR operation between the character and the corresponding character in the key (using modulo to repeat the key if it's shorter than the data), the result is concatenated to form the encrypted output which is returned.
send_to_payload($socket, $data, $encryption_key) This function sends encrypted data to the target system (payload) over a socket connection it first encrypts the data using the xor_encrypt function with the provided encryption key then it writes the encrypted data to the socket using socket_write.
receive_from_payload($socket, $buffer_size, $encryption_key) This function receives encrypted data from the target system over a socket connection it reads data from the socket with a maximum buffer size specified by $buffer_size, the received encrypted data is then decrypted using the xor_encrypt function with the provided encryption key before being returned.
if you chose (command or URL) is encrypted using XOR encryption with a user-defined key before being sent to the target.
This other simulation for the same attack by cobaltstrike: https://www.youtube.com/watch?v=XkBvo6z0Tqo
1.Set up a web server or any HTTP server that can serve text content.
2.Upload a text file containing the commands you want the compromised system to execute.
3.Make sure the text file is accessible via HTTP and note down the URL.
4.When prompted by the script, enter the URL you obtained in step.
NOTE: If you choose to fetch commands from a URL it will prompt you to enter the URL, If you choose to enter commands directly it will prompt you to Enter a command to execute