@Atavic
Last active June 4, 2017 11:27
Athena Hera beaconing systems target the Microsoft operating system from Windows XP to Windows 10
[WIKILEAKS] The CIA's Athena/Hera systems provide remote beacon and loader capability on targets running Microsoft Windows,
from Windows XP to Windows 10.
REQUIREMENTS
• OpenSSL v1.1 or later (AES 256)
• Windows Crypto API (BCrypt)
The system is designed to allow a base installation (Athena) and an extended installation (Hera).
Summary of Capabilities:
• Executes on the Windows XP (SP3)/7/8.1/2008/2012/10 (x86/x64) operating systems.
• Provides a beaconing capability that handles configuration and tasking
• Provides memory loading/unloading of NOD Persistence Specification DLLs on the target system
• Provides delivery and retrieval of files to/from a specified directory on the target system
• Allows the operator to configure settings during runtime (while the implant is on target)
Athena is the primary implementation for use on WinXP through Win10 operating systems. This implementation uses the RemoteAccess
service for persistence, ZLIB for compression and XTEA for encryption on disk.
Hera is a secondary implementation for Windows 8 through Windows 10. The output receipt file will contain a special key
<BRAVO>1</BRAVO> in the XML file. This implementation uses the Dnscache service for persistence, BZIP2 for compression and AES
256 for encryption on disk.
Differences between the Athena and Hera versions are described in Athena-v1_0-UserGuide.
The boot persistence method relies on the fact that services load a support DLL at runtime based on values stored in the
registry, without necessarily validating the DLL being loaded. One requirement is that the DNS Client (Dnscache) service must
have the Automatic startup type. The Athena DLL then runs as SYSTEM/Network Service with full access to outbound IP ports,
without changing the Windows Firewall settings. No changes to the service's settings in the SCM are required: just one
change in the Dnscache Parameters registry key and two DLL files stored on disk.
Hijack of the DNS svchost:
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\extension
  %SystemRoot%\System32\Microsoft\Crypto\DNS\dnsclext.dll
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ImagePath
  %SystemRoot%\system32\svchost.exe -k netsvcs
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ObjectName
  LocalSystem
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
  netsvcs – insert dnscache
Target: %SystemRoot%\System32\Microsoft\Crypto\DNS\dnsclext.dll
Data: %SystemRoot%\System32\codeintegrity\dns.cache
Legacy svchost (if the extension value does not exist):
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\ServiceDll
  %SystemRoot%\System32\ShellExt\dnsrslvr.dll
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ImagePath
  %SystemRoot%\system32\svchost.exe -k netsvcs
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ObjectName
  LocalSystem
Target: %SystemRoot%\System32\ShellExt\dnsapi.dll
Main: %SystemRoot%\System32\ShellExt\dnsrslvr.dll (copy of the original)
Data: %SystemRoot%\System32\codeintegrity\dns.cache
The path can be anywhere except System32 itself: the service loads the target code, and the target code loads the original
DLL using its full path in System32. The dnsext.dll module can be dynamically unloaded at startup because nothing references it.
As of Windows 8.1, the svchost instance that hosts the Dnscache service also hosts the following services: CryptSvc,
Dnscache, LanmanWorkstation, NlaSvc and TermService. These services listen on ports 3389 (RDP) and 5355 (LLMNR). When the host
DLL is loaded into the process and communicates with the C&C server, an outbound connection to port 443 (SSL) shows up in the
ESTABLISHED state. It has been observed and confirmed that this anomaly is not flagged by PSPs (personal security products).
The size of the host DLL binary must be less than 280KB, which includes the DLL shell, execution dispatcher, loader,
engine, C&C client, beacon, command processor and uninstaller. The host DLL is allowed to make any calls it requires to Win32
APIs and native NTDLL functions without restriction.
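The following PowerShell script is an added example written for these notes; it is not part of the original gist or of any tooling the notes describe. It turns the observation above into a host check: it finds the svchost instance hosting Dnscache, lists the services sharing it, its listening ports, its established TCP connections (flagging remote port 443 or any non-private peer) and the modules loaded from outside System32 itself. The private-address ranges, the "SUSPICIOUS" label and the assumption that this process has no legitimate reason to reach the Internet directly are the example's own.

```powershell
# Added example, not from the original gist: correlate the svchost instance that
# hosts Dnscache with the services it shares, its listening ports and its
# established TCP connections. Per the notes this process normally only listens
# (3389 RDP, 5355 LLMNR), so an ESTABLISHED outbound connection to port 443 is
# the anomaly to look for. Needs an elevated PowerShell and the NetTCPIP module
# (Windows 8 / Server 2012 or later). Read-only; it changes nothing on the host.
$dns = Get-CimInstance Win32_Service -Filter "Name='Dnscache'"
if (-not $dns -or $dns.ProcessId -eq 0) { throw 'Dnscache is not running; nothing to inspect.' }
$hostPid = [int]$dns.ProcessId

# Other services sharing this svchost (the notes list CryptSvc, LanmanWorkstation,
# NlaSvc and TermService alongside Dnscache on Windows 8.1).
$siblings = Get-CimInstance Win32_Service -Filter "ProcessId=$hostPid" | ForEach-Object Name
"svchost PID $hostPid hosts: $($siblings -join ', ')"

# Listening sockets: the expected baseline for this process.
"Listening:"
Get-NetTCPConnection -OwningProcess $hostPid -State Listen -ErrorAction SilentlyContinue |
    Sort-Object LocalPort -Unique | Select-Object LocalAddress, LocalPort | Format-Table -AutoSize

# RFC 1918, loopback, link-local and IPv6 ULA ranges. Assumption: the process has
# no business talking to anything outside these, so other peers are flagged too.
function Test-PrivateAddress([string]$Addr) {
    return ($Addr -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') -or
           ($Addr -match '^(::1$|fe80:|f[cd])')
}

# Established connections: every one is reported; port 443 (the C&C pattern in
# the notes) or a non-private peer gets the SUSPICIOUS flag.
"Established:"
Get-NetTCPConnection -OwningProcess $hostPid -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $flag = if ($_.RemotePort -eq 443 -or -not (Test-PrivateAddress $_.RemoteAddress)) { 'SUSPICIOUS' } else { '' }
        [pscustomobject]@{
            Local  = "$($_.LocalAddress):$($_.LocalPort)"
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"
            Flag   = $flag
        }
    } | Format-Table -AutoSize

# Modules loaded into the process. The implant DLL from the notes would appear
# here under a System32 subdirectory rather than System32 itself; legitimate
# resource DLLs (e.g. *.mui under System32\en-US) also match, so treat this list
# as input for review, not as a verdict.
"Modules loaded from outside System32 itself:"
Get-Process -Id $hostPid -Module -ErrorAction SilentlyContinue |
    Where-Object { (Split-Path -Path $_.FileName -Parent).TrimEnd('\') -ine "$env:SystemRoot\System32" } |
    Select-Object ModuleName, FileName | Format-Table -AutoSize
```

Run it from an elevated prompt; a stock host should show only the listening sockets and an empty or resource-only module list, and any ESTABLISHED row carrying the SUSPICIOUS flag is the condition the notes describe as invisible to PSPs.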
The data persistence module has code blocks and configuration data:
• Config
• Engine
• Command
• Uninstall
• DynConfig – dynamic data at the end of this file or in the registry.
DATA LOCATION: c:\windows\system32\codeintegrity\dns.cache (masked/encrypted binary file)
The DLL host-based installer performs the following steps:
• Place the host DLL in the c:\windows\system32\Microsoft\Crypto\DNS directory.
• Place the host data file in c:\windows\system32\codeintegrity.
• Replace the DLL path in the DnsCache service's registry entry to point to the host DLL.
• Restart the DnsCache service.
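The following PowerShell script is an added example written for these notes; it is not part of the original gist or of any tooling the notes describe. It covers both the two hijack layouts listed above (the Parameters\extension value and the legacy ServiceDll value, plus ImagePath, ObjectName and the netsvcs group) and the installer's drop directories: it reads each value, verifies the Authenticode signature of every DLL the registry points at, and lists files found in the drop locations. The baseline it compares against (a Microsoft-signed dnsrslvr.dll directly in System32, the service in the NetworkService group running as NT AUTHORITY\NetworkService, no extension value) and the "ok/REVIEW/SUSPICIOUS" labels are the example's own assumptions about a stock install.

```powershell
# Added example, not from the original gist: read-only audit of the Dnscache
# service configuration for the registry-based DLL hijack described in the notes.
# Run in an elevated PowerShell on the host being checked. The baseline values
# below are assumptions about a stock Windows install; adjust them to your image.
$svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
$paramKey   = "$svcKey\Parameters"
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$system32   = "$env:SystemRoot\System32"

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# Inspect one DLL path taken from the registry. The notes place the implant DLL
# in a subdirectory of System32 (Microsoft\Crypto\DNS or ShellExt) and leave it
# unsigned, so anything outside System32 itself, or without a valid Microsoft
# signature, is flagged.
function Test-DllPath([string]$Check, [string]$RawPath) {
    if ([string]::IsNullOrEmpty($RawPath)) { Add-Finding $Check 'absent' ''; return }
    $path = [Environment]::ExpandEnvironmentVariables($RawPath)
    if (-not (Test-Path -LiteralPath $path)) {
        Add-Finding $Check 'SUSPICIOUS' "file not found: $path"; return
    }
    $sig        = Get-AuthenticodeSignature -LiteralPath $path
    $inSystem32 = (Split-Path -Path $path -Parent).TrimEnd('\') -ieq $system32
    $msSigned   = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'Microsoft')
    $status     = if ($inSystem32 -and $msSigned) { 'ok' } else { 'SUSPICIOUS' }
    Add-Finding $Check $status "$path (signature: $($sig.Status))"
}

$svc    = Get-ItemProperty -Path $svcKey   -ErrorAction SilentlyContinue
$params = Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue

# Assumed baseline: stock Dnscache loads dnsrslvr.dll from System32 via ServiceDll.
Test-DllPath 'Parameters\ServiceDll' $params.ServiceDll
# 'extension' is the hook used by the non-legacy layout in the notes. Assumption:
# it is not set on a stock install, so any value here deserves a look.
Test-DllPath 'Parameters\extension'  $params.extension

# The notes move the service into the netsvcs group and run it as LocalSystem.
# Assumed baseline: '-k NetworkService' and 'NT AUTHORITY\NetworkService'.
$imagePath  = [string]$svc.ImagePath
$objectName = [string]$svc.ObjectName
Add-Finding 'ImagePath' $(if ($imagePath -match '(?i)-k\s+NetworkService') { 'ok' } else { 'REVIEW' }) $imagePath
Add-Finding 'ObjectName' $(
    if ($objectName -ieq 'NT AUTHORITY\NetworkService') { 'ok' }
    elseif ($objectName -ieq 'LocalSystem') { 'SUSPICIOUS' }
    else { 'REVIEW' }) $objectName

$netsvcs = (Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue).netsvcs
if (@($netsvcs) -icontains 'dnscache') {
    Add-Finding 'Svchost\netsvcs' 'SUSPICIOUS' 'dnscache is listed in the netsvcs group'
} else {
    Add-Finding 'Svchost\netsvcs' 'ok' 'dnscache is not in the netsvcs group'
}

# Drop locations and file names taken from the notes. Files with one of those
# names are flagged; everything else found there is listed for review. Note that
# System32\CodeIntegrity exists on stock Windows, so its catalog and policy
# files are expected to show up as REVIEW.
$dropDirs  = "$system32\Microsoft\Crypto\DNS", "$system32\ShellExt", "$system32\codeintegrity"
$dropNames = 'dnsclext.dll', 'dnsrslvr.dll', 'dnsapi.dll', 'dns.cache'
foreach ($dir in $dropDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        $sigStatus = (Get-AuthenticodeSignature -LiteralPath $f.FullName).Status
        $status    = if ($dropNames -icontains $f.Name) { 'SUSPICIOUS' } else { 'REVIEW' }
        Add-Finding "file in $dir" $status "$($f.Name) (signature: $sigStatus)"
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object Status -eq 'SUSPICIOUS') {
    Write-Warning 'Dnscache configuration deviates from the assumed baseline; investigate before trusting this host.'
}
```

The check deliberately keys on the property the notes themselves rely on: the service blindly loads whatever the registry names, so the registry values and the signature of the files they point at are where the deviation is visible, regardless of which DLL name a given build uses.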
Command Shell (example):
Management Features
========================================
receipt script output list delete id
Command Features
========================================
execute get put memload memunload set uninstall
Exit Commands
==============
bye exit
User Interface Example: Tasker Main Menu (Athena)
>python.exe tasker.py
Management Features
============================================================
receipt generate ls rm import id help
Command Features
============================================================
execute get put memload memunload set delete uninstall
Exit Commands:
============================================================
bye exit
Welcome to the Tasker shell. Type help or ? to list commands.
Command Line Options:
>python.exe tasker.py -h
usage: tasker.py [-h] [-r RECEIPT] [-s SCRIPT] [-g GENERATE] [-p PRIORITY] [-x] [-e] [--id ID] [--debug]
Tasker Configuration optional arguments:
-h, --help show this help message and exit
-r RECEIPT, --receipt This argument defines an existing receipt filename to be used for processing.
-i SCRIPT, --import This argument provides the ability to import a script for processing.
-g GENERATE, --generate This argument provides the output path location.
-p PRIORITY, --priority This argument provides ability to set the priority/ordering (0..255) NOTE: 128->default and 0->highest.
-x, --persist This argument provides ability to set the batch as a persistent batch.
-e, --stoponerror This argument provides ability to stop the batch on a command execution error.
--id ID This argument provides the ability to force a specific initial task ID for a tasking session (usually just used for debugging purposes - number is decoded as hex).
--debug This argument allows debugging information to be included in the output directory.
PARSER TOOL
Usage: parser.py [-h] [-r RECEIPT] [-i INPUT] [-d] [-o OUTPUT] [-m]
Parser Configuration optional arguments:
-h, --help show this help message and exit
-r RECEIPT, --receipt This argument defines an existing receipt filename or directory of receipts to be used for processing.
-i INPUT, --input This argument provides the ability to import a file or directory of files.
-d, --debug Enable decoding of unencrypted files from target.
-o OUTPUT, --output This argument provides the output path location.
-m, --nomark This argument provides the ability to reuse a processed directory. By default, the parsing code will mark processed files with a date prefix as 20150908_1010_{30996559-C169-490B-A40B-4ADB597E0D19}
The host DLL bypasses PSPs such as Kaspersky Total Security (kts16.0.0.614en_8244.exe) and Kaspersky
Internet Security (kis16.0.0.614en_8232.exe) configured with default settings.
CIA Issues & Concerns
The host DLL is not signed. Due to copyright issues the host DLL will not have a publisher name, which may cause the DLL to
stand out in both the Sysinternals SigCheck and AutoRuns tools.
Sysinternals AutoRuns signature verification
AutoRuns by Sysinternals provides a Services tab that lists all services registered on the system. These include executable
services and DLL-based services hosted by svchost.exe.
AutoRuns' default setting is "Hide Windows Entries", which causes AutoRuns to list only third-party services, including ones
from Microsoft that are not part of the Windows OS. If the user/analyst enables "Verify Code Signatures" and at the same time
unchecks "Hide Windows Entries", the host DLL (dnsclnt.dll) will be flagged as '(Not Verified)'. This feature of AutoRuns is
the reason for selecting DnsExt.dll instead of DnsRslvr.dll as the persistence mechanism.
Sysinternals SigCheck
The Sysinternals tool SigCheck performs executable signature verification, including validating the code-signing certificate
chain of trust. The tool is capable of recursively scanning the contents of a directory and listing the files that are unsigned.
The command line "sigcheck -e -s -u c:\windows\system32" will recursively scan all directories under Windows\System32 and
list only the unsigned DLLs, exposing Athena's DnsExt.dll.