Last active
June 4, 2017 11:27
Athena Hera beaconing systems target the Microsoft operating system from Windows XP to Windows 10
[WIKILEAKS] CIA Athena/Hera systems provide remote beacon and loader capability on targets running the Microsoft operating system from Windows XP to Windows 10.

REQUIREMENTS
• OpenSSL v1.1 or later (AES 256)
• Windows Crypto API (BCrypt)

The system is designed to allow a base installation (Athena) and an extended installation (Hera).

Summary of Capabilities:
• Executes on the Windows XP (SP3)/7/8.1/2008/2012/10 (x86/x64) operating systems.
• Provides a beaconing capability that handles configuration and tasking.
• Provides memory loading/unloading of NOD Persistence Specification DLLs on the target system.
• Provides delivery and retrieval of files to/from a specified directory on the target system.
• Allows the operator to configure settings during runtime (while the implant is on target).

Athena is the primary implementation for use on WinXP through Win10 operating systems. This implementation uses the RemoteAccess service for persistence, ZLIB for compression and XTEA for encryption on disk.

Hera is a secondary implementation for Windows 8 through Windows 10. Its output receipt file contains a special key, <BRAVO>1</BRAVO>, in the XML file. This implementation uses the Dnscache service for persistence, BZIP2 for compression and AES 256 for encryption on disk.

Differences between the Athena and Hera versions are described in Athena-v1_0-UserGuide.
The boot persistence method exploits the weakness that services load a support DLL at runtime based on values stored in the registry, without necessarily validating the DLL they are loading. One requirement is that the Dnscache (DNS Client) service must be set to the automatic startup type. The Athena DLL then runs as SYSTEM/Network Service with full access to outbound IP ports, without changing Microsoft firewall settings. No changes are required to the service settings held by the SCM: just one change in the DNS parameters registry key and two DLL files written to disk.
Hijack DNS srvhost:
  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\extension
    %SystemRoot%\System32\Microsoft\Crypto\DNS\dnsclext.dll
  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ImagePath
    %SystemRoot%\system32\svchost.exe -k netsvcs
  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ObjectName
    LocalSystem
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    netsvcs – insert dnscache
  Target: %SystemRoot%\System32\Microsoft\Crypto\DNS\dnsclext.dll
  Data:   %SystemRoot%\System32\codeintegrity\dns.cache

Legacy srvhost (if extension does not exist):
  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\ServiceDll
    %SystemRoot%\System32\ShellExt\dnsrslvr.dll
  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ImagePath
    %SystemRoot%\system32\svchost.exe -k netsvcs
  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ObjectName
    LocalSystem
  Target: %SystemRoot%\System32\ShellExt\dnsapi.dll
  Main:   %SystemRoot%\System32\ShellExt\dnsrslvr.dll (copy of the original)
  Data:   %SystemRoot%\System32\codeintegrity\dns.cache
The path can be anywhere but system32: the service loads the target code, and the target code loads the original DLL using the full path to system32. The dnsext.dll module can be dynamically unloaded at startup time because nothing references it.

The instance of svchost that hosts the Dnscache service also hosts the following services as of Windows 8.1: CryptSvc, Dnscache, LanmanWorkstation, NlaSvc and TermService. These services listen on ports 3389 (RDP) and 5355 (LLMNR). When the host DLL is loaded in the process and communicates with the C&C server, port 443 (SSL) shows up in ESTABLISHED state. It has been observed and confirmed that this anomaly is not flagged by PSPs (personal security products).

The size of the host DLL binary must be less than 280KB, which includes the DLL shell, execution dispatcher, loader, engine, C&C client, beacon, command processor and uninstaller. The host DLL may make any calls it requires to Win32 APIs and NTDLL native APIs without restriction.
The Data Persistence module has the following code blocks and configuration data:
  • Config
  • Engine
  • Command
  • Uninstall
  • DynConfig – dynamic data at the end of this file or in the registry.
DATA LOCATION: c:\windows\system32\codeintegrity\dns.cache (masked/encrypted binary file)

The DLL host based installer performs the following steps:
  • Place the host DLL in the c:\windows\system32\Microsoft\Crypto\DNS directory.
  • Place the host data file in c:\windows\system32\codeintegrity.
  • Replace the DLL path in the DnsCache service's registry entry to point to the host DLL.
  • Restart the DnsCache service.
Command Shell (example):

Management Features
========================================
receipt script output list delete id
Command Features
========================================
execute get put memload memunload set uninstall
Exit Commands
==============
bye exit

User Interface Example: Tasker Main Menu (Athena)

>python.exe tasker.py
Management Features
============================================================
receipt generate ls rm import id help
Command Features
============================================================
execute get put memload memunload set delete uninstall
Exit Commands:
============================================================
bye exit
Welcome to the Tasker shell. Type help or ? to list commands.
Command Line Options:

>python.exe tasker.py -h
usage: tasker.py [-h] [-r RECEIPT] [-s SCRIPT] [-g GENERATE] [-p PRIORITY]
                 [-x] [-e] [--id ID] [--debug]

Tasker Configuration optional arguments:
  -h, --help               show this help message and exit
  -r RECEIPT, --receipt    This argument defines an existing receipt filename to be used for processing.
  -i SCRIPT, --import      This argument provides the ability to import a script for processing.
  -g GENERATE, --generate  This argument provides the output path location.
  -p PRIORITY, --priority  This argument provides ability to set the priority/ordering (0..255). NOTE: 128->default and 0->highest.
  -x, --persist            This argument provides ability to set the batch as a persistent batch.
  -e, --stoponerror        This argument provides ability to stop the batch on a command execution error.
  --id ID                  This argument provides the ability to force a specific initial task ID for a tasking session (usually just used for debugging purposes - number is decoded as hex).
  --debug                  This argument allows debugging information to be included in the output directory.

PARSER TOOL

Usage: parser.py [-h] [-r RECEIPT] [-i INPUT] [-d] [-o OUTPUT] [-m]

Parser Configuration optional arguments:
  -h,                      show this help message and exit
  -r RECEIPT, --receipt    This argument defines an existing receipt filename or directory of receipts to be used for processing.
  -i INPUT, --input        This argument provides the ability to import a file or directory of files.
  -d, --debug              Enable decoding of unencrypted files from target.
  -o OUTPUT, --output      This argument provides the output path location.
  -m, --nomark             This argument provides the ability to reuse a processed directory. By default, the parsing code will mark processed files with a date prefix as 20150908_1010_{30996559-C169-490B-A40B-4ADB597E0D19}
The host DLL bypasses PSPs such as Kaspersky Total Security (kts16.0.0.614en_8244.exe) and Kaspersky Internet Security (kis16.0.0.614en_8232.exe) configured with default settings.
CIA Issues & Concerns

The host DLL is not signed. Due to copyright issues the host DLL will not carry a publisher name, which may cause the DLL to stand out in both the Sysinternals SigCheck and AutoRuns tools.

Sysinternals AutoRuns signature verification

AutoRuns by Sysinternals provides a Services tab that displays the list of all services registered on the system. These services include executable services and DLL based services hosted by svchost.exe. AutoRuns's default setting is to "Hide Windows Entries", which causes AutoRuns to list only third party services, including ones from Microsoft that are not part of the Windows OS. If the user/analyst enables "Verify Code Signatures" and at the same time unchecks "Hide Windows Entries", the host DLL (dnsclnt.dll) will be flagged as '(Not Verified)'. This feature of AutoRuns is the reason DnsExt.dll was selected instead of DnsRslvr.dll as the persistence mechanism.

Sysinternals SigCheck

The Sysinternals tool SigCheck performs executable signature verification, including validation of the code signing certificate chain of trust. The tool can recursively scan the contents of a directory and list the files that are unsigned. The command line "sigcheck -e -s -u c:\windows\system32" will recursively scan all directories under Windows\System32 and list only the unsigned DLLs, exposing Athena's DnsExt.dll.
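As an added defender-side check (not part of the leaked documentation or of any tooling it describes), the following PowerShell audits the Dnscache registry values listed under "Hijack DNS srvhost" and "Legacy srvhost" above and applies the same signature verification that AutoRuns and SigCheck perform to whatever DLL the service actually references. It assumes an elevated session on Windows; the expected baseline values (stock ServiceDll, NetworkService host group and account, dnscache absent from the netsvcs group) are assumptions to confirm against a known-good host in your own environment.

```powershell
# Added audit script, not part of the leaked documentation. Assumes an elevated
# PowerShell session on Windows; the "expected" values are assumed stock
# Dnscache settings and should be confirmed against a known-good host.
$svcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
$grpKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$expectedDll = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32\dnsrslvr.dll')
$findings    = New-Object System.Collections.Generic.List[string]

$svc    = Get-ItemProperty -Path $svcKey -ErrorAction Stop
$params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction Stop

# "Hijack DNS srvhost" variant: a Parameters\extension value is added; a clean system has none.
if ($params.PSObject.Properties.Name -contains 'extension') {
    $findings.Add("Parameters\extension present: $($params.extension)")
}
# "Legacy srvhost" variant: ServiceDll is redirected away from the stock resolver DLL.
if ($params.ServiceDll -and $params.ServiceDll -ine $expectedDll) {
    $findings.Add("ServiceDll redirected: $($params.ServiceDll) (expected $expectedDll)")
}
# Both variants move the service into the netsvcs host group and run it as LocalSystem.
if ($svc.ImagePath -notmatch '-k\s+NetworkService') {
    $findings.Add("ImagePath host group changed: $($svc.ImagePath)")
}
if ($svc.ObjectName -ieq 'LocalSystem') {
    $findings.Add('ObjectName is LocalSystem (expected NT AUTHORITY\NetworkService)')
}
if ((Get-ItemProperty -Path $grpKey).netsvcs -icontains 'dnscache') {
    $findings.Add('dnscache has been inserted into the netsvcs svchost group')
}

# Verify the Authenticode signature of every DLL the service references, the same
# check AutoRuns "Verify Code Signatures" and "sigcheck -u" perform.
foreach ($ref in @($params.ServiceDll, $params.extension) | Where-Object { $_ }) {
    $path = [Environment]::ExpandEnvironmentVariables($ref)
    if (-not (Test-Path -LiteralPath $path)) {
        $findings.Add("Referenced DLL missing on disk: $path")
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings.Add("Unsigned or non-Microsoft DLL referenced by Dnscache: $path [$($sig.Status)]")
    }
}

if ($findings.Count -eq 0) { 'Dnscache service configuration matches the expected baseline.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Any finding should be followed up by collecting the referenced DLL and the data file path named above for offline analysis rather than by deleting it in place.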