Extracting CrossC2 Configurations

Subject: Extracting CrossC2 Configurations

Tactics: TA0011 Command and Control, TA0005 Defense Evasion

Technique: T1071 Application Layer Protocol, T1140 Deobfuscate/Decode Files or Information

Procedure:

The CrossC2 framework generates obfuscated Cobalt Strike payloads for Unix-like systems. These payloads contain encrypted configurations and potentially Malleable C2 profiles within an appended overlay. The payload itself may be packed with UPX and further obfuscated with techniques like LLVM string encryption. The configurations are encrypted using AES-128 CBC with a hardcoded key and IV.

Vulnerability: EAV0028 When adversaries collect manipulated artifacts, they are vulnerable to revealing their presence when using or moving the artifacts elsewhere in the engagement environment.

Engagement Opportunity:

This case highlights the importance of being able to analyze and deobfuscate files. Develop or leverage tools capable of unpacking, decrypting, and decoding obfuscated malware components. Consider implementing network security monitoring tools to detect and analyze the C2 traffic based on the decrypted Malleable C2 profiles. By understanding the adversary’s C2 infrastructure and communication methods, defenders can identify and block malicious traffic, disrupt attacks, and potentially gain insights into the attacker’s operations.

Threat Actor: Unknown, potentially Chinese-speaking (based on the report’s origin and mention of Qi An Xin)

Threat Objective:

Deploy Cobalt Strike beacons for command and control, likely leading to further post-exploitation activities such as data exfiltration, lateral movement, or privilege escalation.

Deception Opportunity:

Deploy honeypots mimicking Linux systems with deliberately vulnerable configurations to attract and capture CrossC2 payloads. Analyze captured payloads to extract C2 information and Malleable C2 profiles, which can be used to create deceptive C2 infrastructure. This infrastructure could mimic the real C2, feeding false information to the attackers and gathering intelligence on their tools, techniques, and objectives.

Sensor Data Placement: Application

Observable Level: Core to Some Implementations of (Sub-)Technique

Scoring Rationale:

  • Sensor Data Placement: Application (for payload analysis), Network (for C2 traffic monitoring)
  • Observable Level:
    • Payload Encryption Key and IV: Core to Adversary-Brought Tool (the specific implementation of CrossC2)
    • C2 Communication based on Malleable C2 Profile: Core to Some Implementations of (Sub-)Technique (as Malleable C2 profiles are customizable)
  • Scoring Rationale: The hardcoded encryption key and IV are specific to this version of the CrossC2 tool, making them reliable indicators as long as the adversary continues to use the same tool. The Malleable C2 profiles, while providing valuable insight into C2 communication, can be customized by the adversary, making them potentially less reliable for long-term detection.

Link to Report: https://rt-solar.ru/solar-4rays/blog/4900/

Additional Comments:

The report highlights the continued use of CrossC2 in the wild, emphasizing the need for defenders to be aware of this framework and its capabilities. The static analysis was hindered by obfuscation, leading to the use of dynamic analysis with tools like API Monitor to uncover the encryption mechanism.

Possible elements: Honeyfile with Canary Token, Log Files Decoy

MSG (Pseudocode):

# Malicious Sub-Graph Standard

[1]: Defense Evasion - T1140 Deobfuscate/Decode Files or Information - Decrypt appended overlay in payload using AES-128 CBC with hardcoded key and IV (Core to Adversary-Brought Tool)
[2]: Command and Control - T1071 Application Layer Protocol: HTTP - Communicate with C2 server using HTTP according to Malleable C2 profile (Core to Some Implementations of (Sub-)Technique)

1 --> 2 (Lack of Visibility into Encrypted Payloads)


# Pseudocode Standard

function Defense_Evasion_T1140_Deobfuscate_Decode_Files_or_Information(obfuscated_payload):
    # Identify and remove any packing (e.g., UPX)
    # Locate the encrypted configuration data in the payload
    # Decrypt the configuration data using AES-128 CBC with the hardcoded key and IV
    return decrypted_config, Malleable_C2_profile

function Command_and_Control_T1071_Application_Layer_Protocol(decrypted_config, Malleable_C2_profile):
    # Establish a connection to the C2 server based on decrypted_config
    # Use Malleable_C2_profile to shape HTTP traffic for command and control
    return C2_communication
