Building an Empire one PowerShell Exploit at a Time
In the last two years, PowerShell use in malware has sharply risen. A lot of penetration tools and frameworks such as PowerSploit, Empire, Nishang, PS>Attack offer the ability to generate PowerShell payloads. Empire is an open source PowerShell post-exploitation agent built on cryptographically secure communications and a flexible architecture. Empire was used for the second stage of the Olympic Destroyer attack this year. Olympic Destroyer is an APT attack that target organizers, suppliers, and partners of the Winter Olympic Games 2018 in Pyeongchang, South Korea.
Empire implements the ability to run PowerShell agents without needing powershell.exe in Windows or Python 2.6/2.7 on Linux. Researchers have found many Empire listeners in the wild using Shodan. Empire includes many exploit modules for reconnaissance, lateral movement, persistence, data collection, and privilege escalation. The Application and Threat Intelligence (ATI) research team has analyzed the Empire framework and will deliver strikes that simulate Empire’s behavior.
There are many ways to identify PowerShell Empire command and control (C&C) activity such as identifying its HTTP requests and the backdoors it creates. The ATI team recently captured PowerShell launcher malware that are generated by Empire in the wild. After decoding the obfuscated script, we get the script shown in Figure 1. This launcher uses HTTP protocol to communicate with the C&C server.
The Empire listener is a C&C server that handles communications with agents. There are 9 listeners in Empire Version 2.5. For example, the HTTP listener will start an HTTP(S) listener that uses a GET/POST method. http_com listener will start an HTTP(S) listener that uses a GET/POST method using a hidden Internet Explorer COM object.
Empire implements many different types of stagers. These stagers include DLLs, macros, hta, and vbs as shown in Figure 3. For more details about Empire stager, please check this.
The launcher can create a python and powershell stager that is base64 encoded (Figure 3). The stager can connect to the listener and create an agent, shown in Figure 4.
In figure 6, we can see the decoded base64 encoded python script from figure 4.
Empire has an option to generate a Macroless Microsoft Office word document that can download and run a malicious powershell script from the server and set up the connection. The word document uses the autoDDE feature to execute the macro. Windows provides several methods for transferring data between applications. One method is to use the dynamic data exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.
To generate the Macroless document, use the following command:
Options Listener and OuputPath are required. Once both empire.docx and default.ps1 is generated in /tmp/ folder, hackers can send empire.docx to the target and use phishing to encourage the victim to open the document. Once the victim opens this malicious word document, it will download a PowerShell script from the server and execute it to get connection.
Once attackers get the connection either by the stager or Macroless office document, Empire provides several modules to keep the persistence. One of them is by using registry.
After setting Listener and RegPath, Empire can write a new registry record.
The registry value is base64 encoded, once we decode the script, it looks like this:
The script in this registry value will persist a stager (or script) via the HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key to configure elevated persistence options for the Add-Persistence function.
Here at the ATI Research Center, we analyzed and reverse-engineered the Empire post-exploration framework, and are also working on strikes development that relate to Empire.
C&C server: http://213.215.18[.]19
LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS
The Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.