The case of getlook23: Using GitHub Issues as a C2

This is a brief analysis of a sample I came across on twitter which uses a GitHub issue as a communication channel for the malware. Although the use of free web-services as a C2 channel is not new, the use of a Github issue for a command/response channel was interesting.

Dropper

The initial dropper 8e84a56d5e46c903ece7fbfacd4380fc30933309 is a .NET application with an icon and file properties modified to mask the file as a Cisco patch.

Dropper

Analyzing the file properties reveals some suspicious characteristics of the sample:

  • The patch version is 1.0.0.0
  • The file description only capitalizes Cisco and doesn't say which product the patch is for.
Dropper properties

The file has been obfuscated using the Dotfuscator .NET obfuscation tool with the parameters Dotfuscator("124576:1:1:4.9.6005.29054", 1, true)

Once executed, a form is displayed to the user where it appears to start an update process by animating a progress bar and displaying update details. The title shows the file is masking as a patch for a Cisco VPN Client.

Looking at the code used to populate the status bar and details shows that it is simply looping through an array of static data. Although some care was taken to lead the user into believing their system was being updated, all of the details are hard coded for the 'Administrator' account. The files listed also appear to be related to DirectX and not with a Cisco VPN client.

Dropper Update Data

While the update screen is displaying to the user, the payload is extracted from the the explorer resource and written to the hard-coded path C:\Users\'username'\AppData\explorer.exe. using property Environment.UserName to get the currently running user.

Once the binary is extracted, the sample uses Process.Start to launch the extracted payload, it then 'completes' the update and enables the Finish button, so the user can close the application.

Payload

The payload (e1a2f786bfc0c50e9b7858283748d1f7928310d4) is also a .NET application which masks itself as Windows Explorer. Looking at the file properties shows some care was taken to use what appear to be real values for some of the properties.

As seen in the initial dropper, the payload is also obfuscated using dotfuscator and the string 124576:1:1:4.9.6005.29054

When launched the application uses an 'offscreen' location (-300, -300) to ensure the form is not visible to the user.

Once the file is running it instantiates an instance of the WebBrowser class and sets the visible properties to ensure the component is also hidden from the user. The browser Url is set to https://github.com/login and a custom event handler is created for completed document requests.

After the initialization the browser is set to suppress script errors and navigate to the Github address and a background thread is created to begin execution.

Within the spawned thread, it will again navigate to the login page.
Note: This may be a bug/oversight of the author or it is to ensure that the payload is logged in as the repository user during each request iteration.

Once the login page is passed to the document handler it will login as the user getlook23

The thread will sleep for 30 seconds before iterating through a number of commands:

  • Ensure persistence - Create the value ExplorerConfig in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Set it to the location of the extracted payload ..\AppData\explorer.exe
  • Navigate to hxxps://github[.]com/getlook23/project1/issues/1

Communication Loop

The process will now loop through and Navigate to the issues URL, passing control to the document completed event handler which was created during initialization.

A high level view of the communication process can be seen below.
High Level View of Communication Loop

Each browser request will trigger the following:

  • Get the value of the META tag twitter:description. This looks to be used as a 'shortcut' to the command which is contained within the first comment on the issue. GitHub will populate the twitter:description meta tag with the value with the first comment.
  • Decrypt the command
  • Check if the request is NO; Do nothing and sleep.
  • Check if the request contains 'download'. If it does download using the URL in the command to ..\AppData\Local\update.exe
    • Return "downloaded" on Success
    • Return "download failed" on Failure
  • Check if the request contains 'run', if it does call Process.Start to execute the passed command.
    • Return "file is running" on Success
    • Return "run fail" on Failure
  • If the request does not contain download or run use cmd.exe to execute the command by creating a ProcessStartInfo object and capturing data sent to standard out.
ProcessStartInfo Initialization Values
  • Check if the command result isn't empty and encrypt the result and insert it as a comment on the issue using the format [Result Text]----[Environment.UserName]

Encryption

The malware uses DES to encrypt the command strings and responses using the hard-coded key and IV value of 3A&-fg.P and the default cipher mode CBC. The encryption and decryption routines are identical with the exception of using CreateEncryptor or CreateDecryptor methods.

A simple python script is below which can be used to quickly decrypt the existing command and response data added to the GitHub issue. The script takes in a base64 encoded string and returns the decrypted result to the console.

from Crypto.Cipher import DES  
import base64  
import sys

#
# decryptor for encrypted content found on hxxps://github[.]com/getlook23/project1/issues/1
#
# Usage: python gl-decrypt.py <base64_string>
#
key = '3A&-fg.P'  
iv = '3A&-fg.P'  
des = DES.new(key, DES.MODE_CBC, iv)  
decrypted = des.decrypt(base64.b64decode(sys.argv[1]))

print 'Decrypted String: %s' % decrypted  
---- 
Example:  
$ python gl-decrypt.py AUd8X6VIYjk=
Decrypted command: whoami

Analyzing the encrypted command within the issue shows it is set to whoami. Decrypting the response data indicates that the command was changed at some point as the first two responses do not match the expected output of the 'whois' command.

1. whoami  
2. "\r\nUser accounts for \\\\JOHN-PC\r\n\r\n-------------------------------------------------------------------------------\r\nAdministrator            Guest                    John                     \r\nThe command completed successfully.\r\n\r\n----John"  
3.  "\r\nUser accounts for \\\\BEA-CHI-T-7PR01\r\n\r\n-------------------------------------------------------------------------------\r\n5upervisor               Administrator            Guest                    \r\nJohn Doe                 \r\nThe command completed successfully.\r\n\r\n----John Doe"  
4.  "john-pc\\administrator\r\n----Administrator"  
5.  "warzone1\\worker\r\n----worker"  
6.  "win7pro-maltest\\buf\r\n----BUF"  
7.  "anna-pc\\anna\r\n----anna"  
8.  "johnson-pc\\johnson\r\n----Johnson"  
9.  "klone-pc\\admin\r\n----admin"  
10. "john-pc\\john\r\n----John"  
11. "admin-win7\admin\r\n----Admin"  
12. "admin-win7\admin\r\n----Admin"  
13. "admin-win7\admin\r\n----Admin"  
14. "warzone1\worker\r\n----worker"  
15. "warzone1\worker\r\n----worker"  
16. "warzone1\worker\r\n----worker"  
17. "od-sploit\od\r\n----od"  
18. "bea-chi-t-7pr01\john doe\r\n----John Doe"  

Additionally looking at the issue shows that the command comment has been previously edited.

Additional Observations/Assumptions

The following are observations and assumptions that cannot be proven by technical analysis of the sample.

  • Analysis of the file properties and messaging that this is likely intended for English speaking users. It was interesting to see that the fonts are set to Times New Roman using Chinese. This may indicate that it was built on a non-English OS.
  • The limited functionality and the ability to easily modify the issued command, indicate this may be a 2nd stage loader used to download additional payloads sophisticated malware.
  • The initial delivery likely included information about a required VPN patch and indicates this was intended for business and not home users.

Conclusions

Overall both the dropper and payload do not include complex functionality or obfuscation/evasion characteristics. The dropper simply tricks the user into believing they are applying and update while extracting the un-obfuscated payload from the Form resources. The payload supports two specific commands (run & download) with all other commands being executed using the Windows Command Interpreter (cmd.exe). Results from commands are encrypted using the hardcoded key and iv and then posted as a new comment to the issue as the repo owner [getlook23].

The simplicity of the sample could indicate that this could be:

  • A test application
  • A tool used as part of a penetration test.
  • Part of a multi-stage loader which previously downloaded and executed additional malware.

Unfortunately, due to limited samples and other information for analysis this remains unknown.

IOCs

Although this is appears to have low distribution, the following primary indicators are added for completeness.

  • Software\Microsoft\Windows\CurrentVersion\Run
    • ExplorerConfig --> %localappdata%\explorer.exe
  • %localappdata%\update.exe
  • hxxps://github[.]com/getlook23/project1/issues/1
  • 8e84a56d5e46c903ece7fbfacd4380fc30933309
  • e1a2f786bfc0c50e9b7858283748d1f7928310d4

Additional Resources

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MSIL-HYT/detailed-analysis.aspx