In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory

In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory

Published on

Published on

Published on

Apr 16, 2024

Apr 16, 2024

Apr 16, 2024

In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory
In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory
In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory
TABLE OF CONTENTS

Hunt scans every corner of the public IPV4 space and constantly scours the Internet for open directories. Through this effort, we have amassed over 41 million files, readily available for viewing and download by users. Our continuous scanning provides unparalleled insight into the web's often-overlooked areas.

While searching for open directories hosting copies of IOX, an open-source proxy and port forwarding tool, we stumbled upon an exposed server containing two SuperShell payloads, also referred to as GOREVERSE by Google/Mandiant, and a Linux ELF Cobalt Strike beacon.

In this post, we'll navigate through the server's files and folders and unearth additional infrastructure that has already been tagged as malicious in the Hunt platform. 

A Brief Intro to SuperShell & Locating Panels

SuperShell was introduced on GitHub just over a year ago. Despite its low profile compared to other open-source C2 projects, its capabilities are no less formidable. The project's features include a Python-based server, an easy-to-use administrative panel, C2 communication over Secure Shell (SSH), and the ability to compile payloads for all major operating systems, including Android. Given its robust features, SuperShell is a framework that warrants the attention of defenders and researchers.

httpshuntioimagesblogssupershellimg-1-3webp
Figure 1: Snippet of SuperShell README on GitHub

As SuperShell operates as a web-based command and control framework, tracking its servers is relatively straightforward. At its most basic level, identifying login panels involves looking for servers whose responses feature the URI pattern /supershell/login, coupled with the presence of 'supershell' within the HTTP response.

Current Hunt members can enjoy access to various red team tools, C2 frameworks, and over 100 unique SuperShell C2 servers, all available with a few mouse clicks.

httpshuntioimagesblogssupershellimg-2-3webp
Figure 2: Screenshot of just a few SuperShell C2 servers tracked by Hunt

Inside The Open Directory

ps1 & ps2

httpshuntioimagesblogssupershellimg-3-3webp
Figure 3: Screenshot of open directory in Hunt

The above screenshot reveals the contents of the open directory, notably the IOX binary -- the initial catalyst for our investigative journey. While the directory hosts an array of files and folders, each with potential significance, today's post hones in on three specific entities: the 'ps1', 'ps2', and "test" files.

'ps1' consists of a UPX-packed ELF 64-bit Golang executable. The unpacked file is detected as SuperShell in VirusTotal and as GOREVERSE by the THOR APT Scanner (check the comments section).

httpshuntioimagesblogssupershellimg-4-3webp
Figure 4: VirusTotal results and comments for unpacked ELF file

The behavior tab in VirusTotal reveals that the backdoor establishes communication with the IP address 124.70.143[.]234 over port 3232. Discovering additional malicious infrastructure provides an opportunity to begin profiling the actor for patterns in hosting services and preferred offensive security tooling frameworks. 

httpshuntioimagesblogssupershellimg-5-3webp
Figure 5: Screenshot of the SuperShell C2 in Hunt

Figure 5 shows several open ports for the C2 infrastructure, including 5003, already detected by Hunt (the red bug image next to the magnifying glass) as ARL or Asset Reconnaissance Lighthouse, a tool designed to assist red teamers in discovering weak points in a network for exploitation.

httpshuntioimagesblogssupershellimg-6-3webp
Figure 6: Screenshot of ARL login

The SuperShell administrative login is hosted at port 8888.

httpshuntioimagesblogssupershellimg-7-3webp
Figure 7: Screenshot of SuperShell login

Interestingly, the findings for the 'ps2' file mirror those of 'ps1' exactly, including identical detections and the same C2 IP and port details; for that, we'll skip analyzing 'ps2'.

For detailed information on the properties of all files discussed in this post, please refer to the tables at the end.

test

The 'test' file, another UPX-packed ELF 64-bit executable, differs from the previous files. Detected as a Cobalt Strike beacon, it notably communicates with an IP address distinct from the SuperShell infrastructure. The VirusTotal community score and the IP address the sample reaches out to can be found below in Figure 8.

httpshuntioimagesblogssupershellimg-8-3webp
Figure 8: VirusTotal screenshot of Cobalt Strike infrastructure

The beacon connects to 8.219.177[.]40  over port 443 and uses a self-signed certificate. Unfortunately, by the time we checked this IP out, the teamserver had already been taken down.

Details of the certificate are below:

Issuer: OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US
Subject: OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US

httpshuntioimagesblogssupershellimg-9-3webp
Figure 9: Screenshot of Cobalt Strike infrastructure in Hunt

Conclusion

What started with a focused search for IOX proxy binaries in open directories soon unfolded into discovering a hidden trove of malicious files, notably SuperShell and Cobalt Strike. After analyzing the files, we identified additional threat actor infrastructure, including ARL, which implies possible reconnaissance actions on a victim system after initial access.

If you haven't already applied for a Hunt account, we invite you to do so today. Join us as we continue to pursue and unravel connections related to malicious infrastructure.

Network Indicators

IP AddressProviderIndicator
123.60.58[.]50:8888Huawei Huawei Public Cloud ServiceOpen Directory
124.70.143[.]234:8888Huawei Huawei Public Cloud ServiceSuperShell Panel
8.219.177[.]40:443Huawei Alibaba Cloud (Singapore) Private LimitedCobalt Strike C2

File Indicators

FilenameMD5
ps191757c624776224b71976ec09034e804
ps28e732006bd476ce820c9c4de14412f0d
test770a2166ff4b5ece03a42c756360bd28
iox.exe0095c9d4bc45fed4080e72bd46876efd
winlog2.exe8f2df5c6cec499f65168fae5318dc572
vagent.jar6dcfd2dd537b95a6b9eac5cb1570be27
TABLE OF CONTENTS

Hunt scans every corner of the public IPV4 space and constantly scours the Internet for open directories. Through this effort, we have amassed over 41 million files, readily available for viewing and download by users. Our continuous scanning provides unparalleled insight into the web's often-overlooked areas.

While searching for open directories hosting copies of IOX, an open-source proxy and port forwarding tool, we stumbled upon an exposed server containing two SuperShell payloads, also referred to as GOREVERSE by Google/Mandiant, and a Linux ELF Cobalt Strike beacon.

In this post, we'll navigate through the server's files and folders and unearth additional infrastructure that has already been tagged as malicious in the Hunt platform. 

A Brief Intro to SuperShell & Locating Panels

SuperShell was introduced on GitHub just over a year ago. Despite its low profile compared to other open-source C2 projects, its capabilities are no less formidable. The project's features include a Python-based server, an easy-to-use administrative panel, C2 communication over Secure Shell (SSH), and the ability to compile payloads for all major operating systems, including Android. Given its robust features, SuperShell is a framework that warrants the attention of defenders and researchers.

httpshuntioimagesblogssupershellimg-1-3webp
Figure 1: Snippet of SuperShell README on GitHub

As SuperShell operates as a web-based command and control framework, tracking its servers is relatively straightforward. At its most basic level, identifying login panels involves looking for servers whose responses feature the URI pattern /supershell/login, coupled with the presence of 'supershell' within the HTTP response.

Current Hunt members can enjoy access to various red team tools, C2 frameworks, and over 100 unique SuperShell C2 servers, all available with a few mouse clicks.

httpshuntioimagesblogssupershellimg-2-3webp
Figure 2: Screenshot of just a few SuperShell C2 servers tracked by Hunt

Inside The Open Directory

ps1 & ps2

httpshuntioimagesblogssupershellimg-3-3webp
Figure 3: Screenshot of open directory in Hunt

The above screenshot reveals the contents of the open directory, notably the IOX binary -- the initial catalyst for our investigative journey. While the directory hosts an array of files and folders, each with potential significance, today's post hones in on three specific entities: the 'ps1', 'ps2', and "test" files.

'ps1' consists of a UPX-packed ELF 64-bit Golang executable. The unpacked file is detected as SuperShell in VirusTotal and as GOREVERSE by the THOR APT Scanner (check the comments section).

httpshuntioimagesblogssupershellimg-4-3webp
Figure 4: VirusTotal results and comments for unpacked ELF file

The behavior tab in VirusTotal reveals that the backdoor establishes communication with the IP address 124.70.143[.]234 over port 3232. Discovering additional malicious infrastructure provides an opportunity to begin profiling the actor for patterns in hosting services and preferred offensive security tooling frameworks. 

httpshuntioimagesblogssupershellimg-5-3webp
Figure 5: Screenshot of the SuperShell C2 in Hunt

Figure 5 shows several open ports for the C2 infrastructure, including 5003, already detected by Hunt (the red bug image next to the magnifying glass) as ARL or Asset Reconnaissance Lighthouse, a tool designed to assist red teamers in discovering weak points in a network for exploitation.

httpshuntioimagesblogssupershellimg-6-3webp
Figure 6: Screenshot of ARL login

The SuperShell administrative login is hosted at port 8888.

httpshuntioimagesblogssupershellimg-7-3webp
Figure 7: Screenshot of SuperShell login

Interestingly, the findings for the 'ps2' file mirror those of 'ps1' exactly, including identical detections and the same C2 IP and port details; for that, we'll skip analyzing 'ps2'.

For detailed information on the properties of all files discussed in this post, please refer to the tables at the end.

test

The 'test' file, another UPX-packed ELF 64-bit executable, differs from the previous files. Detected as a Cobalt Strike beacon, it notably communicates with an IP address distinct from the SuperShell infrastructure. The VirusTotal community score and the IP address the sample reaches out to can be found below in Figure 8.

httpshuntioimagesblogssupershellimg-8-3webp
Figure 8: VirusTotal screenshot of Cobalt Strike infrastructure

The beacon connects to 8.219.177[.]40  over port 443 and uses a self-signed certificate. Unfortunately, by the time we checked this IP out, the teamserver had already been taken down.

Details of the certificate are below:

Issuer: OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US
Subject: OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US

httpshuntioimagesblogssupershellimg-9-3webp
Figure 9: Screenshot of Cobalt Strike infrastructure in Hunt

Conclusion

What started with a focused search for IOX proxy binaries in open directories soon unfolded into discovering a hidden trove of malicious files, notably SuperShell and Cobalt Strike. After analyzing the files, we identified additional threat actor infrastructure, including ARL, which implies possible reconnaissance actions on a victim system after initial access.

If you haven't already applied for a Hunt account, we invite you to do so today. Join us as we continue to pursue and unravel connections related to malicious infrastructure.

Network Indicators

IP AddressProviderIndicator
123.60.58[.]50:8888Huawei Huawei Public Cloud ServiceOpen Directory
124.70.143[.]234:8888Huawei Huawei Public Cloud ServiceSuperShell Panel
8.219.177[.]40:443Huawei Alibaba Cloud (Singapore) Private LimitedCobalt Strike C2

File Indicators

FilenameMD5
ps191757c624776224b71976ec09034e804
ps28e732006bd476ce820c9c4de14412f0d
test770a2166ff4b5ece03a42c756360bd28
iox.exe0095c9d4bc45fed4080e72bd46876efd
winlog2.exe8f2df5c6cec499f65168fae5318dc572
vagent.jar6dcfd2dd537b95a6b9eac5cb1570be27

Related Posts:

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.