In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory
April 16, 2024
TABLE OF CONTENTS
Hunt scans every corner of the public IPV4 space and constantly scours the Internet for open directories. Through this effort, we have amassed over 41 million files, readily available for viewing and download by users. Our continuous scanning provides unparalleled insight into the web's often-overlooked areas.
While searching for open directories hosting copies of IOX, an open-source proxy and port forwarding tool, we stumbled upon an exposed server containing two SuperShell payloads, also referred to as GOREVERSE by Google/Mandiant, and a Linux ELF Cobalt Strike beacon.
In this post, we’ll navigate through the server's files and folders and unearth additional infrastructure that has already been tagged as malicious in the Hunt platform.
A Brief Intro to SuperShell & Locating Panels
SuperShell was introduced on GitHub just over a year ago. Despite its low profile compared to other open-source C2 projects, its capabilities are no less formidable. The project’s features include a Python-based server, an easy-to-use administrative panel, C2 communication over Secure Shell (SSH), and the ability to compile payloads for all major operating systems, including Android. Given its robust features, SuperShell is a framework that warrants the attention of defenders and researchers.
Figure 1: Snippet of SuperShell README on GitHub
As SuperShell operates as a web-based command and control framework, tracking its servers is relatively straightforward. At its most basic level, identifying login panels involves looking for servers whose responses feature the URI pattern /supershell/login, coupled with the presence of 'supershell' within the HTTP response.
Current Hunt members can enjoy access to various red team tools, C2 frameworks, and over 100 unique SuperShell C2 servers, all available with a few mouse clicks.
Figure 2: Screenshot of just a few SuperShell C2 servers tracked by Hunt
Inside The Open Directory
ps1 & ps2
Figure 3: Screenshot of open directory in Hunt
The above screenshot reveals the contents of the open directory, notably the IOX binary – the initial catalyst for our investigative journey. While the directory hosts an array of files and folders, each with potential significance, today’s post hones in on three specific entities: the ‘ps1’, ‘ps2’, and "test" files.
‘ps1’ consists of a UPX-packed ELF 64-bit Golang executable. The unpacked file is detected as SuperShell in VirusTotal and as GOREVERSE by the THOR APT Scanner (check the comments section).
Figure 4: VirusTotal results and comments for unpacked ELF file
The behavior tab in VirusTotal reveals that the backdoor establishes communication with the IP address 124.70.143[.]234 over port 3232. Discovering additional malicious infrastructure provides an opportunity to begin profiling the actor for patterns in hosting services and preferred offensive security tooling frameworks.
Figure 5: Screenshot of the SuperShell C2 in Hunt
Figure 5 shows several open ports for the C2 infrastructure, including 5003, already detected by Hunt (the red bug image next to the magnifying glass) as ARL or Asset Reconnaissance Lighthouse, a tool designed to assist red teamers in discovering weak points in a network for exploitation.
Figure 6: Screenshot of ARL login
The SuperShell administrative login is hosted at port 8888.
Figure 7: Screenshot of SuperShell login
Interestingly, the findings for the 'ps2' file mirror those of 'ps1' exactly, including identical detections and the same C2 IP and port details; for that, we’ll skip analyzing ‘ps2’.
For detailed information on the properties of all files discussed in this post, please refer to the tables at the end.
test
The 'test' file, another UPX-packed ELF 64-bit executable, differs from the previous files. Detected as a Cobalt Strike beacon, it notably communicates with an IP address distinct from the SuperShell infrastructure. The VirusTotal community score and the IP address the sample reaches out to can be found below in Figure 8.
Figure 8: VirusTotal screenshot of Cobalt Strike infrastructure
The beacon connects to 8.219.177[.]40 over port 443 and uses a self-signed certificate. Unfortunately, by the time we checked this IP out, the teamserver had already been taken down.
Details of the certificate are below:
Issuer: OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US
Subject: OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US
Figure 9: Screenshot of Cobalt Strike infrastructure in Hunt
Conclusion
What started with a focused search for IOX proxy binaries in open directories soon unfolded into discovering a hidden trove of malicious files, notably SuperShell and Cobalt Strike. After analyzing the files, we identified additional threat actor infrastructure, including ARL, which implies possible reconnaissance actions on a victim system after initial access.
If you haven't already applied for a Hunt account, we invite you to do so today. Join us as we continue to pursue and unravel connections related to malicious infrastructure.
Network Indicators
| IP Address | Provider | Indicator |
|---|---|---|
| 123.60.58[.]50:8888 |  Huawei Public Cloud Service |
Open Directory |
| 124.70.143[.]234:8888 | Huawei Public Cloud Service |
SuperShell Panel |
| 8.219.177[.]40:443 |  Alibaba Cloud (Singapore) Private Limited |
Cobalt Strike C2 |
File Indicators
| Filename | MD5 |
|---|---|
| ps1 | 91757c624776224b71976ec09034e804 |
| ps2 | 8e732006bd476ce820c9c4de14412f0d |
| test | 770a2166ff4b5ece03a42c756360bd28 |
| iox.exe | 0095c9d4bc45fed4080e72bd46876efd |
| winlog2.exe | 8f2df5c6cec499f65168fae5318dc572 |
| vagent.jar | 6dcfd2dd537b95a6b9eac5cb1570be27 |
Ready to get started?
We can help you unravel networks of threat actor infrastructure blending into hosting providers.
Get a Free Demo Today