In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory

Published on Apr 16, 2024

Hunt scans every corner of the public IPv4 space and constantly scours the Internet for open directories. Through this effort, we have amassed over 41 million files, readily available for viewing and download by users. Our continuous scanning provides unparalleled insight into the web's often-overlooked areas.

While searching for open directories hosting copies of IOX, an open-source proxy and port forwarding tool, we stumbled upon an exposed server containing two SuperShell payloads, also referred to as GOREVERSE by Google/Mandiant, and a Linux ELF Cobalt Strike beacon.

In this post, we'll navigate through the server's files and folders and unearth additional infrastructure that has already been tagged as malicious in the Hunt platform.

A Brief Intro to SuperShell & Locating Panels

SuperShell was introduced on GitHub just over a year ago. Despite its low profile compared to other open-source C2 projects, its capabilities are no less formidable. The project's features include a Python-based server, an easy-to-use administrative panel, C2 communication over Secure Shell (SSH), and the ability to compile payloads for all major operating systems, including Android. Given its robust features, SuperShell is a framework that warrants the attention of defenders and researchers.

Figure 1: Snippet of SuperShell README on GitHub

As SuperShell operates as a web-based command and control framework, tracking its servers is relatively straightforward. At its most basic level, identifying login panels involves looking for servers whose responses feature the URI pattern /supershell/login, coupled with the presence of 'supershell' within the HTTP response.
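The two-part fingerprint above (a '/supershell/login' URI plus the string 'supershell' somewhere in the response) is easy to turn into a classifier for captured HTTP responses. The code below is an added example with constructed sample responses; it is not Hunt's scanner code, and the sample responses are not from the server in this post.

```python
"""Classify raw HTTP/1.x responses against the SuperShell panel fingerprint:
the URI '/supershell/login' in the response and the string 'supershell' in it.
Added example; the sample responses are constructed, not captured traffic."""
from typing import Dict, List, Tuple


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw response into (status code, lowercase header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", errors="replace")


def supershell_indicators(raw: bytes) -> List[str]:
    """Return which of the two fingerprint features appear in the response."""
    _status, headers, body = parse_http_response(raw)
    location = headers.get("location", "")
    hits = []
    if "/supershell/login" in location or "/supershell/login" in body:
        hits.append("uri:/supershell/login")
    if "supershell" in location.lower() or "supershell" in body.lower():
        hits.append("string:supershell")
    return hits


def is_supershell_panel(raw: bytes) -> bool:
    """Both features must be present, matching the basic rule described in the post."""
    hits = supershell_indicators(raw)
    return "uri:/supershell/login" in hits and "string:supershell" in hits


# Constructed samples: a redirect to the login URI, a login page, and a benign page.
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: /supershell/login\r\nContent-Length: 0\r\n\r\n"
LOGIN_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b"<html><head><title>SuperShell</title></head><body>"
              b'<form action="/supershell/login" method="post"></form></body></html>')
BENIGN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Welcome</body></html>"

if __name__ == "__main__":
    for name, sample in (("redirect", REDIRECT), ("login", LOGIN_PAGE), ("benign", BENIGN)):
        print(name, is_supershell_panel(sample), supershell_indicators(sample))
```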

Current Hunt members can enjoy access to various red team tools, C2 frameworks, and over 100 unique SuperShell C2 servers, all available with a few mouse clicks.

Figure 2: Screenshot of just a few SuperShell C2 servers tracked by Hunt

Inside The Open Directory

ps1 & ps2

Figure 3: Screenshot of open directory in Hunt

The above screenshot reveals the contents of the open directory, notably the IOX binary -- the initial catalyst for our investigative journey. While the directory hosts an array of files and folders, each with potential significance, today's post focuses on three specific entities: the 'ps1', 'ps2', and 'test' files.

'ps1' consists of a UPX-packed ELF 64-bit Golang executable. The unpacked file is detected as SuperShell in VirusTotal and as GOREVERSE by the THOR APT Scanner (check the comments section).

Figure 4: VirusTotal results and comments for unpacked ELF file

The behavior tab in VirusTotal reveals that the backdoor establishes communication with the IP address 124.70.143[.]234 over port 3232. Discovering additional malicious infrastructure provides an opportunity to begin profiling the actor for patterns in hosting services and preferred offensive security tooling frameworks.

Figure 5: Screenshot of the SuperShell C2 in Hunt

Figure 5 shows several open ports for the C2 infrastructure, including 5003, already detected by Hunt (the red bug image next to the magnifying glass) as ARL or Asset Reconnaissance Lighthouse, a tool designed to assist red teamers in discovering weak points in a network for exploitation.

Figure 6: Screenshot of ARL login

The SuperShell administrative login is hosted at port 8888.

Figure 7: Screenshot of SuperShell login

Interestingly, the findings for the 'ps2' file mirror those of 'ps1' exactly, including identical detections and the same C2 IP and port details, so we'll skip a separate analysis of 'ps2'.

For detailed information on the properties of all files discussed in this post, please refer to the tables at the end.

test

The 'test' file, another UPX-packed ELF 64-bit executable, differs from the previous files. Detected as a Cobalt Strike beacon, it notably communicates with an IP address distinct from the SuperShell infrastructure. The VirusTotal community score and the IP address the sample reaches out to can be found below in Figure 8.

Figure 8: VirusTotal screenshot of Cobalt Strike infrastructure

The beacon connects to 8.219.177[.]40 over port 443 and uses a self-signed certificate. Unfortunately, by the time we checked this IP out, the teamserver had already been taken down.

Details of the certificate are below:

Issuer: OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US
Subject: OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US
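A defender-side check for the certificate pattern above, added here as an example (not the Hunt platform's own logic): it parses issuer and subject strings, flags a certificate as self-signed when the two match, and flags a subject that matches the jQuery-themed DN from this post. The DN strings are constructed from the text, not fetched from a live host, and the `dn_from_peercert` helper covers the nested-tuple form Python's `ssl.getpeercert()` returns.

```python
"""Check TLS certificate issuer/subject strings for the self-signed, jQuery-themed
pattern observed on the Cobalt Strike server in this post. Added example; the DN
strings are constructed from the text, not fetched from a live host."""
from typing import Dict, List, Tuple

# Subject observed on the 8.219.177[.]40 certificate (values taken from this post).
SUSPECT_DN = {"OU": "Certificate Authority", "CN": "jquery.com", "O": "jQuery", "C": "US"}

# ssl.getpeercert() reports long attribute names; map them to the short forms used above.
_SHORT_NAMES = {"countryName": "C", "organizationName": "O",
                "organizationalUnitName": "OU", "commonName": "CN"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a 'K=V, K=V' distinguished name string into a dict of attribute -> value."""
    parsed = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            parsed[key.strip().upper()] = value.strip()
    return parsed


def dn_from_peercert(rdns: Tuple) -> Dict[str, str]:
    """Flatten the nested tuples ssl.getpeercert() uses for 'issuer' and 'subject'."""
    return {_SHORT_NAMES.get(name, name): value for rdn in rdns for name, value in rdn}


def assess_certificate(issuer: str, subject: str) -> List[str]:
    """Return the reasons a certificate looks suspicious; an empty list means none fired."""
    iss, sub = parse_dn(issuer), parse_dn(subject)
    reasons = []
    if iss == sub:
        reasons.append("self-signed: issuer equals subject")
    if all(sub.get(k) == v for k, v in SUSPECT_DN.items()):
        reasons.append("subject matches the jQuery-themed DN seen on the Cobalt Strike C2")
    return reasons


if __name__ == "__main__":
    dn = "OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US"  # constructed from the post
    for reason in assess_certificate(dn, dn):
        print(reason)
```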

Figure 9: Screenshot of Cobalt Strike infrastructure in Hunt

Conclusion

What started with a focused search for IOX proxy binaries in open directories soon unfolded into discovering a hidden trove of malicious files, notably SuperShell and Cobalt Strike. After analyzing the files, we identified additional threat actor infrastructure, including ARL, which implies possible reconnaissance actions on a victim system after initial access.

If you haven't already applied for a Hunt account, we invite you to do so today. Join us as we continue to pursue and unravel connections related to malicious infrastructure.

Network Indicators

IP Address            | Provider                                         | Indicator
123.60.58[.]50:8888   | Huawei Huawei Public Cloud Service               | Open Directory
124.70.143[.]234:8888 | Huawei Huawei Public Cloud Service               | SuperShell Panel
8.219.177[.]40:443    | Huawei Alibaba Cloud (Singapore) Private Limited | Cobalt Strike C2

File Indicators

Filename    | MD5
ps1         | 91757c624776224b71976ec09034e804
ps2         | 8e732006bd476ce820c9c4de14412f0d
test        | 770a2166ff4b5ece03a42c756360bd28
iox.exe     | 0095c9d4bc45fed4080e72bd46876efd
winlog2.exe | 8f2df5c6cec499f65168fae5318dc572
vagent.jar  | 6dcfd2dd537b95a6b9eac5cb1570be27