In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory

April 16, 2024

Hunt scans every corner of the public IPv4 space and constantly scours the Internet for open directories. Through this effort, we have amassed over 41 million files, available to Hunt users for viewing and download. Our continuous scanning provides unparalleled insight into the web's often-overlooked areas.

While searching for open directories hosting copies of IOX, an open-source proxy and port forwarding tool, we stumbled upon an exposed server containing two SuperShell payloads, also referred to as GOREVERSE by Google/Mandiant, and a Linux ELF Cobalt Strike beacon.

In this post, we'll walk through the server's files and folders and unearth additional infrastructure that has already been tagged as malicious in the Hunt platform.

A Brief Intro to SuperShell & Locating Panels

SuperShell was introduced on GitHub just over a year ago. Despite its low profile compared to other open-source C2 projects, its capabilities are no less formidable. The project’s features include a Python-based server, an easy-to-use administrative panel, C2 communication over Secure Shell (SSH), and the ability to compile payloads for all major operating systems, including Android. Given its robust features, SuperShell is a framework that warrants the attention of defenders and researchers.

Figure 1: Snippet of SuperShell README on GitHub

Because SuperShell is a web-based command and control framework, tracking its servers is relatively straightforward. At its most basic level, identifying login panels means looking for servers whose HTTP responses contain the URI pattern /supershell/login together with the string 'supershell'.
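
The panel rule above, applied to a captured HTTP response, as an added example (this is not Hunt's scanner code). The two indicators, the /supershell/login URI and the 'supershell' string, are the ones the post names; the minimal HTTP/1.x response parser and the two sample responses are constructed for the example.

```python
"""Check a captured HTTP response for the SuperShell login-panel fingerprint.

Added example for this post; it is not Hunt's scanner code. The two
indicators come from the text (the URI /supershell/login and the string
'supershell' somewhere in the response). The minimal response parser and
the two sample responses are constructed for the example.
"""
from __future__ import annotations

import re

SUPERSHELL_URI = "/supershell/login"
SUPERSHELL_TOKEN = "supershell"


def parse_http_response(raw: bytes) -> tuple[int, dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased. The body is decoded leniently because a
    fingerprint check only needs substring matches, not a faithful decode.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError(f"not an HTTP response: {lines[0]!r}")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body.decode("utf-8", errors="replace")


def fingerprint(raw: bytes) -> dict:
    """Evaluate both SuperShell indicators against one response.

    login_uri: the response redirects to, or links to, /supershell/login.
    token:     'supershell' appears anywhere in the headers or body (the URI
               itself contains the token, so a Location redirect satisfies
               both; a page title such as <title>Supershell</title> is the
               other common way the token shows up).
    """
    status, headers, body = parse_http_response(raw)
    body_lc = body.lower()
    header_blob = " ".join(f"{k}: {v}" for k, v in headers.items()).lower()
    return {
        "status": status,
        "login_uri": SUPERSHELL_URI in headers.get("location", "").lower()
        or SUPERSHELL_URI in body_lc,
        "token": SUPERSHELL_TOKEN in header_blob or SUPERSHELL_TOKEN in body_lc,
    }


def looks_like_supershell_panel(raw: bytes) -> bool:
    """Apply the rule from the post: URI pattern AND the token must both match."""
    fp = fingerprint(raw)
    return bool(fp["login_uri"] and fp["token"])


# Constructed sample responses (not captures from the servers in the post).
SAMPLE_PANEL = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: nginx\r\n"
    b"Location: /supershell/login\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>Supershell</title></head><body></body></html>"
)
SAMPLE_BENIGN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>Welcome</title></head><body>Login</body></html>"
)

if __name__ == "__main__":
    for name, raw in (("panel", SAMPLE_PANEL), ("benign", SAMPLE_BENIGN)):
        print(name, fingerprint(raw), looks_like_supershell_panel(raw))
```

Both conditions are required before a host is labelled, which keeps a page that merely mentions the word 'supershell' from being counted as a panel; the redirect-to-login behaviour is the stronger of the two signals.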

Current Hunt members can enjoy access to various red team tools, C2 frameworks, and over 100 unique SuperShell C2 servers, all available with a few mouse clicks.

Figure 2: Screenshot of just a few SuperShell C2 servers tracked by Hunt

Inside The Open Directory

ps1 & ps2

Figure 3: Screenshot of open directory in Hunt

The above screenshot reveals the contents of the open directory, notably the IOX binary, the initial catalyst for our investigation. While the directory hosts an array of files and folders, each with potential significance, today's post focuses on three specific files: 'ps1', 'ps2', and 'test'.

'ps1' is a UPX-packed ELF 64-bit Golang executable. The unpacked file is detected as SuperShell in VirusTotal and as GOREVERSE by the THOR APT Scanner (see the VirusTotal comments section).

Figure 4: VirusTotal results and comments for unpacked ELF file

The behavior tab in VirusTotal reveals that the backdoor communicates with the IP address 124.70.143[.]234 over port 3232. Discovering additional malicious infrastructure provides an opportunity to begin profiling the actor for patterns in hosting services and preferred offensive tooling.

Figure 5: Screenshot of the SuperShell C2 in Hunt

Figure 5 shows several open ports on the C2 infrastructure, including 5003, already detected by Hunt (the red bug icon next to the magnifying glass) as ARL (Asset Reconnaissance Lighthouse), a tool designed to help red teamers discover weak points in a network for exploitation.

Figure 6: Screenshot of ARL login

The SuperShell administrative login is hosted at port 8888.

Figure 7: Screenshot of SuperShell login

Interestingly, the findings for the 'ps2' file mirror those of 'ps1' exactly, including identical detections and the same C2 IP and port; for that reason, we'll skip a separate analysis of 'ps2'.

For detailed information on the properties of all files discussed in this post, please refer to the tables at the end.

test

The 'test' file, another UPX-packed ELF 64-bit executable, differs from the previous two. Detected as a Cobalt Strike beacon, it communicates with an IP address distinct from the SuperShell infrastructure. The VirusTotal community score and the IP address the sample reaches out to are shown in Figure 8.
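
All three files ('ps1', 'ps2' and 'test') are described as UPX-packed 64-bit ELF executables, so the first triage questions are the same for each: is it an ELF, which class and machine, does it carry UPX packer markers, and does its MD5 match a published indicator. The following is an added example of that triage, not Hunt's tooling; the ELF header offsets and the UPX marker strings are documented formats, the MD5 set is copied from the File Indicators table at the end of the post, and the sample image built inside the block is constructed (it is none of the files from the directory).

```python
"""Static triage for the ELF files in the directory: ELF class and machine
from the header, UPX packer markers, and the MD5 for comparison with the
File Indicators table.

Added example for this post, not Hunt's tooling. The ELF e_ident layout,
the e_machine field and the UPX marker strings are documented formats;
the sample image built below is constructed and is not ps1, ps2 or test.
"""
from __future__ import annotations

import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
# e_machine values worth recognising in Linux malware triage (ELF spec values).
ELF_MACHINE = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}
# UPX stores "UPX!" as the magic of its loader-info block and usually keeps a
# readable banner; either one is a strong hint that the file is packed and
# that static Go/string analysis should wait until after `upx -d`.
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX")
# MD5s from the post's File Indicators table (ps1, ps2, test).
POST_FILE_MD5 = {
    "91757c624776224b71976ec09034e804",
    "8e732006bd476ce820c9c4de14412f0d",
    "770a2166ff4b5ece03a42c756360bd28",
}


def triage(data: bytes) -> dict:
    """Return header facts, packer hints and the MD5 for one file image."""
    result = {
        "md5": hashlib.md5(data).hexdigest(),
        "is_elf": data[:4] == ELF_MAGIC,
        "elf_class": None,
        "machine": None,
        "upx_markers": [m.decode() for m in UPX_MARKERS if m in data],
    }
    if result["is_elf"] and len(data) >= 20:
        ei_class, ei_data = data[4], data[5]      # EI_CLASS, EI_DATA (1 = LE, 2 = BE)
        endian = "<" if ei_data == 1 else ">"
        (e_machine,) = struct.unpack_from(endian + "H", data, 18)   # same offset in ELF32/64
        result["elf_class"] = ELF_CLASS.get(ei_class, f"unknown({ei_class})")
        result["machine"] = ELF_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})")
    return result


def matches_indicator(data: bytes, known_md5: set[str] = POST_FILE_MD5) -> bool:
    """True when the file's MD5 is in the indicator set."""
    return hashlib.md5(data).hexdigest() in known_md5


def build_sample_elf64(packed: bool) -> bytes:
    """Constructed minimal ELF64 x86-64 image, optionally carrying UPX markers.

    Only e_ident, e_type and e_machine are meaningful; the rest is zero
    padding, so the image is not executable and exists only to exercise
    the checks above.
    """
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    header = ident + struct.pack("<HHI", 2, 0x3E, 1)      # ET_EXEC, EM_X86_64, EV_CURRENT
    header += bytes(64 - len(header))                     # pad to the 64-byte ELF64 header
    body = bytes(64)
    if packed:
        body += b"UPX!" + bytes(8) + b"$Info: This file is packed with the UPX executable packer\n"
    return header + body


if __name__ == "__main__":
    for label, image in (("packed", build_sample_elf64(True)), ("plain", build_sample_elf64(False))):
        print(label, triage(image), "known indicator:", matches_indicator(image))
```

Note that the MD5 comparison is only useful against the packed file as it sits in the directory; once the sample is unpacked with `upx -d` its hash changes, which is why the detections the post cites (SuperShell, GOREVERSE) were made on the unpacked file rather than by hash.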

Figure 8: VirusTotal screenshot of Cobalt Strike infrastructure

The beacon connects to 8.219.177[.]40 over port 443 and uses a self-signed certificate. Unfortunately, by the time we checked this IP, the teamserver had already been taken down.

Details of the certificate are below:

Issuer: OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US
Subject: OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US
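
The certificate above has two properties worth turning into a check: the issuer and subject DNs are identical (self-signed), and the Common Name borrows a well-known domain. The following is an added example of that check, not Hunt's detection logic. The two DN strings are quoted from the certificate details above; the DN parser, the record layout, the benign comparison record and the watchlist (seeded only with the name from this post) are constructed.

```python
"""Flag TLS certificates shaped like the one on the Cobalt Strike server
above: self-signed (issuer identical to subject) and dressed up with a
well-known domain as the Common Name.

Added example for this post, not Hunt's detection logic. The two DN
strings for the beacon's certificate are quoted from the text; the DN
parser, the record layout and the benign record are constructed, and the
well-known-CN watchlist is seeded only with the name from the post.
"""
from __future__ import annotations

# Names an analyst would not expect to see on a self-signed certificate.
# Constructed watchlist, seeded from the certificate in the post.
WELL_KNOWN_CNS = {"jquery.com"}


def parse_dn(dn: str) -> dict[str, str]:
    """Parse an OpenSSL-style DN ('OU=..., CN=..., O=..., C=...') into a dict.

    Attribute order is irrelevant for the issuer/subject comparison, so a
    dict suffices. Escaped commas inside values are not handled; this is a
    triage helper, not an RFC 4514 parser.
    """
    parts: dict[str, str] = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN in DN: {rdn!r}")
        parts[key.strip().upper()] = value.strip()
    return parts


def is_self_signed(issuer: str, subject: str) -> bool:
    """A certificate whose issuer DN equals its subject DN signed itself."""
    return parse_dn(issuer) == parse_dn(subject)


def assess_certificate(record: dict) -> list[str]:
    """Return the reasons a certificate record deserves analyst attention."""
    reasons = []
    if is_self_signed(record["issuer"], record["subject"]):
        reasons.append("self-signed (issuer == subject)")
        cn = parse_dn(record["subject"]).get("CN", "")
        if cn in WELL_KNOWN_CNS:
            reasons.append(f"self-signed certificate claims well-known CN {cn}")
    return reasons


# Constructed records in the shape of a TLS-inspection log: ip, port, DNs.
BEACON_CERT = {
    "ip": "8.219.177[.]40", "port": 443,
    "issuer": "OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US",
    "subject": "OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US",
}
BENIGN_CERT = {
    "ip": "192.0.2.10", "port": 443,   # RFC 5737 documentation address
    "issuer": "C=US, O=Example CA, CN=Example Intermediate CA",
    "subject": "C=US, O=Example Corp, CN=www.example.com",
}

if __name__ == "__main__":
    for rec in (BEACON_CERT, BENIGN_CERT):
        print(rec["ip"], rec["port"], assess_certificate(rec) or "no findings")
```

A self-signed certificate on its own is common enough (internal services, appliances) that it is a weak signal; the combination with a brand-name CN that no public CA issued is what makes a record worth an analyst's time, and the watchlist is the part a team would grow from its own sightings.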

Figure 9: Screenshot of Cobalt Strike infrastructure in Hunt

Conclusion

What started with a focused search for IOX proxy binaries in open directories soon unfolded into discovering a hidden trove of malicious files, notably SuperShell and Cobalt Strike. After analyzing the files, we identified additional threat actor infrastructure, including ARL, which implies possible reconnaissance actions on a victim system after initial access.

If you haven't already applied for a Hunt account, we invite you to do so today. Join us as we continue to pursue and unravel connections related to malicious infrastructure.

Network Indicators

IP Address               Provider                                           Indicator
123.60.58[.]50:8888      Huawei Huawei Public Cloud Service                 Open Directory
124.70.143[.]234:8888    Huawei Huawei Public Cloud Service                 SuperShell Panel
8.219.177[.]40:443       Huawei Alibaba Cloud (Singapore) Private Limited   Cobalt Strike C2
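
To put the indicators above to use, they have to be refanged and matched against connection logs. The following is an added example of that workflow, not Hunt's code. The indicator list combines the table above with the two ports observed earlier in the post (3232 for the 'ps1' callback and 5003 for ARL, both on the SuperShell host); the log lines and the log format (timestamp, source, 'destination:port') are constructed.

```python
"""Refang the defanged network indicators above and run them over
connection-log lines.

Added example for this post, not Hunt's code. The indicators come from the
table and from the port observations earlier in the post (3232 for the
SuperShell C2 callback, 5003 for ARL); the log lines and the log format
(timestamp, source, 'destination:port') are constructed.
"""
from __future__ import annotations

import re

# Indicators as published in the post (defanged), with their labels.
INDICATORS = {
    "123.60.58[.]50:8888": "Open Directory",
    "124.70.143[.]234:8888": "SuperShell Panel",
    "124.70.143[.]234:3232": "SuperShell C2 callback (from the ps1 sandbox run)",
    "124.70.143[.]234:5003": "ARL (Asset Reconnaissance Lighthouse) login",
    "8.219.177[.]40:443": "Cobalt Strike C2",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)


def refang(ioc: str) -> str:
    """Reverse common defanging so the value can be compared with live data."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def build_lookup(indicators: dict[str, str]) -> dict[tuple[str, int], str]:
    """Map (ip, port) -> label so each log line costs one dict lookup."""
    lookup: dict[tuple[str, int], str] = {}
    for ioc, label in indicators.items():
        ip, _, port = refang(ioc).rpartition(":")
        lookup[(ip, int(port))] = label
    return lookup


def match_log(lines: list[str], lookup: dict[tuple[str, int], str]) -> list[dict]:
    """Return a hit per line whose destination is a listed host.

    An exact (ip, port) match is reported with confidence 'exact'; traffic to
    a listed IP on an unlisted port is still reported, as 'host', because the
    post shows the same host serving the panel, the C2 port and ARL.
    """
    listed_ips = {ip for ip, _ in lookup}
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip lines that are not in the expected shape
        dst, port = m["dst"], int(m["port"])
        if (dst, port) in lookup:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": dst, "port": port,
                         "label": lookup[(dst, port)], "confidence": "exact"})
        elif dst in listed_ips:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": dst, "port": port,
                         "label": "listed host, unlisted port", "confidence": "host"})
    return hits


# Constructed connection-log lines (not real traffic).
SAMPLE_LOG = [
    "2024-04-10T08:00:01Z 10.0.0.5 -> 124.70.143.234:3232",
    "2024-04-10T08:00:07Z 10.0.0.5 -> 8.219.177.40:443",
    "2024-04-10T08:01:00Z 10.0.0.7 -> 192.0.2.50:443",
    "2024-04-10T08:02:15Z 10.0.0.9 -> 124.70.143.234:22",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, build_lookup(INDICATORS)):
        print(hit)
```

The host-level match matters for infrastructure like this: the post shows one IP carrying the SuperShell panel, the beacon callback port and an ARL instance, so a connection to that host on any port is worth a look even when the exact port is not in the list.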

File Indicators

Filename       MD5
ps1            91757c624776224b71976ec09034e804
ps2            8e732006bd476ce820c9c4de14412f0d
test           770a2166ff4b5ece03a42c756360bd28
iox.exe        0095c9d4bc45fed4080e72bd46876efd
winlog2.exe    8f2df5c6cec499f65168fae5318dc572
vagent.jar     6dcfd2dd537b95a6b9eac5cb1570be27
