HackerSecret.com - The Most Authoritative Site in the World on the Hacking Tools and Techniques, Penetration Testing and CyberSecurity

  • Home
  • Visit Our Shop
  • Download the free App
  • Contact us for Info
VISIT OUR SHOP! CLICK HERE !

Decrypting L0rdix RAT’s C2

by / Monday, 02 September 2019 / Published in Hacking
Share
Tweet
Pin
0 Shares

In my previous blog post on L0rdix RAT, I took a look at its panel and builder components that have been circulating through underground forums recently. As part of that analysis, I identified a key (“3sc3RLrpd17”) which was embedded in one of the PHP pages in L0rdix’s panel. A SHA-256 hash is calculated of this key, which is used as the AES key to encrypt and decrypt L0rdix’s command and control (C2) communications. When a sample is generated using L0rdix’s builder, the operator is able to decide this key.

In this post, I examine L0rdix’s C2 encryption and decryption functions in more detail and discuss how to automate the task of identifying, decrypting and extracting L0rdix C2 traffic from a PCAP using Python.

L0rdix’s configuration structure

L0rdix’s configuration contains 10 fields, which are encrypted and sent as URL query strings in a HTTP POST request to the connect.php page of the panel. The configuration settings of deployed bots are updated by sending similar POST requests to the bots from the panel.

Query String Configuration Field
h= Hardware ID
o= Operating system
c= CPU
g= GPU
w= Installed antivirus
p= Privileges of current user
r= Hash rate
f= L0rdix profile in use
rm= RAM
d= Drives

 

L0rdix C2 encryption and decryption steps

L0rdix encrypts its C2 communications using the following steps:

  1. Encrypts the plaintext using AES in Cipher Block Chaining (CBC) mode with a 256-bit key and 16-byte initialisation vector (IV).
  2. Base64 encodes the ciphertext.
  3. Replaces plus (+) characters with tildes (~).
  4. URL encodes the ciphertext.

Figure 1 – L0rdix RAT’s C# encryption function.

For example, the ciphertext of “Windows 7 Enterprise” looks like this:

  • buNpZksa9PSEshjHiM9XNI84ku2X6Zy2Syr7zdzvxMM%3d

We can decrypt the ciphertext by performing the encryption actions in reverse:

  • buNpZksa9PSEshjHiM9XNI84ku2X6Zy2Syr7zdzvxMM= (After URL decoding)
  • 6ee369664b1af4f484b218c788cf57348f3892ed97e99cb64b2afbcddcefc4c3 (Hex representation after Base64 decoding)
  • Windows 7 Enterprise (After AES decryption)

Default key or single operator

After analysing more L0rdix samples in the wild, it became clear that many of them use the key found in the leaked panel to encrypt their C2 channels. There are two realistic possibilities for the re-occurrence of this key:

  1. “3sc3RLrpd17” is the default key that the RAT panel is supplied with from its author and several buyers have not changed it.
  2. The L0rdix samples that use this key are bots controlled by a single operator. Based on the implementation of the encryption and decryption functions, each L0rdix panel operator must use the same key for every bot they control.

There is stronger evidence to indicate that the first possibility is true. For instance, the key is referenced in a coding tutorial on how to encrypt and decrypt data using AES in C# and PHP. L0rdix’s server side encryption and decryption functions closely resemble those in the tutorial, sharing the method (AES-CBC 256), IV (16 null bytes), key (“3sc3RLrpd17”) and programming languages used (C# and PHP). L0rdix’s author may have copied the tutorial’s encryption implementation and decided not to change the key.

Figure 2 – L0rdix panel’s PHP decryption function, including the suspected default operator key.

Figure 3 – Coding tutorial on AES-256 encryption and decryption in PHP.

Automating L0rdix C2 decryption with decrypt_l0rdix_c2.py

Since L0rdix uses symmetric key encryption it was possible to write a Python script (decrypt_l0rdix_c2.py) to parse a PCAP containing L0rdix C2 traffic and decrypt it. The script first identifies L0rdix traffic based on its expected structure by parsing a PCAP using the Pyshark library. For example, since L0rdix has 10 fields in its configuration, there should be at least 10 query strings in a L0rdix C2 URL. The query strings are identified and decoded into a ciphertext before being run through an AES decryption function using the Pycryptodome library.

The script also extracts screenshots that L0rdix RAT periodically takes of infected systems. The traffic is decrypted using the suspected default operator key (“3sc3RLrpd17”), or a user supplied key using the optional -k argument. You can extract the operator key from a L0rdix bot using static analysis. If a L0rdix operator has not changed the operator key from the default one, any captured C2 traffic between their bots and the admin panel can be decrypted using decrypt_l0rdix_c2.py. The script is available to download from GitHub.

Figures 4 and 5 show the output from running the script against L0rdix C2 traffic:

  • decrypt_l0rdix_c2.py -p l0rdix_c2.pcap

Figure 4 – Output from decrypt_l0rdix_c2.py showing identified L0rdix traffic.

Figure 5 – Output from decrypt_l0rdix_c2.py showing extracted screenshots and decrypted traffic. You can see the decrypted values of L0rdix’s configuration.

The post Decrypting L0rdix RAT’s C2 appeared first on Bromium.

Bromium

Share
Tweet
Pin
0 Shares
Tagged under: Decrypting

Click here now to visit our Shop!

Click here now to visit our Shop!

Other 2300 users like you have already done it this year!

Choose the product you need here!

  • THE FIRST TRUE ANDROID SMARTPHONE FOR HACKING WITHOUT ROOT UNIQUE IN THE WORLD WITH ALL THE APPS !!! 499,99€ 249,99€
  • HACKER LIBRARY THE LARGEST COLLECTION OF BOOKS AND MANUALS ON HACKING + 100 !!! 99,99€ 49,99€
  • HACK SOCIAL THE GUIDE TO HACK ALL THE SOCIAL ACCOUNTS 99,99€ 49,99€
  • HACKER PACK FOR YOUR SMARTPHONE AND YOUR TABLET WITH ROOT GUIDE AND + 100 PROGRAMS !!! 99,99€ 49,99€
  • THE FIRST TRUE ANDROID SMARTPHONE FOR HACKING UNIQUE IN THE WORLD WITH ALL THE APPS !!! 599,99€ 299,99€
  • HACKER PACK FOR YOUR COMPUTER AND NOTEBOOK + 1000 PROGRAMS 5 GB OF STUFF !!! 99,99€ 49,99€

Our customers say

Annabel M. – Systems Engineer

 
Samuel D. – Ethical Hacker

 
Karola M. – Influencer

 
Marcus P. – Private Investigator

 
Rosemary S. – Housewife

 
Amit V. – IT Consultant

 
Matthew C. – Entrepreneur

 
Aisha B. – Computer Science student

 
Li W. – IT Analyst

 
Robert C. – Programmer

 

Click here to contact us with Whatsapp

Click here to contact us with Whatsapp

Click here to contact us with Telegram

Click here to contact us with Telegram

DOWNLOADED 1316 TIMES!

DOWNLOADED 1316 TIMES!

Download now Hacker Secret our free Android app.

CONTACT US NOW FOR IMMEDIATE SUPPORT!

Contact Us
Write your email address here
Write here how we can help you - we support you immediately for all your needs!

## Are you looking for products for hacking, computer security and penetration testing? Do you need to clean up your smartphone, your PC or your site from viruses and malware? Do you need to track down someone or retrieve urgent information? Do you want to buy devices already configured to experiment all the hacking techniques quickly and easily? Do you have special needs in software or hardware? ##

Contact us now … another 2300 users like you have already done it this year!

Click here now!

 

Search on the site

Latest posts

  • How to tell if someone is stealing your wifi

  • How to check saved passwords on Chrome

  • The Computer Security Day

  • What is digital forensics

  • How to install Metasploit in Termux?

All the techniques, products and services described or contained on this site are intendend for exclusive use of study and professional training and to test the security of own's computer network in accordance with the national legislations on access to computer and online systems. All the services provided on this site (penetration testing, social accounts hardening, Incident Response & CSIRT, MSSP, Cybersecurity Consultancy, etc.) can be provided only with prior written and documented authorization from the owners or their legitimate representatives in accordance with current national regulations .

TOP
New Order