Xdr33, A Variant Of CIA’s HIVE Attack Kit

Overview

On Oct 21, 2022, 360Netlab's honeypot system captured a suspicious ELF file ee07a74d12c0bb3594965b51d0e45b6f, which propagated via F5 vulnerability with zero VT detection, our system observces that it communicates with IP 45.9.150.144 using SSL with forged Kaspersky certificates, this caught our attention. After further lookup, we confirmed that this sample was adapted from the leaked Hive project server source code from CIA. This is the first time we caught a variant of the CIA HIVE attack kit in the wild, and we named it xdr33 based on its embedded Bot-side certificate CN=xdr33.

To summarize, xdr33 is a backdoor born from the CIA Hive project, its main purpose is to collect sensitive information and provide a foothold for subsequent intrusions. In terms of network communication, xdr33 uses XTEA or AES algorithm to encrypt the original traffic, and uses SSL with Client-Certificate Authentication mode enabled to further protect the traffic; in terms of function, there are two main tasks: beacon and trigger, of which beacon is periodically report sensitive information about the device to the hard-coded Beacon C2 and execute the commands issued by it, while the trigger is to monitor the NIC traffic to identify specific messages that conceal the Trigger C2, and when such messages are received, it establishes communication with the Trigger C2 and waits for the execution of the commands issued by it.

The functional schematic is shown below.

Hive uses the BEACON_HEADER_VERSION macro to define the specified version, which has a value of 29 on the Master branch of the source code and a value of 34 in xdr33, so perhaps xdr33 has had several rounds of iterative updates already. Comparing with the HIV source code, xdr33 has been updated in the following 5 areas:

• New CC instructions have been added
• Wrapping or expanding functions
• Structs have been reordered and extended
• Trigger message format
• Addition of CC operations to the Beacon task

These modifications to xdr33 are not very sophisticated in terms of implementation, and coupled with the fact that the vulnerability used in this spread is N-day, we tend to rule out the possibility that the CIA continued to improve on the leaked source code and consider it to be the result of a cyber attack group borrowing the leaked source code.

Vulnerability Delivery Payload

The md5 of the Payload we captured is ad40060753bc3a1d6f380a5054c1403a, and its contents are shown below.

The code is simple and straightforward, and its main purpose is to

• Download the next stage of the sample and disguise it as /command/bin/hlogd.
• Install logd service for persistence.

Sample analysis

We captured only one sample of xdr33 for the X86 architecture, and its basic information is shown below.

MD5:ee07a74d12c0bb3594965b51d0e45b6f
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Packer: None

Simply put, when xdr33 runs in the compromised device, it first decrypts all the configuration information, then checks if it has root/admin permissions, if not, it prints “Insufficient permissions. try again... “and exit; otherwise initialize various runtime parameters, such as C2, PORT, runtime interval, etc. Finally, the two functions beacon_start and TriggerListen are used to open the two tasks of Beacon and Trigger.

The following article mainly analyzes the implementation of Beacon and Trigger from the perspective of binary inversion; at the same time, we also compare and analyze the source code to see what changes have occurred.

Decrypting configuration information

xdr33 decodes the configuration information by the following code snippet decode_str, its logic is very simple, i.e., byte-by-byte inverse.

In IDA you can see that decode_str has a lot of cross-references, 152 in total. To assist in the analysis, we implemented the IDAPython script Decode_RES in the appendix to decrypt the configuration information.

The decryption results are shown below, including Beacon C2 45.9.150.144, runtime prompt messages, commands to view device information, etc.

Beacon Task

The main function of Beacon is to periodically collect PID, MAC, SystemUpTime, process and network related device information; then use bzip, XTEA algorithm to compress and encrypt the device information, and report to C2; finally wait for the execution of the commands issued by C2.

0x01: Information Collection

• MAC

Query MAC by SIOCGIFCON or SIOCGIFHWADDR


• SystemUpTime

Collects system up time via /proc/uptime


• Process and network-related information

Collect process, NIC, network connection, and routing information by executing the following 4 commands

0x02: Information processing

Xdr33 combines different device information through the update_msg function

In order to distinguish different device information, Hive designed ADD_HDR, which is defined as follows, and "3, 4, 5, 6" in the above figure represents different Header Type.

typedef struct __attribute__ ((packed)) add_header {
	unsigned short type;
	unsigned short length;
} ADD_HDR;

What does "3, 4, 5, 6" represent exactly? This depends on the definition of Header Types in the source code below. xdr33 is extended on this basis, with two new values 0 and 9, representing Sha1[:32] of MAC, and PID of xdr33 respectively

Some of the information collected by xdr32 in the virtual machine is shown below, and it can be seen that it contains the device information with head type 0,1,2,7,9,3.

It is worth mentioning that type=0, Sha1[:32] of MAC, which means that it takes the first 32 bytes of MAC SHA1. Take the mac in the above figure as an example, its calculation process is as follows.

mac:00-0c-29-94-d9-43,remove "-"
result:00 0c 29 94 d9 43

sha1 of mac:
result:c55c77695b6fd5c24b0cf7ccce3e464034b20805

sha1[:32] of mac:
result:c55c77695b6fd5c24b0cf7ccce3e4640

When all the device information is combined, use bzip to compress it and add 2 bytes of beacon_header_version and 2 bytes of OS information in the header.

0x03: Network Communication

The communication process between xdr33 and Beacon C2 contains the following 4 steps, and the details of each step will be analyzed in detail below.

• Two-way SSL authentication
• Obtain XTEA key
• Report XTEA encrypted device information to C2
• Execute the commands sent by C2

Step1: Two-way SSL Authentication

Two-way SSL authentication requires Bot and C2 to confirm each other's identity, from the network traffic level, it is obvious that Bot and C2 request each other's certificate and verify the process.

The author of xdr33 uses the kaspersky.conf and thawte.conf templates in the source repository to generate the required Bot certificate, C2 certificate and CA certificate.

The CA certificate, Bot certificate and PrivKey are hardcoded in xdr32 in DER format.

The Bot certificate can be viewed using openssl x509 -in Cert -inform DER -noout -text, where CN=xdr33, which is where the family name comes from.

You can use openssl s_client -connect 45.9.150.144:443 to see the C2 certificate. bot, C2 certificates are disguised as being related to kaspersky, reducing the suspiciousness of network traffic in this way.

The CA certificates are shown below. From the validity of the 3 certificates, we presume that the start of this activity is after 2022.10.7.

Step2: Obtain XTEA key

After establishing SSL communication between Bot and C2, Bot requests XTEA key from C2 via the following code snippet.

The processing logic is.

1. Bot sends 64 bytes of data to C2 in the format of "length of device information length string (xor 5) + device information length string (xor 5) + random data".
2. Bot receives 32 bytes of data from C2 and gets 16 bytes of XTEA KEY from it, the equivalent python code to get the KEY is as follows.
Copy

XOR_KEY=5
def get_key(rand_bytes):
	offset = (ord(rand_bytes[0]) ^ XOR_KEY) % 15
	return  rand_bytes[(offset+1):(offset+17)]

Step3: Report XTEA encrypted device information to C2

Bot uses the XTEA KEY obtained from Step2 to encrypt the device information and report it to C2. since the device information is large, it usually needs to be sent in chunks, Bot sends up to 4052 bytes at a time, and C2 replies with the number of bytes it has accepted.

It is also worth mentioning that XTEA encryption is only used in Step3, and the subsequent Step4 only uses the SSL-negotiated encryption suite for network traffic, and no longer uses XTEA.

Step4: Waiting for execution command (new function added by xdr33)

After the device information is reported, C2 sends 8 bytes of task number N of this cycle to Bot, if N is equal to 0, it will sleep for a certain time and enter the next cycle of Beacon Task; if not, it will send 264 bytes of task. bot receives the task, parses it, and executes the corresponding instruction.

The supported instructions are shown in the following table.

Network Traffic Example

The actual step2 traffic generated by xdr33

The interaction in step3, and the traffic from step4

What information can we get from this?？

1. The length of the device information length string, 0x1 ^ 0x5 = 0x4
2. The length of the device information, 0x31,0x32,0x37,0x35 respectively xor 5 gives 4720
3. tea key 2E 09 9B 08 CF 53 BE E7 A0 BE 11 42 31 F4 45 3A
4. C2 will confirm the length of the device information reported by the BOT, 4052+668 = 4720, which corresponds to the second point
5. The number of tasks in this cycle is 00 00 00 00 00 00 00, i.e. there is no task, so no specific task of 264 bytes will be issued.

The encrypted device information can be decrypted by the following code, and the decrypted data is 00 22 00 14 42 5A 68 39, which contains the beacon_header_version + os + bzip magic, and the previous analysis can correspond to one by one.

Trigger Task

The main function of the Trigger is to listen to all traffic and wait for the Triggger IP message in a specific format. Once the message and the Trigger Payload hidden in the message pass the layers of verification, the Bot establishes communication with the C2 in the Trigger Payload and waits for the execution of the instructions sent.

0x1: Listening for traffic

Use the function call socket( PF_PACKET, SOCK_RAW, htons( ETH_P_IP ) ) to set RAW SOCKET to capture IP messages, and then the following code snippet to process IP messages, you can see that Tirgger supports TCP,UDP and the maximum length of message Payload is 472 bytes. This kind of traffic sniffing implementation will increase the CPU load, in fact using BPF-Filter on sockets will work better.

0x2: Checksum Trigger packets

TCP and UDP messages that meet the length requirement are further verified using the same check_payload function.

check_payload的代码如下所示:

The processing logic can be seen as follows.

• Use CRC16/CCITT-FALSE algorithm to calculate the CRC16 value of offset 8 to 92 in the message to get crcValue
• The offset value of crcValue in the message is obtained by crcValue % 200+ 92, crcOffset
• Verify whether the data at crcOffset in the message is equal to crcValue, if it is equal, go to the next step
• Check if the data at crcOffset+2 in the message is an integer multiple of 127, if yes, go to the next step
• Trigger_Payload is encrypted, the starting position is crcOffset+12, the length is 29 bytes. the starting position of Xor_Key is crcValue%55+8, XOR the two byte by byte, we get Trigger_Paylaod

So far it can be determined that the Trigger message format is as follows

0x3: Checksum Trigger Payload

If the Trigger message passes the checksum, the check_trigger function continues to check the Trigger Payload

The processing logic can be seen as follows

• Take the last 2 bytes of the Trigger Payload and write it as crcRaw
• Set the last 2 bytes of the Trigger Payload to 0 and calculate its CRC16, which is called crcCalc
• Compare crcRaw and crcCalc, if they are equal, it means that the Trigger Payload is structurally valid.

Next, the SHA1 of the key in the Trigger Payload is calculated and compared with the hard-coded SHA1 46a3c308401e03d3195c753caa14ef34a3806593 in the Bot. If it is equal, it means that the Trigger Payload is also valid in content, so we can go to the last step, establish communication with C2 in the Trigger Payload, and wait for the execution of its issued command.

The format of the Trigger Payload can be determined as follows.

0x4: Execution of Trigger C2's command

After a Trigger message passes the checksum, the Bot actively communicates with the C2 specified in the Trigger Payload and waits for the execution of the instructions issued by the C2.

The supported instructions are shown in the following table.

It is worth noting that Trigger C2 differs from Beacon C2 in the details of communication; after establishing an SSL tunnel, Bot and Trigger C2 use a Diffie-Helllman key exchange to establish a shared key, which is used in the AES algorithm to create a second layer of encryption.

Experiment

To verify the correctness of the reverse analysis of the Trigger part, we Patch the SHA1 value of xdr33, fill in the SHA1 of NetlabPatched,Enjoy! and implement the GenTrigger code in the appendix to generate UDP type Trigger messages.

We run the Patch in the virtual machine 192.168.159.133 after the xdr33 sample, the construction of C2 for 192.168.159.128:6666 Trigger Payload, and sent to 192.168.159.133 in the form of UDP. the final result is as follows, you can see the xdr33 in the implanted host after receiving the UDP Trigger message, and we expected the same, launched a communication request to the preset Trigger C2, Cool!

Contact us

Readers are always welcomed to reach us on twitter or email us to netlab[at]360.cn.

IOC

sample

ee07a74d12c0bb3594965b51d0e45b6f

patched sample

af5d2dfcafbb23666129600f982ecb87

C2

45.9.150.144:443

BOT Private Key

BOT Certificate

CA Certificate

附录

0x1 Decode_RES

0x02 GenTrigger