Advent of Configuration Extraction – Part 3: Mapping GOT/PLT and Disassembling the SNOWLIGHT Loader

SNOWLIGHT is a lightweight ELF downloader that retrieves an XOR-encoded payload (hardcoded key 0x99) from a remote C2 over a raw TCP socket and executes it in memory using memfd_create and fexecve to avoid disk artifacts. The article describes an automated extractor built with LIEF and Capstone that parses .rodata to find the C2 (always following the “[kworker/0:2]” marker), reconstructs GOT/PLT mappings to locate the gethostbyname call, and recovers the hardcoded port (e.g. 8065). #SNOWLIGHT #UNC5174

Keypoints

  • SNOWLIGHT is a C-written ELF downloader of under 10 KB that communicates with its C2 over a raw TCP socket, sends an architecture identifier (l32/l64/a32/a64), receives an XOR-encoded payload (key 0x99), and executes it entirely in memory via memfd_create and fexecve.
  • Samples contain a consistent .rodata layout where the C2 value appears directly after the marker string “[kworker/0:2]” and include an architecture magic string (e.g., “l64” for x86_64).
  • The C2 TCP port is hardcoded in the instruction immediately preceding a dynamic call to gethostbyname (example: mov word ptr [addr.sa_data], 811Fh; the immediate 0x811F is stored little-endian into sa_data, where it is read in network byte order as 0x1F81, i.e. port 8065).
  • The extractor automates parsing .rodata, resolving GOT→PLT mappings (using LIEF) and disassembling main (using Capstone) to reliably identify the PLT call to gethostbyname and recover the port.
  • LIEF is used to enumerate sections, rebuild GOT and PLT maps (via pltgot_relocations and .plt section analysis) while Capstone disassembles the main function and inspects CALL instructions and preceding immediates.
  • The methodology is modular and generalizes to other ELF-based downloaders/loaders, though heavily obfuscated or packed samples may require additional techniques.
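The following Python is an added example, not the article's or Sekoia's extractor code. It models the three extraction steps from the key points above (marker-based C2 lookup in .rodata, GOT/PLT resolution, and port recovery from the immediate before the gethostbyname call) without LIEF or Capstone, so it runs offline: the .rodata bytes, the .plt bytes, the GOT relocation map, the addresses and the Capstone-style instruction tuples are all constructed here, and the C2 hostname is a placeholder. The assumption that the C2 is the NUL-terminated string immediately after the marker follows the article's description of the .rodata layout.

```python
"""Dependency-free model of the SNOWLIGHT extraction steps (added example).
The real extractor uses LIEF for sections/relocations and Capstone for
disassembly; every input below is constructed, not taken from a sample."""
import struct

XOR_KEY = 0x99                               # hardcoded payload key
MARKER = b"[kworker/0:2]"                    # .rodata marker preceding the C2
ARCH_IDS = {b"l32", b"l64", b"a32", b"a64"}  # architecture identifiers


def extract_rodata_config(rodata: bytes) -> dict:
    """Step 1: the C2 is the NUL-terminated string right after the marker
    (assumption: adjacent NUL-terminated strings); the architecture id is
    whichever .rodata string matches ARCH_IDS."""
    idx = rodata.find(MARKER)
    if idx < 0:
        raise ValueError("marker not found in .rodata")
    start = idx + len(MARKER) + 1            # skip the marker and its NUL
    end = rodata.index(b"\x00", start)
    arch = next((s.decode() for s in rodata.split(b"\x00") if s in ARCH_IDS), None)
    return {"c2": rodata[start:end].decode("ascii"), "arch": arch}


def resolve_plt(plt_base: int, plt_bytes: bytes, got_symbols: dict) -> dict:
    """Step 2: map each 16-byte x86-64 PLT stub to the imported symbol whose
    GOT slot it jumps through. A stub starts with `ff 25 disp32`
    (jmp qword ptr [rip + disp32]); the slot is stub + 6 + disp32.
    got_symbols is {slot_address: name}, which LIEF exposes via .rela.plt."""
    mapping = {}
    for off in range(0, len(plt_bytes), 16):
        stub = plt_bytes[off:off + 16]
        if stub[:2] != b"\xff\x25":
            continue                         # PLT0 header (ff 35 ...) or padding
        disp = struct.unpack_from("<i", stub, 2)[0]
        slot = plt_base + off + 6 + disp
        if slot in got_symbols:
            mapping[plt_base + off] = got_symbols[slot]
    return mapping


def port_from_imm(imm: int) -> int:
    """The 16-bit immediate is written little-endian into sa_data, where the
    port is read big-endian (network order): 0x811F -> 0x1F81 == 8065."""
    return int.from_bytes(imm.to_bytes(2, "little"), "big")


def find_port(insns, plt_map: dict, target: str = "gethostbyname"):
    """Step 3: walk Capstone-style (address, mnemonic, op_str) tuples of main,
    find the direct call whose PLT target resolves to `target`, and read the
    16-bit immediate of the `mov word ptr [...]` immediately before it."""
    for i, (_addr, mnemonic, op_str) in enumerate(insns):
        if mnemonic != "call" or i == 0:
            continue
        try:
            dest = int(op_str, 16)           # direct call such as "0x401030"
        except ValueError:
            continue                         # indirect call, e.g. "rax"
        if plt_map.get(dest) != target:
            continue
        prev_mnemonic, prev_ops = insns[i - 1][1], insns[i - 1][2]
        if prev_mnemonic == "mov" and prev_ops.startswith("word ptr"):
            return port_from_imm(int(prev_ops.rsplit(",", 1)[1].strip(), 16))
    return None


def decode_payload(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR applied to the downloaded payload."""
    return bytes(b ^ key for b in data)


# ---- constructed inputs (placeholder C2, invented addresses) --------------
SAMPLE_RODATA = (b"/tmp/log_de.log\x00" + MARKER + b"\x00"
                 + b"c2.example.invalid\x00l64\x00")
PLT_BASE = 0x401020
GOT_SYMBOLS = {0x404018: "gethostbyname", 0x404020: "socket"}


def _stub(stub_addr: int, slot: int) -> bytes:
    """Build `jmp [rip+disp32]; push idx; jmp PLT0` with the right disp32."""
    return (b"\xff\x25" + struct.pack("<i", slot - (stub_addr + 6))
            + b"\x68\x00\x00\x00\x00" + b"\xe9\x00\x00\x00\x00")


SAMPLE_PLT = (b"\xff\x35" + b"\x00" * 4 + b"\xff\x25" + b"\x00" * 4
              + b"\x0f\x1f\x40\x00"                      # PLT0
              + _stub(PLT_BASE + 16, 0x404018)           # gethostbyname@plt
              + _stub(PLT_BASE + 32, 0x404020))          # socket@plt

SAMPLE_MAIN = [                                          # Capstone-style tuples
    (0x401200, "mov", "word ptr [rsp + 0x20], 2"),       # sa_family = AF_INET
    (0x401207, "lea", "rdi, [rip + 0xe1f]"),             # hostname pointer
    (0x40120e, "mov", "word ptr [rsp + 0x22], 0x811f"),  # port bytes in sa_data
    (0x401215, "call", "0x401030"),                      # gethostbyname@plt
    (0x40121a, "call", "0x401040"),                      # socket@plt
]


def run_example() -> dict:
    config = extract_rodata_config(SAMPLE_RODATA)
    plt_map = resolve_plt(PLT_BASE, SAMPLE_PLT, GOT_SYMBOLS)
    config["port"] = find_port(SAMPLE_MAIN, plt_map)
    config["plt"] = {hex(a): n for a, n in plt_map.items()}
    return config


if __name__ == "__main__":
    print(run_example())
```

On a real sample the constructed inputs would be replaced by the `.rodata` and `.plt` section contents and the `.rela.plt` relocation map obtained from LIEF, and by the instruction tuples Capstone produces for the bytes of `main`; the resolution and port-decoding logic stays the same.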

MITRE Techniques

  • [None ] No specific MITRE ATT&CK technique IDs are explicitly mentioned in the article – the article describes behaviors and includes quotes such as ‘executes it entirely in memory through the memfd_create and fexecve system calls’, ‘communicates with its Command and Control server over a raw TCP socket’, and ‘the server responds with a XOR-encoded payload, currently using the hardcoded key 0x99’.

Indicators of Compromise

  • [File Hash ] Sample analyzed – SHA-256: 344c391cfd4fd30407bf55872d05d44b679a117e407114c0e113b3c6c4cbbb29
  • [File Path ] Local access check observed in early variants – /tmp/log_de.log
  • [Network Port ] Hardcoded C2 TCP port found in instruction immediate – 8065 (value shown as 0x811F little-endian in assembly)
  • [Strings / Markers ] .rodata markers and magic values used to locate config – “[kworker/0:2]” and “l64” (architecture identifier)
  • [Encoding Key ] Payload encoding key used by SNOWLIGHT – 0x99 (XOR key)


Read more: https://blog.sekoia.io/advent-of-configuration-extraction-part-3-mapping-got-plt-and-disassembling-the-snowlight-loader/