Threat Research

Cyble – Adversaries Actively Utilizing PowerShell Empire

Securonix

Cyble Research and Intelligence Labs (CRIL) detected active PowerShell Empire infrastructure being used in the wild, including multiple infections and post-exploitation activities leveraging the Empire framework. The article details Empire’s listener/stager/agent architecture, its encrypted, stealthy C2 traffic, an HTA-based PowerShell stager, and specific IOCs and defender recommendations. #PowerShellEmpire #EmpireFramework #Turla #APT19 #MuddyWare #APT41 #APT33 #FIN10

Keypoints

  • CRIL identified active PowerShell Empire command-and-control infrastructure in the wild with multiple infections.
  • Empire uses a listener (C2 server), a stager (payload), and an agent on compromised hosts for centralized management.
  • The C2 traffic is asynchronous, encrypted, and designed to blend in with normal network activity to evade detection.
  • An HTA-based stager was generated that launches a PowerShell command via wscript.exe, with Base64-encoded shellcode for a reverse connection.
  • C2 communications rely on specific endpoints: /login/process.php, /admin/get.php, and /news.php.
  • MITRE ATT&CK mapping mentioned in the article includes PowerShell (T1059.001), Process Injection (T1055), and Obfuscated/Information (T1027).
  • An IoC set is provided, including file hashes and names (e.g., 4.bat, delme.txt, jnkpl.vbs) to aid detection and hunting.

MITRE Techniques

  • [T1059.001] PowerShell – The Empire framework uses PowerShell for post-exploitation operations, evidenced by the HTA stager that launches a PowerShell command using wscript.exe. “… The .hta stager we generated launched a PowerShell command using wscript.exe. The command contained Base64 encoded shellcode required for ensuring a reverse connection.”
  • [T1055] Process Injection – Empire’s post-exploitation activities include operations such as system information collection, pivoting, and running additional reverse shell modules, indicating the use of process-level techniques. “…post-exploitation activities, such as system information collection, pivoting, running additional reverse shell modules, and searching for file systems, etc.”
  • [T1027] Obfuscated Files or Information – To avoid detection, the C&C is further obfuscated in the script. “…to avoid detection, the C&C is further obfuscated in the script.”

Indicators of Compromise

  • [MD5] 1fc72f675e034b42dfb64cdb248acfa3 – 4.bat
  • [SHA1] 3bb3d7e5c8c1512b182800eb11318a092713361a – 4.bat
  • [SHA256] 8860f5e08eb98f72f9e48bf2075b0dfef5362d3216f1b05d09fe079c20fd9445 – 4.bat
  • [MD5] d91c3f4a6dbc04e84643afc9d0c54bb9 – delme.txt
  • [SHA1] 189f56de0cf5e5defd1837cebaf0819e1381d868 – delme.txt
  • [SHA256] 48427bd9d53ca745fc82cf2264b7af8bcceecf12524dd8769f21ecd8c64038b0 – delme.txt
  • [MD5] 59ec8d082118c700a7aa8a336abcdc88 – jnkpl.vbs
  • [SHA1] 002ed091722554067367445ace0e4e7ca7837512 – jnkpl.vbs
  • [SHA256] 7e370d3d24b29f1459fab9c736e480f98bd47c47b717cdd039de7d6d748c1503 – jnkpl.vbs
  • [MD5] 1bc0994b30306078161664e5a8199918 – Netflix Checker by GM`ka.rar
  • [SHA1] 779036c4496209717bbf07a481557189858ecb76 – Netflix Checker by GM`ka.rar
  • [SHA256] cdb019c73dccc5c7a087e600c4139f6db3899d0dbbf8380f06b496b4b95f589f – Netflix Checker by GM`ka.rar
  • [MD5] 3c7fbb1615b577b04806978d5171d98d – msvchost.exe
  • [SHA1] 8d25d681f69ed3bad78cdf8a5ad65e91312e9be5 – msvchost.exe
  • [SHA256] 2ba0174e6d1b4b6f2d3a741558380c26ef0ab56999bfa8e00354622b078d77eb – msvchost.exe
  • [MD5] 6fd1fae59a7e4164aca384d98b20c0de – updater.exe
  • [SHA1] b4b1967429dc3b23afd6f732499f08f9fed7f1c7 – updater.exe
  • [SHA256] 8bb575a85a1cc82cb6990c6b2cc15af174dff0fa93a1c8728678c5c3c5c28664 – updater.exe
  • [MD5] 2e2dfb589f4363b08338a54fe10570cd – sys4.exe
  • [SHA1] 59ecca905ab7aa54e13d295bea3d6a69e2fa8d3a – sys4.exe
  • [SHA256] e8356d83f5179f1e2cec68ad9f755286da721b5c1a6691d323b759b87f800db6 – sys4.exe
  • [MD5] c0f618d88e5f065bebbfa1ee655500d5 – clickme.lnk
  • [SHA1] 16057702af44cdecd3f755488512a8503932d1a0 – clickme.lnk
  • [SHA256] b8123e9a7ab77b5814f5eb35f5d036dc2bd056282b48e90232f5e027e322ba0c – clickme.lnk
  • [MD5] 584171e0cae2e0e1d7e2aafd28004eae – winvbsJnkPlus.vbs
  • [SHA1] 54829f34b2c28e5f0f35bbc1bfc478f25f330dda – winvbsJnkPlus.vbs
  • [SHA256] c90d57feec3d22cc840ac5d9008355012bcd381dd97877ebc495e3494380238f – winvbsJnkPlus.vbs
  • [MD5] 8d665aa30c6fabebde0791e5434ebfed – launcher_protected.exe
  • [SHA1] f1a913dfac7ece7c2319221064ce330fe86a525b – launcher_protected.exe
  • [SHA256] 6862e9cdcfbded8d7f405a1437b1a036e5101f3245f392200d5fbacc96a4681c – launcher_protected.exe

Read more: https://blog.cyble.com/2022/09/06/adversaries-actively-utilizing-powershell-empire/