Cyble – Adversaries Actively Utilizing PowerShell Empire

While conducting our routine threat hunting exercises, Cyble Research and Intelligence Labs (CRIL) came across instances of the PowerShell Empire command and control (C&C) infrastructure. The PowerShell Empire is a post-exploitation red teaming tool used for creating stagers that connect to C&C servers after an initial compromise through vectors such as phishing emails, exploiting public-facing IT systems, and watering hole attacks, etc.

For additional clarity, we hunted for PowerShell Empire-related files in the wild and successfully identified multiple infections. The following figure shows the C&C infrastructure of PowerShell Empire.

Figure 1 Cyble PowerShell Empire Windows Red teaming PowerShell Empire CC Details
Figure 1 – PowerShell Empire C&C Details

Windows PowerShell is a popular tool utilized for managing the IT infrastructure in an organization. It comes pre-installed in Windows 7 and higher versions. It can utilize the .NET framework and Win32 APIs using the command line for multiple operations. Being a legitimate tool of Microsoft, PowerShell is typically whitelisted by multiple vendors.

PowerShell Empire was created by the Veris Group security practitioners Will Schroeder, Justin Warner, Matt Nelson, and others in 2015. In the past, various APT groups have used this tool, with a few of the notable groups being Turla, APT19, MuddyWare, APT41, APT33, and FIN10. According to its official GitHub repository page, the project has not been updated since 2019. Because of its capabilities, threat actors and security researchers use it for various post-exploitation activities, such as system information collection, pivoting, running additional reverse shell modules, and searching for file systems, etc.

Technical Details

The PowerShell Empire framework is similar to the tools used by nation-state actors for stealth APT operations. According to SANS Institute, Empire’s C&C traffic is asynchronous, encrypted, and designed to blend in with normal network activity. This makes it difficult for security researchers to identify the Empire’s communication inside an enterprise network.

The framework is based on a client and server architecture. To develop the payload and C&C, the PowerShell Empire server and clients should be up and running. The PowerShell Client is used to create a listener and stager for performing the attack.

In the PowerShell Empire framework, the listener is the C&C, and the stager is the payload to be executed on the compromised system. After a successful initial compromise, the victim system will communicate to the C&C and register itself as an agent. Then, using the listener, the attacker can easily manage the compromised system.

The figure below shows the client and server of the PowerShell Empire.

Figure 2 Cyble PowerShell Empire Windows Red teaming Empires Server and Client Interactive Shells
Figure 2 – Empire’s Server and Client Interactive Shells

Listener

Before attacking any system, the threat actor needs to set a C&C server. This server is called the listener. It listens to the connection from the victim machine and in return establishes the connection with the stager. The following image shows the listener module of Empire.

Figure 3 Cyble PowerShell Empire Windows Red teaming List of Listeners of Empire Framework
Figure 3 – List of Listeners of Empire Framework

Stager

Stagers are similar to the payload, and after the initial compromise, stagers are dropped and executed on the victim system.

Figure 4 Cyble PowerShell Empire Windows Red teaming List of Empire Stagers
Figure 4 – List of Empire Stagers

Agent

The agent is the compromised system. Empire provides a C&C framework to remotely manage multiple compromised systems at a single point. The image below showcases the Agent panel of the Empire PowerShell.

Figure 5 Cyble PowerShell Empire Windows Red teaming Empire Agent Panel
Figure 5 Empire Agent Panel

During our analysis, we generated the .hta stager payload and executed it in the target Windows machine. The .hta stager we generated launched a PowerShell command using wscript.exe. The command contained Base64 encoded shellcode required for ensuring a reverse connection, as shown in the below figure. 

Figure 6 Cyble PowerShell Empire Windows Red teaming Contents of Malicious .HTA File
Figure 6 – Contents of Malicious .HTA File

The figure below shows the decoded shellcode containing the browser agent and the URL for communication. To avoid detection, the C&C is further obfuscated in the script.

Figure 7 Cyble PowerShell Empire Windows Red teaming Decoded Base64 Encoded Shellcode
Figure 7 – Decoded Base64 Encoded Shellcode

After execution, the client gets the reverse connection using the listener and retrieves the compromised system details. The following figure shows the reverse shell from the victim’s system.

Figure 8 Cyble PowerShell Empire Windows Red teaming Reverse Shell of the Victim System
Figure 8 – Reverse Shell of the Victim System

The figure below shows the C&C communication. The network traffic is encrypted and designed to be mixed with the normal network activity. The agent continuously sends the GET request to receive commands from the C&C for performing other malicious activities.

Figure 9 Cyble PowerShell Empire Windows Red teaming CC Communication from victim machine
Figure 9 – C&C Communication from the victim machine

From the communication, we can see that the three requests listed below are continuously used for C&C communication.

  • /login/process.php
  • /admin/get.php
  • /news.php

Conclusion

Red teaming tools are critical for mimicking adversaries in order to garner insights for strengthening the cyber infrastructure of an organization. Contrary to intended users, threat actors also employ these tools to perform highly stealthy and dangerous attacks against their targets. This makes it imperative for security leaders and defenders to have a detailed understanding of such tools for securing their organizations. In the course of our threat research, we have observed similar trends earlier, wherein malware developers were seen providing highly sophisticated tools to cybercriminals for financial gain. CRIL will continue monitoring the latest threat actors and trends across the surface, deep, and darkweb and keep our readers informed on the latest cybersecurity challenges and updates.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Play Store or the iOS App Store.
  • Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by Antiviruses and Android OS and take necessary actions accordingly.

MITRE ATT&CK® Techniques 

Tactic Technique ID Technique Name
Execution T1059.001 PowerShell
Privilege Escalation T1055 Process Injection
Defense Evasion T1027 Obfuscated Files or Information

Indicators of Compromise (IoCs) 

Indicators Indicator Type Description
1fc72f675e034b42dfb64cdb248acfa3
3bb3d7e5c8c1512b182800eb11318a092713361a 8860f5e08eb98f72f9e48bf2075b0dfef5362d3216f1b05d09fe079c20fd9445
MD5
SHA1 SHA256
4.bat
d91c3f4a6dbc04e84643afc9d0c54bb9
189f56de0cf5e5defd1837cebaf0819e1381d868 48427bd9d53ca745fc82cf2264b7af8bcceecf12524dd8769f21ecd8c64038b0
MD5
SHA1 SHA256
delme.txt
59ec8d082118c700a7aa8a336abcdc88
002ed091722554067367445ace0e4e7ca7837512 7e370d3d24b29f1459fab9c736e480f98bd47c47b717cdd039de7d6d748c1503
MD5
SHA1 SHA256
jnkpl.vbs
1bc0994b30306078161664e5a8199918
779036c4496209717bbf07a481557189858ecb76 cdb019c73dccc5c7a087e600c4139f6db3899d0dbbf8380f06b496b4b95f589f
MD5
SHA1 SHA256
Netflix Checker by GOD Cracked By GM`ka.rar
3c7fbb1615b577b04806978d5171d98d
8d25d681f69ed3bad78cdf8a5ad65e91312e9be5 2ba0174e6d1b4b6f2d3a741558380c26ef0ab56999bfa8e00354622b078d77eb
MD5
SHA1 SHA256
msvchost.exe
6fd1fae59a7e4164aca384d98b20c0de
b4b1967429dc3b23afd6f732499f08f9fed7f1c7 8bb575a85a1cc82cb6990c6b2cc15af174dff0fa93a1c8728678c5c3c5c28664
MD5
SHA1 SHA256
updater.exe
2e2dfb589f4363b08338a54fe10570cd
59ecca905ab7aa54e13d295bea3d6a69e2fa8d3a e8356d83f5179f1e2cec68ad9f755286da721b5c1a6691d323b759b87f800db6
MD5
SHA1 SHA256
sys4.exe
c0f618d88e5f065bebbfa1ee655500d5
16057702af44cdecd3f755488512a8503932d1a0 b8123e9a7ab77b5814f5eb35f5d036dc2bd056282b48e90232f5e027e322ba0c
MD5
SHA1 SHA256
clickme.lnk
584171e0cae2e0e1d7e2aafd28004eae
54829f34b2c28e5f0f35bbc1bfc478f25f330dda c90d57feec3d22cc840ac5d9008355012bcd381dd97877ebc495e3494380238f
MD5
SHA1 SHA256
winvbsJnkPlus.vbs
8d665aa30c6fabebde0791e5434ebfed
f1a913dfac7ece7c2319221064ce330fe86a525b 6862e9cdcfbded8d7f405a1437b1a036e5101f3245f392200d5fbacc96a4681c
MD5
SHA1 SHA256
launcher_protected.exe

https://github.com/EmpireProject/Empire

Source: https://blog.cyble.com/2022/09/06/adversaries-actively-utilizing-powershell-empire/