So I was looking through the CISA’s recent publications regarding three tools named PebbleDash, Copperhedge and Taintedscribe which are believed to be used by the state-sponsored North Korean hacking group HiddenCobra/APT 38/Lazarus Group.
I started off with PebbleDash, because there was a functionality mentioned in the report that caught my eye:https://www.us-cert.gov/ncas/analysis-reports/ar20-133c
I wanted to know how such FakeTLS mechanism works and how it is implemented. I also want to mention beforehand, I did not check wether the code used by PebbleDash is reused from any Github Repository or any other various tools. This blog post focuses mainly on the mentioned functionality.
PebbleDash is a RemoteAccessTool and is in my opinion, built rather simple but effective. For obfuscation, it implements routines to load libraries during execution and encrypts parts of its content with a custom algorithm. As always with RAT tools, it offers its controllers a variety of options to cause mayhem on a victim’s system:
I will not go deeper into the functionalities of this tool this time. If you are interested in reading more, I recommend you to take a look at the CISA report I’ve linked above… or reverse it by yourself :-).
Faking the TLS Handshake
Transport Layer Security is an encryption protocol used for securing data transfer via the internet and in order to establish a valid
TLS communication, a
TLS handshake must be processed. PebbleDash uses this protocol scheme to stay under the radar and hide the C2 communication.
The following graphic is a small reminder of how the
TLS handshake is done and explains how this is accomplished:
In the first step, a simple
connect is executed which sets up a
TCP connection to the C2 server.
Instead of sending the the real server’s domain, the server name field in the
TLS packet is adjusted to a popular domain you encounter pretty often in a company’s network.
The list of domains it can enter into this field is hardcoded into the binary and is selected randomly:
The server certificate, as well as the other packets which are sent back to are not relevant for the sample.
Reversing the implementation
PebbleDash implements various checks wether it received valid
TLS packet from the C2 server. I’ve identified at least the following:
TLSRecord Content Type has to be valid for each step of the
TLSversion has to be 1.0 (
TLS handshake is done, the communication continues in the
TLS format. Instead of using
AES the malware uses the
RC4 protocol for encrypting its messages. The
RC4 is hardcoded into the binary and easily extractable.
Hardcoded RC4 found in binary
With all these information available, I was able to implement a python server which can fake the
TLS handshake and decrypt received messages in my internal network. If anybody is interested in the source code, I am willing to share it. Just message me on Twitter.
It was pretty interesting to see how this
FakeTLS mechanism is implemented and it really sharpened my skills regarding network protocols. I think I’ve never went so deep into the single headers and features of the
TLS protocol. Next time I might look into the other two families which were mentioned in the CISA report.