BokBot, also known as IcedID, was one of the most active malware families in 2021 and is known for loading different types of payloads, Cobalt Strike for example. BokBot has previously been linked to ‘NeverQuest’ and over the years it has gone through various code changes. The following article presents the findings of analysis conducted on samples which appeared in December 2021. The analysis focuses on the main module and its network communication features and functionality.

Overall, BokBot has the typical features that you would expect from a banking trojan. Specifically, BokBot presents the following notable features:

- Functionality to intercept local credentials and web-form data stored in the browser, along with inserting web-injects into specific pages in order to capture login credentials as they are entered.
- Various commands that allow the operator(s) to control the compromised host.
- Network support for both HTTP(S) and raw network sockets.
- Unlike previous versions, debug messages have been removed.

The following sub-sections present the findings of the analysis of the main module of BokBot.

The biggest obstacle in analysing BokBot was the way in which the loader loads and executes the main module. BokBot’s main module runs in memory as pure shellcode. As a result, dumping the decrypted component and running it directly in a debugger was not an option. Furthermore, since binary strings and Windows API functions are resolved at runtime, similar obstacles are met during static analysis too.

To work around the above issues, different methods were used. Initially, the Unicorn engine was used to execute and debug certain functions; this was useful, for example, to confirm that the string decryption algorithm had been correctly converted to Python. In cases where this was not possible, a debug session was started by breaking at the entry point of the main module and moving on from there to selected addresses. The static analysis issues were easier to solve. Upon breaking at the entry point of the main module, the resolved Windows API addresses and their associated (BokBot) addresses were collected and then mapped into IDA. Lastly, the strings were decrypted by converting the decryption routine to an IDAPython script (see the ‘Strings/Configuration Encryption’ section).

Anti-Analysis

As with many other malicious binaries, anti-analysis techniques are employed to make the analysis harder.

Calculation of execution time between two addresses. This is repeated 15 times and aims to detect the presence of an emulator or a debugger (for example when stepping over). Fortunately, this mechanism can be easily defeated, and the code is present in only one function.

Execution of the CPUID instruction to get information about the host’s processor. By passing the parameter 0x40000000 in EAX to the CPUID instruction, the hypervisor vendor ID is returned. BokBot then checks whether it matches any of a list of known patterns.

If any of the above techniques is triggered, BokBot continues anyway but informs the command-and-control server. Regarding BokBot’s behaviour when anti-analysis has been identified, the only difference, at least from a binary perspective, appears to be in the execution of the ‘BackConnect’ functionality (described in the Network Communication section): in this case it is not started automatically and the operator(s) have to issue it explicitly. Otherwise, the ‘BackConnect’ functionality is executed as normal in a new thread.

Strings/Configuration Encryption

BokBot keeps its binary strings in an encrypted format, with each string being decrypted only when it is about to be used. An IDAPython script that automates the decryption process is available on GitHub.
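The CPUID check described in the Anti-Analysis section, as an added example that is not part of the original article: it reads the hypervisor vendor ID from leaf 0x40000000 and compares it against a small table of well-known hypervisor vendor IDs (the table is this example's own assumption, not BokBot's pattern list), which lets a sandbox operator confirm what a sample would observe and whether the vendor ID is masked.

```c
/* Added example, not from the original write-up: query CPUID leaf 0x40000000
 * the way the article describes BokBot doing, so a sandbox operator can see
 * which hypervisor vendor ID a sample observes and confirm it is masked.
 * The vendor table is this example's own assumption, not BokBot's list. */
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* Vendor IDs returned in EBX:ECX:EDX of leaf 0x40000000 (NUL-padded to 12). */
static const char *const KNOWN_HV_VENDORS[] = {
    "VMwareVMware", "KVMKVMKVM", "Microsoft Hv", "VBoxVBoxVBox", "XenVMMXenVMM",
};

/* Fill out[13] with the vendor ID. Returns 1 if CPUID.1:ECX bit 31
 * (hypervisor present) is set, 0 otherwise (including on non-x86 builds). */
int read_hypervisor_vendor(char out[13])
{
    memset(out, 0, 13);
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx) || !(ecx & (1u << 31)))
        return 0;
    __cpuid(0x40000000, eax, ebx, ecx, edx); /* EAX selects the leaf */
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    return 1;
#else
    return 0;
#endif
}

/* Index into KNOWN_HV_VENDORS, or -1 when the ID is not a well-known one. */
int classify_hypervisor_vendor(const char *vendor)
{
    for (size_t i = 0; i < sizeof KNOWN_HV_VENDORS / sizeof *KNOWN_HV_VENDORS; i++)
        if (strcmp(vendor, KNOWN_HV_VENDORS[i]) == 0)
            return (int)i;
    return -1;
}

int main(void)
{
    char vendor[13];
    int present = read_hypervisor_vendor(vendor);
    printf("hypervisor present: %d, vendor ID \"%s\", table index %d\n",
           present, vendor, classify_hypervisor_vendor(vendor));
    return 0;
}
```

A table index of -1 with the hypervisor-present bit set means the vendor ID is already masked or non-standard; a well-known index is what a sample running this check would act on.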