Detecting and Understanding Emdivi HTTP C2

Posted on November 20th, 2015

Detecting sophisticated cyber threats is an inherently difficult task.  Understanding what systems and information may have been compromised can be even more difficult.  Recently, Shusei Tomonaga & Yuu Nakamura from the Japan Computer Emergency Response Team/Coordination Center (JPCERT/CC) gave a presentation that discussed in technical detail two cyber operations targeting Japan.  The presentation covers the attacker’s tactics, techniques and procedures to successfully compromise 130 organizations.  Along with the presentation, JPCERT/CC released a collection of tools to detect and analyze artifacts associated with the implants mentioned during their presentation.

The attackers utilized an HTTP bot, Emdivi (t17), for initial command and control. The Emdivi implant sends data to an attacker controlled server over an HTTP connection; however, the attackers employ a custom encoding routine to obfuscate the data.  The custom encoding routine functions by first generating an XOR key based on a key value, then using the XOR key to obfuscate the payload.  The JPCERT/CC reverse engineered this custom encoding scheme and developed a Python script to decode the data.  The script requires the analyst to have already done the sometimes tedious work of extracting the encoded information from the HTTP protocol.  Unfortunately, not all cyber security operations groups have the necessary skills or resources to carve data from large volumes of network traffic, and the time from initial detection to understanding can be measured in days, weeks and/or months.

In an effort to reduce the time needed to understand an Emdivi (t17) infection, we have adapted the scripts developed by JPCERT/CC into a Dshell decoder.  Dshell is a network forensic analysis framework than does the heavy lifting of reassembling network streams and parsing common network protocols, like HTTP and DNS.  The decoder, emdivi_c2.py, inspects every HTTP request and attempts to identify elements within the HTTP request that are utilized by Emdivi for command and control and verify if it is authentic Emdivi traffic.  A successful Emdivi event will generate an alert that contains information about the campaign and victim machine:

The decoder can be invoked by using the following command line syntax:

Dshell> decode –d emdivi_c2 sample.pcap

The emdivi_c2.py decoder is expensive as it inspects every HTTP request and should use in conjunction with other detection capabilities.

BreakPoint Labs is committed to developing technology, capabilities, and most importantly, cyber workforce prepared to defend networks from sophisticated threats.