Using Python to Decrypt Dispind.A and Helminth HTTP Beacons

Posted on May 30th, 2016

Microsoft’s Windows Defender Advanced Threat Hunting Team and Palo Alto’s Unit 42 recently published some great technical writes up that detail targeted attacks, PLATINUM and OilRig, respectively. The reports are great because they provide some actionable intelligence for network defenders to detect malicious activity. The reports also go into great detail about how the attackers encrypt/encode data in their command and control information. In this post we will use a few lines of Python code to decrypt the beacons associated with PLATINUM and OilRig implants.

PLATINUM – Dispind.A

Dispind is a lightweight implant that provides backdoor access to attackers to control a victim machine. Dispind uses to communicate with it’s command and control servers. The initial HTTP beacon will POST the string “ud7LDjtsTHe2tWeC8DYo8A**”, which is an AES256 encrypted and base64 encoded string. Microsoft was kind enough to put the key (“AOPSH03SK09POKSID7FF674PSLI91965”) in their PLATINUM write up. According to Microsoft, the encrypted string is effectively a bunch of whitespace. With this information, let’s write some quick Python code to see if we get the same result:

The plaintext output contains “1” followed by a bunch of white space characters. It looks like we got the expected result!

OilRig – Helminth

The Helminth implant uses HTTP and DNS to communicate with it’s command and control infrastructure. Unlike the Dispind.A implant, the Helminth implant utilizes the “Cookie” header field to send encrypted information. The folks over at Unit 42 discovered that this field contains information about the system and malware, which is encrypted with RC4 using a static key. Let’s see what we can do with some Python:

It worked! The OilRig technical report also goes into great detail about Helminth’s DNS C2 capability. If you’re interested in sharping your Python skills, give the DNS C2 decoding a shot.

Thanks to Microsoft and Palo Alto for sharing the in-depth technical details to make this post possible.

[0] –

[1] – Helminth HTTP beacon: