Blog Decrypting L0rdix RAT’s C2

Technical Blog

August 1, 2019 Category: Threat Research By: Alex Holland Comments: 0

Decrypting L0rdix RAT’s C2

In my previous blog post on L0rdix RAT, I took a look at its panel and builder components that have been circulating through underground forums recently. As part of that analysis, I identified a key (“3sc3RLrpd17”) which was embedded in one of the PHP pages in L0rdix’s panel. A SHA-256 hash is calculated of this key, which is used as the AES key to encrypt and decrypt L0rdix’s command and control (C2) communications. When a sample is generated using L0rdix’s builder, the operator is able to decide this key.

In this post, I examine L0rdix’s C2 encryption and decryption functions in more detail and discuss how to automate the task of identifying, decrypting and extracting L0rdix C2 traffic from a PCAP using Python.

L0rdix’s configuration structure

L0rdix’s configuration contains 10 fields, which are encrypted and sent as URL query strings in a HTTP POST request to the connect.php page of the panel. The configuration settings of deployed bots are updated by sending similar POST requests to the bots from the panel.

Query StringConfiguration Field
h=Hardware ID
o=Operating system
c=CPU
g=GPU
w=Installed antivirus
p=Privileges of current user
r=Hash rate
f=L0rdix profile in use
rm=RAM
d=Drives

 

L0rdix C2 encryption and decryption steps

L0rdix encrypts its C2 communications using the following steps:

  1. Encrypts the plaintext using AES in Cipher Block Chaining (CBC) mode with a 256-bit key and 16-byte initialisation vector (IV).
  2. Base64 encodes the ciphertext.
  3. Replaces plus (+) characters with tildes (~).
  4. URL encodes the ciphertext.

Figure 1 – L0rdix RAT’s C# encryption function.

For example, the ciphertext of “Windows 7 Enterprise” looks like this:

  • buNpZksa9PSEshjHiM9XNI84ku2X6Zy2Syr7zdzvxMM%3d

We can decrypt the ciphertext by performing the encryption actions in reverse:

  • buNpZksa9PSEshjHiM9XNI84ku2X6Zy2Syr7zdzvxMM= (After URL decoding)
  • 6ee369664b1af4f484b218c788cf57348f3892ed97e99cb64b2afbcddcefc4c3 (Hex representation after Base64 decoding)
  • Windows 7 Enterprise (After AES decryption)

Default key or single operator

After analysing more L0rdix samples in the wild, it became clear that many of them use the key found in the leaked panel to encrypt their C2 channels. There are two realistic possibilities for the re-occurrence of this key:

  1. “3sc3RLrpd17” is the default key that the RAT panel is supplied with from its author and several buyers have not changed it.
  2. The L0rdix samples that use this key are bots controlled by a single operator. Based on the implementation of the encryption and decryption functions, each L0rdix panel operator must use the same key for every bot they control.

There is stronger evidence to indicate that the first possibility is true. For instance, the key is referenced in a coding tutorial on how to encrypt and decrypt data using AES in C# and PHP. L0rdix’s server side encryption and decryption functions closely resemble those in the tutorial, sharing the method (AES-CBC 256), IV (16 null bytes), key (“3sc3RLrpd17”) and programming languages used (C# and PHP). L0rdix’s author may have copied the tutorial’s encryption implementation and decided not to change the key.

Figure 2 – L0rdix panel’s PHP decryption function, including the suspected default operator key.