HP Threat Research Blog Decrypting L0rdix RAT’s C2

August 1, 2019 Category: Threat Research By: Alex Holland Comments: 0

Decrypting L0rdix RAT’s C2

In my previous blog post on L0rdix RAT, I took a look at its panel and builder components that have been circulating through underground forums recently. As part of that analysis, I identified a key (“3sc3RLrpd17”) which was embedded in one of the PHP pages in L0rdix’s panel. A SHA-256 hash is calculated of this key, which is used as the AES key to encrypt and decrypt L0rdix’s command and control (C2) communications. When a sample is generated using L0rdix’s builder, the operator is able to decide this key.

In this post, I examine L0rdix’s C2 encryption and decryption functions in more detail and discuss how to automate the task of identifying, decrypting and extracting L0rdix C2 traffic from a PCAP using Python.

L0rdix’s configuration structure

L0rdix’s configuration contains 10 fields, which are encrypted and sent as URL query strings in a HTTP POST request to the connect.php page of the panel. The configuration settings of deployed bots are updated by sending similar POST requests to the bots from the panel.

Query String Configuration Field
h= Hardware ID
o= Operating system
c= CPU
g= GPU
w= Installed antivirus
p= Privileges of current user
r= Hash rate
f= L0rdix profile in use
rm= RAM
d= Drives

 

L0rdix C2 encryption and decryption steps

L0rdix encrypts its C2 communications using the following steps:

  1. Encrypts the plaintext using AES in Cipher Block Chaining (CBC) mode with a 256-bit key and 16-byte initialisation vector (IV).
  2. Base64 encodes the ciphertext.
  3. Replaces plus (+) characters with tildes (~).
  4. URL encodes the ciphertext.