APT40 Find and Exfiltrate

Find files which have names that contain "user" or "pass", check the files to ensure they are not in binary format and contain atleast 1 special character. Compress the files and serve them on a website that will only host two requests before shutting down, then delete artifacts created by the previous TTPs.

TTP Tuesday: APT40 - Find and Exfiltrate

A look at APT40 defence evasion techniques

Theme Overview

Our last release looked at APT40 targeting the government organizations with watering-hole and password reuse attacks.

For this week’s TTP Tuesday we are releasing a new APT40 themed chain based on defense evasion techniques. We’ll be looking at a process injection technique and the user of native API calls to perform several defense evasion and discovery techniques.

Shellcode Injection

Process injection is method of code execution that typically abuses legitimate OS functionality, such as the loading of a shared library. On a Windows system, these shared libraries are called DLLs and they contain, in addition to useful exported functions, some boilerplate structure that helps Windows load and use the DLL.

Shellcode is typically a small piece of position independent assembly code. Since it doesn’t contain all the boilerplate found in a shared library, it’s an overall much smaller payload. Shellcode injection, itself a process injection technique, simply loads shellcode into a target process’s memory and executes it.

With APT40, some of their malware has been observed using process injection and shellcode injection to load malware into a target process. For this week’s release we’re using Sliver to demonstrate shellcode injection on a Windows host. The included shellcode launches calc.exe on any x64 Windows machine. To run your own shellcode, just replace the shellcode payload in the TTP and you’re all set!

Native API

Shell bad.

Commands executed through a shell, like PowerShell and Bash, are easy to detect. In addition to logging, defenders often have detection capabilities to alert on or block shell commands. The alternative to shell execution, which most modern C2 frameworks use in their agents, is the use of native operating system API calls or shared libraries (such as the C library) to perform various actions.

Sliver agents, available through Operator’s Sliver plugin, contain several native API capabilities. For this release, we’ve implemented a dozen or so for use in Operator that you can modify and mix into your own chains.

To date, we now support the following Sliver commands through the use of executors:

  • registrycreatekey
  • registryread
  • registrydeletekey
  • execute-shellcode
  • execute-assembly
  • registerextension (register a COFF loader)
  • bof (load a Beacon Object File)
  • ifconfig
  • netstat
  • pwd
  • ls
  • mkdir
  • rm
  • ps
  • terminate
  • getprivs

Back in the workshop, we’re building new agents that include these executors (and more!) to replace our current flagship agents. Expect better stealth and greater execution options in our upcoming releases.

Thanks for reading! We’ll be back next week with more examples of APT40 tradecraft!

Watch a demonstration: APT40 Educational Institutions

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator


Find possible password files
Ensure file is not binary
Find possible username files
Ensure file is not binary
Compress files found
Serve files for 2 requests
Clean up artifacts

User-Set Custom Variables

  • web.port: 8082