#
EPIC Payload
#
C2 Communications
The EPIC payload communicates with a hardcoded C2 server and port value via HTTP POST requests.1
#
C2 Registration
The module will automatically perform initial discovery commands and output the results to a tmp
file in %TEMP% with a random string in its filename: %TEMP%\~D<random>.tmp
.1
For scenario purposes, this file name has been hardcoded to %TEMP%\~D723574.tmp
. The discovery
output is returned in the POST request body.
The POST request body is bzip2 compressed and then formatted in a Base64 encoded JSON string with
fields UUID
, type
, and data
and are not made to any particular subfolder and are sent to the
URL path /
of the C2 server site. The initial heartbeat is structured as follows:
{"UUID":"", "type":"command", "data":"<system discovery information>"}
EPIC will use the type
field to indicate to the C2 server what type of data to receive based on
the task.
Upon registration with the C2 server, the module will receive a UUID to use in future communications. The module will then continue to perform POST requests to the domain name of the C2 server site to receive instructions and return result output.
#
Execute Commands
Upon receiving instructions to execute commands, the module will execute the command, append
command output to %TEMP%\~D723574.tmp
, and return the command output in the next C2 communication
cycle.1
#
Execution
The Payload is intended to execute in the scenario as an embedded resource inside of EPIC's Reflective Guard, which is subsequently embedded in the Reflective Injector. Executing either the Guard DLL or Injector executable will result in the execution of the Payload DLL. To execute just the Payload, you can run it via rundll32.exe
with the exported function PayLoop
. See here if you encounter any issues.
#
Tasks
The EPIC payload receives tasking from the C2 server as part of a successful beacon response.
To retrieve an instruction, the response should be base64 decoded and then bzip2 decompressed.
EPIC instructions are structured as followed:
Instructions with no payloads (EXE binaries) to download to the module will have a Payload size
of 0.
Configurations are INI structured files which contain some of the following fields:
Example execute command configuration:
exe = whoami
Example upload file configuration:
result = C:\users\bob\passwords.txt
Example download file configuration (instruction should have associating payload data):
name = C:\System32\malicious.exe
Example delete file configuration:
del_task = \nname = C:\Windows\System32\malicious.exe
#
Encryption
#
RSA encryption
- sha1 hash function
- OAEP padding
- 2048 bit key
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
openssl rsa -pubin -in public.pem -RSAPublicKey_out -out public_pkcs1.key -outform der
openssl rsa -in private.pem -traditional -out private_pkcs1.key -outform der
#
AES encryption
- 256 bit key
- CBC mode of operation
#
Build Instructions
Notes about Bzip2 The EPIC payload used a modified version of BZip2 compiled as a static library. Modifications to BZip2 primarily consisted of stripping debug statements throughout the source files. The modifed BZip2 static library has been removed from this repository, however vcpkg will install an unmodified BZip2 library upon building the payload that will function as needed.
If you are interested in downloading and modifying BZip2, you can find it here. CMake build instructions can be found here. Once compiled, bz2_static.lib
should be copied to payload\libs\lib\bzlib.lib
and the bzlib.h
should be copied to payload\libs\include\bzlib.h
. Create the relevant directories if they do not already exist. Please also make the necessary adjustments to the CMakeLists.txt
and vcpkg.json
files. 1 2 3 4 5
From Visual Studio Developer PowerShell:
cd Resources\EPIC\payload
cmake -S . -B build -DUSE_HTTPS="<true/false>" -DC2_PORT="<port #>" -DC2_ADDRESS:STRING="<c2Address>" -DBINARY_NAME:STRING="<res/res2>"
cmake --build build --config Release --target ALL_BUILD -j 4 --
The compiled DLL and executable will be located in: EPIC\payload\bin
When built with the build script, EPIC will use a default C2 server (address and port) and HTTP for communications. To compile with a different C2 server address and port or to use HTTPS communications, change the corresponding values in the line from above (cmake -S . -B build -DUSE_HTTPS="<true/false>"...
). For example, to build the payload with C2 server example.com
, port 1234
, and HTTPS
selected, run:
cmake -S . -B build -DUSE_HTTPS="true" -DC2_PORT="1234" -DC2_ADDRESS:STRING="example.com" -DBINARY_NAME:STRING="res2"
Run the remaining command as written above. To note: the payload binary name res
corresponds to HTTP and res2
to HTTPS.
To remove symbols, you can use the strip
command:
strip -s bin\test_res.exe
To verify, you can run strings
or objdump --syms bin\test_res.exe
- you should see an empty symbols table.
To run unit tests:
ctest --test-dir bin
#
Cleanup Instructions
Remove the log file:
Remove-Item -Path "%TEMP%\~D723574.tmp";
Kill all Edge browsers potentially containing payload injected into it:
Get-Process msedge -ErrorAction SilentlyContinue | Stop-Process -Force;
#
CTI References
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080105/KL_Epic_Turla_Technical_Appendix_20140806.pdf
- https://securelist.com/the-epic-turla-operation/65545/