Its elegance caught me by surprise
I was rightly impressed when I first started it. Running it was as easy as installing an up-to-date version of Java and running a script.
But what surprised me the most was how many features it had for FREE and open-source software.
Re-exploring Meterpreter as the test subject
In a previous article, I created a simple Meterpreter RAT and compiled it as an ELF binary, while explaining how to perform the initial stages of static binary analysis with objdump and how to manually generate shellcode.
Today we are going to delve into the workings of Rapid7's Remote Access Trojan, Meterpreter, and its beating heart on Linux, Mettle. Both are open source (Metasploit and Mettle ship under a BSD license), not proprietary, which is part of why they make a good test subject.
When the shell “lands”, a reverse connection is formed back to the attacker
Ghidra's decompiler recovers C-like pseudocode in much the same way as RetDec (the Retargetable Decompiler), another free alternative to IDA Pro.
In this section of code, the Meterpreter RAT opens a TCP client socket and calls back to the listener, the attacker's C2 (Command and Control) server.
Binary encoding and "packing" to evade detection of its payload
Meterpreter also appears to use encoding: the green text is the key used to decode additional instructions that are stored, encoded, in an array elsewhere in the binary. When you see a key sitting in the clear next to an opaque blob, the usual move is to carve the blob and decode it before going any further.
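As an added example (not code from the page or from Mettle), here is the carve-and-decode step for the case described above: a key stored in the clear next to an encoded array. The sample "binary", the key, the plaintext and the layout (key, NUL, 2-byte length, encoded array) are all constructed for the demonstration; Meterpreter's real layout and cipher are not known from the page, so the repeating-key XOR here stands in for whatever the binary actually does.

```python
import math
import struct

# Constructed sample, not real Meterpreter data: a fake read-only data region
# holding a plaintext key followed (in this assumed layout) by a 2-byte
# little-endian length and the XOR-encoded array the key decodes.
KEY = b"s3cr3t_k3y"
PLAINTEXT = b"cmd:stdapi_sys_config_sysinfo;cmd:core_channel_open;"


def xor_with_key(data, key):
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_binary():
    """Assemble the constructed binary image used throughout this example."""
    encoded = xor_with_key(PLAINTEXT, KEY)
    return (
        b"\x7fELF\x02\x01\x01\x00"            # ELF magic, for flavour only
        + b"ordinary string\x00"
        + KEY + b"\x00"                        # key stored in the clear
        + struct.pack("<H", len(encoded))      # assumed length prefix
        + encoded
        + b"\x00more strings\x00"
    )


def shannon_entropy(buf):
    """Bits per byte; encoded data usually scores higher than its plaintext."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(buf):
    """Fraction of bytes in the printable ASCII range 0x20..0x7e."""
    return sum(0x20 <= b < 0x7F for b in buf) / len(buf) if buf else 0.0


def find_key_offsets(binary, key):
    """Every offset where the key appears as a NUL-terminated string."""
    hits, start = [], 0
    while (i := binary.find(key + b"\x00", start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def carve_and_decode(binary, key):
    """For each key occurrence, carve the length-prefixed array that follows
    it and XOR-decode it. Returns one record per candidate array, with
    before/after printability and entropy so a bad carve is obvious."""
    results = []
    for off in find_key_offsets(binary, key):
        pos = off + len(key) + 1                    # skip key and its NUL
        (length,) = struct.unpack_from("<H", binary, pos)
        encoded = binary[pos + 2 : pos + 2 + length]
        decoded = xor_with_key(encoded, key)
        results.append({
            "key_offset": off,
            "array_offset": pos + 2,
            "length": length,
            "encoded_printable": printable_ratio(encoded),
            "decoded_printable": printable_ratio(decoded),
            "entropy_before": shannon_entropy(encoded),
            "entropy_after": shannon_entropy(decoded),
            "decoded": decoded,
        })
    return results


if __name__ == "__main__":
    for r in carve_and_decode(build_sample_binary(), KEY):
        print(f"key @ {r['key_offset']:#x}, array @ {r['array_offset']:#x}, "
              f"{r['length']} bytes, printable {r['encoded_printable']:.2f} "
              f"-> {r['decoded_printable']:.2f}")
        print(r["decoded"].decode())
```

The printability and entropy numbers are the sanity check: a correct key and carve turn a blob that is mostly control characters into clean text, while a wrong key or a wrong array boundary leaves it looking like noise. In a real sample you would read the array's length and location from the decompiled code that references the key rather than from a fixed prefix.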
The beating heart of Meterpreter
In Mettle's main function, notice that Meterpreter has…
1. A process monitor to check on the shell's status (is it still alive?)
2. A job monitor, so that the RAT stays busy running tasks asynchronously until it receives new orders from C2
3. A channel manager, which multiplexes the data streams exchanged with the attacker's server (file and socket I/O, the output of spawned processes) over the session's transport
4. And a module manager backing Meterpreter's features, such as dumping password hashes from the Windows SAM hive (hashdump) or opening a port-forward (portfwd) to pivot to neighboring hosts
One of the first things it does upon execution is enumerate the victim's operating system; the result is stored in a variable and eventually reported back to the attacker (it is what the sysinfo command shows).
Still not immune to memory forensics!
If you are using Volatility, this section is gold. Volatility's mutantscan plugin lists the named mutant objects in a memory image, so a fixed mutex name that the malware creates (typically as a single-instance guard or infection marker) becomes an easy indicator, and malfind then locates the injected, unbacked executable regions that migration and injection leave behind. One caveat: mutantscan deals with Windows named mutant objects, so it applies to the Windows build of Meterpreter; the pthread mutexes you see in the Linux Mettle binary are in-process locks and will not show up that way.
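The mutex-hunting step above, as an added example that is not part of the original article and not Volatility code: a small triage of mutantscan-style output. The two listings are constructed to mimic the plugin's shape (offset first, name last) rather than copied from a real run, the baseline listing plays the role of a clean image of the same build, and the watchlist fragments are hypothetical. Diffing against a baseline and matching a watchlist are the two things an analyst actually does with this output.

```python
import re

# Constructed mutantscan-style output (shape only, not from a real run):
# one mutant per line, offset first, name last.
SUSPECT_OUTPUT = """\
Offset(P)          Name
0x000000007e1a2b30 Global\\SomeNormalInstaller
0x000000007e2c4d40 Local\\ZonesCacheCounterMutex
0x000000007e3e5f50 Global\\q8Zt1xPc4vRa
0x000000007e4f6060 Global\\_!MSFTHISTORY!_
0x000000007e507170 Local\\RAT_webcam_session
"""

# Same output collected from a known-clean image of the same build (constructed).
BASELINE_OUTPUT = """\
Offset(P)          Name
0x000000007e1a2b30 Global\\SomeNormalInstaller
0x000000007e2c4d40 Local\\ZonesCacheCounterMutex
0x000000007e4f6060 Global\\_!MSFTHISTORY!_
"""

# Hypothetical name fragments recovered from earlier static analysis.
WATCHLIST = ("RAT_webcam", "mettle")

LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.+?)\s*$")


def parse_mutants(text):
    """Return {name: offset} for every data line; header lines are skipped."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[m.group(2)] = int(m.group(1), 16)
    return found


def looks_random(name):
    """Crude heuristic: the leaf name mixes upper, lower and digits with no
    separators, the way generated mutex names often do."""
    leaf = name.rsplit("\\", 1)[-1]
    return bool(
        len(leaf) >= 10
        and re.fullmatch(r"[A-Za-z0-9]+", leaf)
        and re.search(r"[a-z]", leaf)
        and re.search(r"[A-Z]", leaf)
        and re.search(r"[0-9]", leaf)
    )


def triage(suspect_text, baseline_text, watchlist=WATCHLIST):
    """Flag watchlist hits, then anything absent from the baseline image,
    marking random-looking newcomers separately. Returns (offset, name, reason)."""
    suspect = parse_mutants(suspect_text)
    baseline = set(parse_mutants(baseline_text))
    verdicts = []
    for name, offset in suspect.items():
        if any(w.lower() in name.lower() for w in watchlist):
            reason = "watchlist"
        elif name in baseline:
            continue                      # also in the clean image: skip
        elif looks_random(name):
            reason = "new+random-looking"
        else:
            reason = "new"
        verdicts.append((offset, name, reason))
    return verdicts


if __name__ == "__main__":
    for offset, name, reason in triage(SUSPECT_OUTPUT, BASELINE_OUTPUT):
        print(f"{offset:#018x}  {reason:<20}  {name}")
```

The baseline diff is what keeps this useful: Windows and ordinary software create plenty of odd-looking mutants, so "random-looking" on its own is noise, while "new compared to a clean image of the same build" is a short list worth reading by hand.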
How Meterpreter migrates from one process to another to blend in and avoid detection and termination by antivirus and anti-malware solutions
In this section, Meterpreter is about to perform a process migration. If it finds a suitable host process, such as a svchost.exe instance it is allowed to open, the original implant writes its code into that process's memory and starts it there by creating a remote thread (or queuing an APC); once the new copy is running, the old process exits to clean up after itself. Two caveats: migration does not elevate privileges, since the implant can only inject into processes its current token already lets it open (landing in a SYSTEM-level svchost.exe means you already hold SYSTEM or SeDebugPrivilege), and this is distinct from process hollowing, where a fresh process is created suspended and its image replaced.
Once the injected code is running in the new host, the session continues from there and the attacker can carry on unhindered.
The Linux version of Meterpreter, Mettle, links the libcurl library statically for its HTTP(S) transports, which is why so much HTTP-handling code shows up in the binary; it does not shell out to the curl command.
Ghidra recovers decision trees well from bare compare-and-jump instructions
Just as I suspected yesterday, the frequent CMP and conditional-jump (Jcc) opcodes imply a decision-making tree here; Ghidra's decompiler renders them as the if/else branches covering this entire function.
Rapid7 REALLY loves libcurl
Moving right along, notice the libcurl code again. Once libcurl determines whether pipelining is supported, it constructs an HTTP/1.1 request and returns the result through the pointer.
When I was scanning test.ELF on hybrid-analysis.com, the process of "thunking" set off a red flag in their criteria, alleging that it was an attack technique or something. In Ghidra's vocabulary a thunk is simply a small stub function that does nothing but jump to another function (PLT entries for imported library calls are the usual case); it is not a 32-bit backwards-compatibility mechanism, and on its own it is not evidence of an attack.
You can even see the commands that Meterpreter accepts!
And oooh man, bad call! The Remote Access Trojan's commands are plaintext strings, easily spotted with the strings command or with basic binary analysis tools like objdump.
What I highlighted there is a command that the attacker can send to Meterpreter to silently start or stop recording from the victim's webcam.
Anti-malware vendors can profile these strings as a signature immediately, but note how brittle that is: the encoding seen earlier, a packer, or a stripped build removes them, so a string match is a triage aid rather than a reliable detection on its own.
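The strings-based check above, and its weakness, as an added example (not the article's code and not a real vendor signature): a `strings`-style extractor run over a constructed stand-in for a stripped ELF data section, matched against a watchlist, then run again after trivial XOR obfuscation. The page only says the RAT accepts a webcam start/stop command, so the command names in the watchlist and in the sample bytes are assumed for illustration, not copied from the binary.

```python
import string

# Illustrative command names (assumed; modelled on the webcam start/stop
# command the analysis describes, not extracted from the real binary).
WATCHLIST = (
    b"stdapi_webcam_start",
    b"stdapi_webcam_stop",
    b"core_channel_open",
    b"core_migrate",
)

# Constructed stand-in for a stripped ELF data section: header bytes, a
# loader path, command strings, a few bytes of machine code, more strings.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"stdapi_webcam_start\x00stdapi_webcam_stop\x00"
    + b"\x48\x83\xec\x28\x31\xc0"
    + b"core_channel_open\x00connect\x00"
)

# Printable ASCII 0x20..0x7e, i.e. what `strings` accepts by default.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(data, min_len=4):
    """Equivalent of `strings -n 4`: runs of printable ASCII, with offsets."""
    out, start = [], None
    for i, b in enumerate(data + b"\x00"):      # sentinel flushes the last run
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                out.append((start, data[start:i]))
            start = None
    return out


def scan(data, watchlist=WATCHLIST):
    """Signature-style match: which watchlist strings appear, and where."""
    hits = []
    for offset, s in extract_strings(data):
        for needle in watchlist:
            if needle in s:
                hits.append((offset, needle.decode()))
    return hits


def xor_obfuscate(data, key):
    """The cheapest packer imaginable: single-byte or repeating-key XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


if __name__ == "__main__":
    print("plain build:")
    for offset, name in scan(SAMPLE):
        print(f"  {offset:#06x}  {name}")
    print("after XOR 0x5a:", scan(xor_obfuscate(SAMPLE, b"\x5a")) or "no hits")
```

The second run is the point: one XOR pass over the section and the exact same watchlist finds nothing, even though the implant's behaviour is unchanged. Treat string hits as a fast first pass and pair them with behavioural indicators (the callback socket, the injected region malfind finds) for anything you intend to rely on.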