Overview

Koadic is an open source post-exploitation tool for red teamers, written in VBScript/JScript with a Python3 HTTPS-based C2 backend.

The implant side is fairly straightforward - Its persitance and elevation functionality uses hardcoded well-known and signatured methods, and almost all of its stagers get blocked by Windows Defender on Win 10. Nonetheless it has a decent following on Github, and has even been used by an APT crew in the past.

I was interested in doing a review of it, and noticed when hitting scanning a running C2 server, it would always return the following empty HTTP response:

HTTP/1.0 404 Not Found
Server: Apache
Date: Fri, 02 Aug 2019 03:43:28 GMT

The Date header would change be the correct time, but besides that, a few things stand out when comparing this response to one from a Typical real-world Apache Webserver:

  • Apache servers typically return version information in the Server header (although this can be configured)
  • Apache servers return the Date header above the Server header.
  • Apache servers typically will also send more headers, such as Connection, Keep-Alive, or Content-Type

Searching Shodan for Koadic

Unfortunetly the Shodan API doesn’t allow us to specify header ordering, however we can still search for responses that contain:

  • HTTP/1.0 404 Not Found
  • Server: Apache
  • Date (As that actual date will change, but this will cover the presence of the header)
  • not any other header

The Final Shodan query looks like this:

"HTTP/1.0 404 Not Found" "Server: Apache"   -"Content-Type" -"Content-Length" -"Connection" -"Expires" -"Access-Control" -"Set-Cookie" -"Content-Encoding" -"Charset" -"Transfer-Encoding"

Searching Shodan (as of January 2020) has surprising results: ShodanResults

Out of all of Shodan, only 28 results! And looking at a sampling of the results, a lot certainly look suspicious enough to be possible C2 servers:

  • One had a sibling subdomain that was previouslly hostinng a a malicious hta document
    • Investigating, I found out this was a koaded 1st stage
  • One had mutliple ports open, pretending to be both Apache/2.4.29 (Ubuntu) and Microsoft-IIS/7.5
  • One literally had koadic.fr in its TLS cert name

These results, combined with the low number of hits, gives me confidence this signature is correct.

Conclusion

As Koadic was created for legitimate red-teamers, it is unlikely any of these are actualy “the bad guys”.

But understanding what fingerprint a tool creates is usefull to help the blue team detect actualy bad uses of Koadic, as well as help the red teamers understand what footprint they may create.