From c2dc559402748bb72d962e3e2e48b36ca23b9d77 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 6 Aug 2025 01:42:20 +0000 Subject: [PATCH] Add content from: Project AK47: Uncovering a Link to the SharePoint Vulnerabil... --- .../pentesting-web/microsoft-sharepoint.md | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/src/network-services-pentesting/pentesting-web/microsoft-sharepoint.md b/src/network-services-pentesting/pentesting-web/microsoft-sharepoint.md index 435e2e251..7d8fddfac 100644 --- a/src/network-services-pentesting/pentesting-web/microsoft-sharepoint.md +++ b/src/network-services-pentesting/pentesting-web/microsoft-sharepoint.md 
@@ -99,6 +99,57 @@ Same shell but: * variable names reduced to single letters * `Thread.Sleep()` added for sandbox-evasion & timing-based AV bypass. +### 3.4 AK47C2 multi-protocol backdoor & X2ANYLOCK ransomware (observed 2025-2026) + +Recent incident-response investigations (Unit42 “Project AK47”) show how attackers leverage the ToolShell chain **after initial RCE** to deploy a dual-channel C2 implant and ransomware in SharePoint environments: + +#### AK47C2 – `dnsclient` variant + +* Hard-coded DNS server: `10.7.66.10` communicating with authoritative domain `update.updatemicfosoft.com`. +* Messages are JSON objects XOR-encrypted with the static key `VHBD@H`, hex-encoded and embedded as **sub-domain labels**. + + ```json + {"cmd":"","cmd_id":""} + ``` + +* Long queries are chunked and prefixed with `s`, then re-assembled server-side. +* Server replies in TXT records carrying the same XOR/hex scheme: + + ```json + {"cmd":"","cmd_id":"","type":"result","fqdn":"","result":""} + ``` +* Version 202504 introduced a simplified format `::` and chunk markers `1`, `2`, `a`. + +#### AK47C2 – `httpclient` variant + +* Re-uses the exact JSON & XOR routine but sends the hex blob in the **HTTP POST body** via `libcurl` (`CURLOPT_POSTFIELDS`, etc.). +* Same task/result workflow allowing: + * Arbitrary shell command execution. + * Dynamic sleep interval and kill-switch instructions. + +#### X2ANYLOCK ransomware + +* 64-bit C++ payload loaded through DLL side-loading (see below). +* Employs AES-CBC for file data + RSA-2048 to wrap the AES key, then appends the extension `.x2anylock`. +* Recursively encrypts local drives and discovered SMB shares; skips system paths. +* Drops clear-text note `How to decrypt my data.txt` embedding a static **Tox ID** for negotiations. +* Contains an internal **kill-switch**: + + ```c + if (file_mod_time >= "2026-06-06") exit(0); + ``` + +#### DLL side-loading chain + +1. 
Attacker writes `dllhijacked.dll`/`My7zdllhijacked.dll` next to a legitimate `7z.exe`. +2. SharePoint-spawned `w3wp.exe` launches `7z.exe`, which loads the malicious DLL because of Windows search order, invoking the ransomware entrypoint in memory. +3. A separate LockBit loader observed (`bbb.msi` ➜ `clink_x86.exe` ➜ `clink_dll_x86.dll`) decrypts shell-code and performs **DLL hollowing** into `d3dl1.dll` to run LockBit 3.0. + +> [!INFO] +> The same static Tox ID found in X2ANYLOCK appears in leaked LockBit databases, suggesting affiliate overlap. + +--- + ## 4. Detection ideas | Telemetry | Why it is suspicious | @@ -134,6 +185,7 @@ proc where parent_process_name="w3wp.exe" and process_name in ("cmd.exe","powers - [Unit42 – Active Exploitation of Microsoft SharePoint Vulnerabilities](https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/) - [GitHub PoC – ToolShell exploit chain](https://github.com/real-or-not/ToolShell) - [Microsoft Security Advisory – CVE-2025-49704 / 49706](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-49704) +- [Unit42 – Project AK47 / SharePoint Exploitation & Ransomware Activity](https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/) - [Microsoft Security Advisory – CVE-2025-53770 / 53771](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-53770) {{#include ../../banners/hacktricks-training.md}} \ No newline at end of file
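Review bot: In the new section 3.4 of the first hunk, the beacon and task formats have lost their field placeholders: both JSON samples carry only empty strings (`{"cmd":"","cmd_id":""}` and `{"cmd":"","cmd_id":"","type":"result","fqdn":"","result":""}`), and the 202504 "simplified format" is shown as a bare `::`, which reads as if `<...>`-style placeholders were swallowed by the markdown renderer. Restore the field names (escape the angle brackets or wrap each placeholder in backticks) so a defender can match the on-wire shape. Two smaller points in the same hunk: the kill-switch snippet `if (file_mod_time >= "2026-06-06") exit(0);` is fenced as `c` but compares a time value to a string literal, so label it pseudocode and state which file's modification time is checked; and `10.7.66.10` is an RFC 1918 private address, so "Hard-coded DNS server" should say whether this is the resolver seen in the analysed sample (lab or victim-internal) rather than an Internet-reachable C2 host, otherwise readers will add it to block lists where it is meaningless. Finally, the hunk introduces several concrete defender-facing indicators (TXT lookups under `update.updatemicfosoft.com`, `w3wp.exe` spawning `7z.exe` next to an attacker-written `dllhijacked.dll`, the `.x2anylock` extension and the `How to decrypt my data.txt` note) but the `## 4. Detection ideas` table gains no rows for them; consider adding one Telemetry / Why-it-is-suspicious line per indicator in the same commit.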
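Review bot: The new reference in the second hunk is inserted between the two Microsoft advisory entries (CVE-2025-49704 / 49706 and CVE-2025-53770 / 53771), splitting a pair that belongs together; move the `Unit42 – Project AK47 / SharePoint Exploitation & Ransomware Activity` line directly after the existing `Unit42 – Active Exploitation of Microsoft SharePoint Vulnerabilities` entry so the two Unit42 sources and the two MSRC advisories each stay adjacent. The link title also differs from the report title given in the commit subject ("Project AK47: Uncovering a Link to the SharePoint Vulnerabil..."); using the published title makes the source easier to locate.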