1 change: 1 addition & 0 deletions src/SUMMARY.md
@@ -372,6 +372,7 @@
- [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md)
- [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md)
- [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md)
- [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md)
- [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md)
- [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md)
- [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md)
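Review bot: the new index title "Inputmethodservice Ime Abuse" flattens the Android class name and the acronym into mixed case that readers scanning the summary will not recognise; consider "InputMethodService (IME) Abuse" for the link text while keeping the file path `inputmethodservice-ime-abuse.md` as it is, which also matches how neighbouring entries such as "Install Burp Certificate" read as titles rather than slugs.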
@@ -528,6 +528,56 @@ See the dedicated page:
adaptixc2-config-extraction-and-ttps.md
{{#endref}}

## Kimwolf Android Botnet Tradecraft

### APK loader & native ELF execution on TV boxes
- Malicious APKs such as `com.n2.systemservice06*` ship a statically linked ARM ELF inside `res/raw` (e.g. `R.raw.libniggakernel`). A `BOOT_COMPLETED` receiver runs at startup, extracts the raw resource to the app sandbox (e.g. `/data/data/<pkg>/niggakernel`), makes it executable and invokes it with `su`.
- Many Android TV boxes/tablets ship pre-rooted images or world-writable `su`, so the loader reliably boots the ELF with UID 0 even without an exploit chain. Persistence comes “for free” because the receiver relaunches after every reboot or app restart.
- Reverse engineers hunting for this pattern can diff `AndroidManifest.xml` for hidden boot receivers plus code that references `Resources.openRawResource` → `FileOutputStream` → `Runtime.getRuntime().exec("su")`. Once the ELF is dropped, triage it as a Linux userland backdoor (Kimwolf is UPX-packed, stripped, statically linked, 32-bit ARM EABI5).

### Runtime mutexes & masquerading IOCs
- Upon start, Kimwolf binds an **abstract UNIX domain socket** such as `@niggaboxv4`/`@niggaboxv5`. Existing sockets force an exit, so the socket name works as both a mutex and a forensic artifact.
- The process title is overwritten with service-looking names (`netd_services`, `tv_helper`, etc.) to blend into Android process listings. Host-based detections can alert on these names combined with the mutex socket.

### Stack XOR string decoding with ARM NEON + flare_emu
- Sensitive strings (C2 domains, resolvers, DoT endpoints) are pushed onto the stack in encrypted 8-byte blocks and decoded in-place via `VEOR Qx, Qx, Qy` (`veorq_s64`). Analysts can script **flare_emu** to catch the decrypted pointer each time the decryptor hands it to the caller:
```python
import flare_emu

eh = flare_emu.EmuHelper()

def hook(eh, addr, argv, _):
if eh.isValidEmuPtr(argv[1]):
print(hex(addr), eh.getEmuString(argv[1]))

eh.iterate(0x8F00, hook) # sub_8F00 consumes the plaintext R1 argument
```
- Searching for `VEOR Q8, Q8, Q9` / `veorq_s64` sequences and emulating their ranges mass-dumps every decrypted string, bypassing the stack-only lifetime of the plaintext.

### DNS-over-TLS resolution plus XOR IP derivation
- All Kimwolf variants resolve C2 domains by speaking **DNS-over-TLS (TCP/853)** directly with Google (8.8.8.8) or Cloudflare (1.1.1.1), defeating plain DNS logging or hijacking.
- v4 bots simply use the returned IPv4 A record. v5 bots treat the A record as a 32-bit integer, swap its endianness, XOR it with the constant `0x00ce0491`, then flip the endianness back to obtain the real C2 IP. CyberChef recipe: Change IP format → swap endianness per 4-byte chunk → XOR with `00 ce 04 91` → convert back to dotted decimal.

### ENS / EtherHiding fallback
- Later builds add an ENS domain (`pawsatyou.eth`) whose resolver text key `"lol"` stores a benign-looking IPv6 (`fed0:5dec:...:1be7:8599`).
- The bot grabs the last four bytes (`1b e7 85 99`), XORs them with `0x93141715`, and interprets the result as an IPv4 C2 (`136.243.146.140`). Updating the ENS text record instantly rotates downstream C2s via the blockchain without touching DNS.

### TLS + ECDSA authenticated command channel
- Traffic is encapsulated in wolfSSL with a custom framed protocol:
```go
struct Header {
Magic [4]byte // e.g. "DPRK", "FD9177FF", "AD216CD4"
Reserved uint8 // 0x01
MsgType uint8 // verb
MsgID uint32
BodyLen uint32
CRC32 uint32
}
```
- Bootstrap: the bot sends two empty `MsgType=0 (register)` headers. The C2 replies with `MsgType=1 (verify)` containing a random challenge plus an ASN.1 DER **ECDSA** signature. Bots verify it against an embedded SubjectPublicKeyInfo blob; failures terminate the session, preventing hijacked/sinkholed C2 nodes from tasking the fleet.
- Once verified, the bot sends a `MsgType=0` body carrying the operator-defined **group string** (e.g. `android-postboot-rt`). If the group is enabled, the C2 responds with `MsgType=2 (confirm)`, after which tasking (MsgType 5–12) begins.
- Supported verbs include SOCKS-style TCP/UDP proxying (residential proxy monetization), reverse shell / single command exec, file read/write, and **Mirai-compatible DDoSBody** payloads (same `AtkType`, `Duration`, `Targets[]`, `Flags[]` layout).

## References

- [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
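Review bot: the framed-protocol block is fenced as `go` but `struct Header {` is not valid Go (it would need `type Header struct {`), and the layout leaves out what a parser or detection signature written from this page needs most: the byte order of the three `uint32` fields (`MsgID`, `BodyLen`, `CRC32`) and what the CRC32 is computed over (header only, body only, or both); either fix the declaration or label the block as pseudocode, and add one sentence stating the endianness and CRC coverage, since at 4+1+1+4+4+4 bytes the header is 18 bytes only if it is packed. In the flare_emu snippet the body of `hook` has lost its indentation (the `if eh.isValidEmuPtr(argv[1]):` and `print(...)` lines are flush left), so the block will not parse as committed; re-indent the function body before merging.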
@@ -544,5 +594,6 @@ adaptixc2-config-extraction-and-ttps.md
- Android Find My Device (Find Hub) – [google.com/android/find](https://www.google.com/android/find)
- RftRAT/RFTServer technical analysis – [asec.ahnlab.com](https://asec.ahnlab.com/en/59590/)
- HMAC background – [wikipedia.org/wiki/HMAC](https://en.wikipedia.org/wiki/HMAC)
- Kimwolf Android TV Botnet: ENS-Based C2 Evasion, TLS+ECDSA C2 Protocol, and Large-Scale Proxy/DDoS Operations – [blog.xlab.qianxin.com](https://blog.xlab.qianxin.com/kimwolf-botnet-en/)

{{#include ../../banners/hacktricks-training.md}}
@@ -81,3 +81,4 @@ adb shell ime help
- **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices.
- **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI).

{{#include ../../banners/hacktricks-training.md}}