Unshelling VShell at Scale

VShell is a backdoor written in Golang that is shared across multiple threat actors. It is used widely by intrusion groups, particularly China-nexus actors such as UNC5174. We carried out an in-depth investigation of VShell C2 servers and found that a broad range of information can be obtained from them at scale. For example, by sending a specific magic packet to a VShell C2 server, it is possible to retrieve the raw stageless binary in unobfuscated form. This stageless binary contains hard-coded config data, including the “vkey”. We performed an internet-wide scan for publicly exposed VShell C2 servers, collected stageless binaries, analysed their config data, and explored clustering and attribution.

In this presentation, we first explain what kind of malware VShell is, including its relationship with SNOWLIGHT, and present the results of our detailed malware analysis together with representative cases of abuse. We then describe the structure of the VShell C2 server and show how it communicates with VShell. We also share the contents of the magic packet used to obtain the stageless binary, the results of our detailed analysis of the binary itself, the configuration data embedded in it, and the findings from our analysis of the large volume of config data we collected. In addition, we present deeper analytical results based on information obtained from C2 servers that were operated with default settings. Finally, we propose detection logic for network and endpoint security products to help defend against compromises involving VShell. This logic reflects the detailed internal behaviour of VShell C2 infrastructure revealed by our research.

Through this talk, attendees will gain a detailed understanding of VShell’s capabilities and the characteristics of its C2 servers. They will also learn a research method for uncovering new information useful for attribution. In addition, these findings can be applied directly to defensive practice, including the development of more effective detection logic.

At the start of the talk, we outline what kind of malware VShell is. VShell is a backdoor written in Golang. It was at one point publicly available on GitHub, which helped it become a shared tool used by a wide range of attackers. It is particularly favoured by China-nexus threat groups. We also briefly introduce the groups known to use VShell and present representative examples of their attack workflows. In particular, we focus on recent cases involving UNC5174 and UNC6586.

We then examine the VShell C2 server. We obtained the VShell builder and C2 server binaries and conducted a detailed analysis. Using concrete examples from our data, we explain how VShell payloads are generated by the builder and how they communicate with the C2 server. This gives the audience an accurate view of how VShell operates.

Our investigation of VShell C2 servers also revealed previously unknown findings. For example, when a specific magic packet is sent to a VShell C2 server, it is possible to retrieve a stageless VShell binary. This stageless binary contains config data, including the “vkey”, and that data is not obfuscated, making it straightforward to extract. We used this behaviour to scan the internet at scale, identify VShell C2 servers, retrieve stageless binaries from them, and extract a large volume of config data. Based on the collected config data, we performed clustering and attribution analysis of threat actors using VShell, and we present the results. Some of the stageless binaries we collected had characteristics that differed from the commonly available VShell. We will also show these differences.

In addition, C2 servers running with default settings expose even more information, including data on the victim hosts connected to them. We analysed these data in depth and present the results of that analysis.

Finally, we discuss defensive measures for protecting organisations against VShell-related attacks. Based on our detailed analysis of these C2 servers, we developed improved detection logic that goes beyond what has previously been available. We present detection logic designed for both network security products and endpoint security products.

Through this talk, the audience will gain a detailed understanding of VShell’s capabilities and the characteristics of its C2 servers. They will also learn research methods for uncovering new information that supports attribution. In addition, they will see how these research findings can be applied in practice, including the development of more effective detection logic and other concrete defensive measures.

About the Speakers