JPCERT/CC Eyes

From September to December 2024, JPCERT/CC has confirmed incidents involving CrossC2, the extension tool to create Cobalt Strike Beacon for Linux OS. The attacker employed CrossC2 as well as other tools such as PsExec, Plink, and Cobalt Strike in attempts to penetrate AD. Further investigation revealed that the attacker used custom malware (hereafter referred to as "ReadNimeLoader") as a loader for Cobalt Strike. Information submitted to VirusTotal suggests that this attack campaign may have been observed across multiple countries, not only in Japan. This article explains CrossC2 and Cobalt Strike, the malware used in the campaign, as well as other tools employed by the attacker. A tool released by JPCERT/CC to support the analysis of CrossC2 is also introduced at the end.

CrossC2

CrossC2 is an unofficial Beacon and builder compatible with Cobalt Strike version 4.1 and above, developed in C language. It is designed to operate on Linux (x86, x64) and macOS (x86, x64, M1) architectures. While the builder is publicly available on GitHub[1], allowing users to create Beacons, the source code for both the builder and the Beacon are not released.

Upon execution, CrossC2 immediately forks itself, and the main processing is carried out in the child process. The C2 information is retrieved from the configuration, while the C2 server host and port number can also be obtained from the environment variables "CCHOST" and "CCPORT". Once executed, CrossC2 is capable of executing various Cobalt Strike commands after establishing communication with the Cobalt Strike TeamServer. However, the range of executable commands is limited compared to the full functionality of standard Cobalt Strike. The Beacon contains the following multiple anti-analysis features:

• String encoding using single-byte XOR
• Insertion of a large amount of junk code

Figure 1 shows a part of the inserted junk code. A significant amount of such code is embedded in key functions. However, the obfuscation can be easily removed by replacing the following byte sequence with NOP instruction.

8B 85 ?? ?? ?? ?? 2D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? E9 00 00 00 00

The configuration data is stored at the end of the file. CrossC2 first retrieves its own file path using the readlink function and then fread its own code. It keeps searching for the string "HOOK" to locate the address of the configuration data. The structure of the configuration is as shown below. The encrypted configuration data can be decrypted using AES128-CBC(no padding). CrossC2 uses OpenSSL library functions to perform the decryption.

0x0: "HOOK" search tag
0x4: Size of the configuration data
0x8: Encrypted configuration data

CrossC2 can create Beacon using legitimate TeamServer extensions. By default, the generated Beacon is packed with UPX, but attempting to unpack it with UPX fails due to the configuration information at the end of the file. To unpack the Beacon successfully, the configuration block must first be removed. After unpacking using UPX, the configuration block needs to be reinserted at the end.

Cobalt Strike

Figure 2 illustrates the flow of Cobalt Strike execution. The process is initiated by a legitimate java.exe file, which is executed from a Task Scheduler job registered by the attacker. This java.exe loads jli.dll through DLL sideloading. The DLL file is ReadNimeLoader, which is written in Nim language. ReadNimeLoader reads a data file named readme.txt from the same directory, decrypts it, and executes its content in memory. This file contains OdinLdr[2], an open-source Shellcode-format loader, which decodes the embedded Cobalt Strike Beacon and executes it in memory. All related files, including ReadNimeLoader, were located under "C:\$recycle.bin\" on the affected system. In addition, some ReadNimeLoader samples were found to contain the following PDB path.

D:\BuildServer\bna-4\work-git\phoenix-repository\phoenix\Release\Battle.net Launcher.exe.pdb

ReadNimeLoader

ReadNimeLoader incorporates the following four anti-analysis techniques:

• Detect debugging by checking BeingDebugged value in PEB
• Detect debugging by checking CONTEXT_DEBUG_REGISTER value
• Measure the difference of elapsed time and proceed to debag checking when the value exceeds 0x512
• Detect debugging by causing an exception and checking whether an exception handler is obtained

A part of the decryption key required to decode OdinLdr is embedded within the functions for the abovementioned anti-analysis techniques. As a result, unless these functions are executed, the correct decryption key is not generated, and OdinLdr cannot be decrypted. In addition to these anti-analysis mechanisms, a large amount of junk code is also inserted. Figure 3 shows a part of the code.

Strings used by ReadNimeLoader are encoded, and they are decoded using two distinct XOR-based decoding functions. Figure 4 shows a portion of each code.

The encoded strings can be decoded using the Python script shown below. In earlier versions of ReadNimeLoader do not contain the decode02 function, indicating that it was added in a later version.

def BYTE1(in_data):
    return (in_data >> 8) & 0xff


def BYTE2(in_data):
    return (in_data >> 16) & 0xff


def BYTE3(in_data):
    return (in_data >> 24) & 0xff


def decode02(enc_bytes, xor_key):
    result = []
    for enc_byte in enc_bytes:
        enc_byte ^= BYTE3(xor_key) & 0xEE ^ BYTE2(xor_key) & 0xEE ^ (xor_key ^ BYTE1(xor_key)) & 0xEE
        result.append(i)
        enc_byte += 1
    return result


def decode01(enc_bytes, xor_key):
    xor_table = [ 0, 8, 0x10, 0x18]
    result = []
    for enc_byte in enc_bytes:
        for j in range(4):
            enc_byte ^= ((xor_key >> xor_table[j]) & 0xEE)
        result.append(i)
    return result

ReadNimeLoader uses AES256-ECB mode to decrypt the malware payload. The key is created by combining specific strings decoded by the aforementioned decoding functions, which is then converted into hexadecimal format, transformed to uppercase, and zero-padded. This decryption can be performed using the following Python script:

from Crypto.Cipher import AES
import binascii

def ZeroPadding(hexstr, num):
    padding_num = num - len(hexstr)
    if padding_num < 0:
        return hexstr
    return  hexstr + b"\x00" * padding_num


def decrypt(readme_data, key_string):
    capitalized_key = binascii.hexlify(ascii_to_bytes(key_string)).upper()
    key = ZeroPadding(capitalized_key, 32)
    Cipher = AES.new(key, AES.MODE_ECB)
    return Cipher.decrypt(readme_data)

OdinLdr

After execution, OdinLdr decrypts the internally encoded Cobalt Strike Beacon and runs it in memory. To avoid detection, the Beacon is periodically re-encrypted using a randomly generated XOR key and stored in newly allocated heap memory. It is a distinctive characteristic that there is the string "OdinLdr1337" at the beginning of the heap memory. Additionally, it has been confirmed that there are two types of Shellcode deployed by ReadNimeLoader: some samples execute the Cobalt Strike Beacon through OdinLdr, while others run the Beacon directly. Appendix B outlines the relations between ReadNimeLoader versions and their corresponding decryption keys, the specific readme.txt files loaded, and the encoded malware payloads. A part of the Cobalt Strike configuration used is included in the appendix.

Tools used by the attacker

Among the tools used by the attacker, multiple ELF versions of SystemBC were identified. For more information on the differences from the Windows version of SystemBC, please refer to the report by ANY.RUN [3]. Other confirmed tools include PsExec, commonly used for lateral movement; GetNPUsers [4], often leveraged in AS-REP Roasting attacks; Plink, an SSH client tool; and privilege escalation tools for Windows systems.

Attribution

Despite architectural differences, confirmed identical characteristics suggest that this attacker and the attack campaign have a potential connection to BlackBasta. More specifically, the domain confirmed to be used for the C2 in this campaign matches the one listed in Rapid7’s report on BlackBasta [5]. Further similarities include the use of the files named jli.dll and readme.txt. Additionally, SystemBC was leveraged, and when attacking AD, AS-REP was also used.

Tools for analyzing CrossC2

As an analysis tools for CrossC2, a configuration parser is publicly available on JPCERT/CC’s GitHub.

GitHub: JPCERTCC/aa-tools/parse_crossc2beacon_config.py
https://github.com/JPCERTCC/aa-tools/blob/master/parse_crossc2beacon_config.py

CrossC2 can generate binaries for macOS, not only for Linux, and this parser is designed to support macOS binaries as well. Figure 5 shows a sample output from running the configuration parser.

In Closing

While there are numerous incidents involving Cobalt Strike, this article focused on the particular case in which CrossC2, a tool that extends Cobalt Strike Beacon functionality to multiple platforms, was used in attacks, compromising Linux servers within an internal network. Many Linux servers do not have EDR or similar systems installed, making them potential entry points for further compromise, and thus more attention is required. We hope the information provided in this article will be useful to you in incident response and malware analysis. For details on confirmed C2 servers and malware hash values, please refer to the Appendix.

Yuma Masubuchi (Translated by Takumi Nakano)

References

[1] CrossC2
https://github.com/gloxec/CrossC2

[2] OdinLdr
https://github.com/emdnaia/OdinLdr

[3] ANY.RUN
A new SystemBC RAT is targeting Linux-based platforms
https://x.com/anyrun_app/status/1884207667058463188

[4] GetNPUsers.py
https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py

[5] Rapid7
BlackSuit Continues Social Engineering Attacks in Wake of Black Basta’s Internal Conflict
https://www.rapid7.com/blog/post/2025/06/10/blacksuit-continues-social-engineering-attacks-in-wake-of-black-bastas-internal-conflict/

Appendix A: Example of CrossC2 configuration

C2: 162.33.179[.]247:8443
PUBLICKEY: 
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaW
34Iv7znqVuomjiJn4Yr1ck9YSWylfAoiy20DnR0ab
CoHtdPK3L05CgOjnLGSfM5Vji0IRd8xtCGpU699Jt
FCa/Jg7zmuejilkKTFpMB36+49UQtaYp4KjFuImRC
z72NdzszsLzHDlVWAPmn5CSTfsTIzceomQfmCDY//
IygzQIDAQAB
-----END PUBLIC KEY-----

Appendix B: The relations between ReadNimeLoader and malware payloads

Table 1: The relations between ReadNimeLoader and malware payloads

Appendix C: Example of Cobalt Strike configuration

BeaconType                       - HTTPS
Port                             - 443
SleepTime                        - 30000
MaxGetSize                       - 2097328
Jitter                           - 40
MaxDNS                           - Not Found
PublicKey_MD5                    - d67a7903c6777d64b69845b6fcd5db65
C2Server                         - 64.95.10[.]209,/Collector/2.0/settings/,179.60.149[.]209,/Collector/2.0/settings/,64.52.80[.]62,/Collector/2.0/settings/
UserAgent                        - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.4.00.2879 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36
HttpPostUri                      - /MkuiIJzM2IZs
Malleable_C2_Instructions        - Remove 46 bytes from the end
                                   Remove 130 bytes from the beginning
                                   NetBIOS decode 'a'
HttpGet_Metadata                 - ConstHeaders
                                        Accept: json
                                        Host: westeurope-teams.azureedge.net
                                        Referer: https://teams.microsoft.com/_
                                        x-ms-session-id: f73c3186-057a-d996-3b63-b6e5de6ef20c
                                        x-ms-client-type: desktop
                                        x-mx-client-version: 27/1.0.0.2021020410
                                        Accept-Encoding: gzip, deflate, br
                                        Origin: https://teams.microsoft.com
                                   ConstParams
                                        qsp=true
                                        client-id=NO_AUTH
                                        sdk-version=ACT-Web-JS-2.5.0&
                                   Metadata
                                        base64url
                                        parameter "events"
HttpPost_Metadata                - ConstHeaders
                                        Connection: Keep-Alive
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                   SessionId
                                        base64url
                                        parameter "id"
                                   Output
                                        base64url
                                        print
PipeName                         - Not Found
DNS_Idle                         - Not Found
DNS_Sleep                        - Not Found
SSH_Host                         - Not Found
SSH_Port                         - Not Found
SSH_Username                     - Not Found
SSH_Password_Plaintext           - Not Found
SSH_Password_Pubkey              - Not Found
SSH_Banner                       -
HttpGet_Verb                     - GET
HttpPost_Verb                    - POST
HttpPostChunk                    - 0
Spawnto_x86                      - %windir%\syswow64\powercfg.exe
Spawnto_x64                      - %windir%\sysnative\powercfg.exe
CryptoScheme                     - 0
Proxy_Config                     - Not Found
Proxy_User                       - Not Found
Proxy_Password                   - Not Found
Proxy_Behavior                   - Use IE settings
Watermark_Hash                   - NtZOV6JzDr9QkEnX6bobPg==
Watermark                        - 987654321
bStageCleanup                    - True
bCFGCaution                      - True
KillDate                         - 0
bProcInject_StartRWX             - True
bProcInject_UseRWX               - False
bProcInject_MinAllocSize         - 8096
ProcInject_PrependAppend_x86     - Empty
ProcInject_PrependAppend_x64     - Empty
ProcInject_Execute               - ntdll.dll:RtlUserThreadStart
                                   NtQueueApcThread-s
                                   SetThreadContext
                                   CreateRemoteThread
                                   kernel32.dll:LoadLibraryA
                                   RtlCreateUserThread
ProcInject_AllocationMethod      - VirtualAllocEx
bUsesCookies                     - False
HostHeader                       -
headersToRemove                  - Not Found
DNS_Beaconing                    - Not Found
DNS_get_TypeA                    - Not Found
DNS_get_TypeAAAA                 - Not Found
DNS_get_TypeTXT                  - Not Found
DNS_put_metadata                 - Not Found
DNS_put_output                   - Not Found
DNS_resolver                     - Not Found
DNS_strategy                     - round-robin
DNS_strategy_rotate_seconds      - -1
DNS_strategy_fail_x              - -1
DNS_strategy_fail_seconds        - -1
Retry_Max_Attempts               - 0
Retry_Increase_Attempts          - 0
Retry_Duration                   - 0

Appendix D: Network

• 64.52.80[.]62:443
• 64.95.10[.]209:443
• 67.217.228[.]55:443
• 137.184.155[.]92:443
• 159.65.241[.]37:443
• 162.33.179[.]247:8443
• 165.227.113[.]183:443
• 179.60.149[.]209:443
• 192.241.190[.]181:443
• api.glazeceramics[.]com:443
• doc.docu-duplicator[.]com:53
• doc2.docu-duplicator[.]com:53
• comdoc1.docu-duplicator[.]com:53

Appendix E: Malware

Table 2: List of malware and tools