fsociety DLL is an injector that Blind Eagle has used in operations1,2. fsociety is a single program written in C# that leverages process hollowing to inject a payload into another program - usually RegSvcs.exe or RegAsm.exe. The original source code has been rewritten in a de-obfuscated fasion for readability3. The de-obfuscated code shares many similarities with the Lime-Crypter implementation of RunPE, however the threat actor has added some wrappers for windows APIs in addition to importing them.
fsociety is downloaded and ran by fiber.dll
as part of the infection chain. prior to running, fsociety.dll
is manipulated by the threat actor to be base64 encoded, have all A
s replaced with a Unicode string, and then reversed. The utility file-ops.py
has been created in the Util folder to assist in replicating the obfuscation of the binary for delivery.
Windows:
py.exe ./file-ops.py -f path\to\repo\birdsofprey\Resources\Efsociety\Efsociety\bin\Release\Efsociety.dll
Linux/Mac:
python3 ./file-ops.py -f path/to/repobirdsofprey/Resources/Efsociety/Efsociety/bin/Release/Efsociety.dll
Sometimes injection does not work on the first try and an implant will not succeed. If this happens verify that the target path exists: C:\Windows\Microsoft.NET\Framework\v4.0.3819\RegSvcs.exe
and that the PE being injected is set up in the proper format with file-ops.py
To verify that fsociety.dll
is injecting properly it can be tested from a PowerShell prompt with either an AsyncRAT payload OR another payload of your choosing. To do this first follow the instructions in AsyncRAT README to build the server and create a client with instructions in AsyncRAT Client README.
Once the server is running you can use the following PowerShell to test fsociety.dll
filling in the paths with ones specific to your system:
$assembly = [Reflection.Assembly]::LoadFile("c:\path\to\repo\birdsofprey\Resources\Efsociety\Efsociety\bin\Release\Efsociety.dll")
$bytes = [System.IO.File]::ReadAllBytes("c:\path\to\payload\AsyncRAT-Client.exe")
[fsociety.Tools]::Ande("C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", $bytes)
If successful you should receive a callback from the AsyncRAT client on the server and when hovering the mouse over the client see that the Path values is C:\Windows\Microsoft.NET\Framwork\v4.0.3819\RegSvcs.exe
indicating that AsyncClient is living in the legitimate RegSvcs.exe process:
Likewise a tool such as Process Hacker will show the AsyncClient assembly loaded into RegSvcs.exe with the path showing the path to RegSvcs.exe:
Likewise if you look at the modules and method tables associated with the legitimate RegSvcs.exe and the injected RegSvcs.exe you can spot many differences - including the Image Size and Resource Tables information. The method tables are completely different for the injected RegSvcs.exe vs the legitimate version
Normal RegSvcs.exe modules
Injected RegSvcs.exe modules
Normal RegSvcs.exe Method Table
Injected RegSvcs.exe Method Table
Two build options are presented. The CLI can be used with devenv.exe to build the fsociety.sln
solution. Also instructions for the Visual Studio GUI are also included:
PS C:\<path>\<to>\birdsofprey\Resources\Efsociety> 'C:\Program Files | [x86]\Microsoft Visual Studio\<version>\<Professional|blank>\Common7\IDE\devenv.exe' fsociety.sln /Build "Release"
-
Open Solution in Visual Studio - this option is presented upon Visual Studio opening
-
In the menu bar near the top of the window, change the dropdown from Debug to Release - this will build and remove any debugging assistance from the project:
-
In the menu bar at the top of the window, select Build -> Build Solution. The completed executables will be located in
birdsofprey\Resources\Efsociety\bin\Release