Ces_x64frev Now


The first public samples appeared on VirusTotal in , flagged by multiple AV engines as a Trojan with Cobalt Strike-like behavior. Since then, threat-intelligence platforms (MISP, Abuse.ch, Anomali) have recorded a steady increase in sightings, especially in the Financial Services, Healthcare, and Manufacturing sectors in North America and Europe.

3. Technical Overview

3.1 PE Characteristics

| Feature | Details |
|---------|---------|
| Compilation | Microsoft Visual C++ 2019, /O2 optimization, /MT static runtime |
| Exported functions | WinMain, LoadPayload, SetPersistence, SendBeacon |
| Import table | kernel32.dll, advapi32.dll, ws2_32.dll, urlmon.dll, crypt32.dll |
| Anti-analysis tricks | Checks for debugger presence (IsDebuggerPresent); uses NtQueryInformationProcess to detect sandbox VMs (checks for VMware, VirtualBox, Hyper-V); employs XOR-based string obfuscation and runtime decryption |
| Payload delivery | Encrypted (AES-256-CBC) payload embedded in a resource section (RT_RCDATA). The key is derived at runtime from a combination of the host's hardware GUID and a hard-coded secret. |
| Execution flow | 1. Self-validation (integrity checksum). 2. Persistence set-up (registry / scheduled task). 3. C2 contact (HTTPS GET to a domain generated from the host's MAC address). 4. Payload decryption & injection (CreateRemoteThread into a legitimate system process, e.g., svchost.exe). |
3.2 Persistence Mechanisms

| Mechanism | Registry / Task | Details |
|-----------|----------------|---------|
| Run key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CesService | Points to %APPDATA%\Microsoft\Windows\Start Menu\Programs\ces_x64frev.exe (renamed to a legitimate-looking name such as system32.dll) |
| Scheduled task | \Microsoft\Windows\UpdateOrchestrator\CesUpdater | Triggers at logon and daily at 03:00 AM |
| Windows Service | Service name CesService (display name "Microsoft Compatibility Engine") | Binary path points to the same executable, set to auto-start. |

3.3 Network Communication

| Protocol | Destination | Observed Patterns |
|----------|-------------|-------------------|
| HTTPS (TLS 1.2) | *.cloudfront.net, *.akamaihd.net, and custom domains (a1b2c3d4[.]com) | Encrypted beacon containing system info, installed software list, and a short-lived crypto-nonce. |
| DNS (TXT queries) | payload.[random].domain.tld | Used when the primary C2 is unreachable; the TXT record holds a Base64-encoded secondary payload. |
| SMB (internal) | \\192.168.*.*\share | Rarely used for lateral movement; copies the loader to other hosts on the same subnet. |

4. ATT&CK Mapping & Attack Flow

Below is a high-level kill chain that shows where ces_x64frev sits within an adversary's campaign:

ces_x64frev

- Initial Access → Phishing (T1566.001)
- Execution → Command-line (T1059) / Rundll32 (T1085) → ces_x64frev.exe
- Persistence → Registry Run Keys (T1547.001) / Scheduled Task (T1053.005)
- Privilege Escalation → Exploit Public-Facing Application (T1190), optional
- Defense Evasion → Obfuscated Files/Information (T1027)
- Credential Access → OS Credential Dumping (T1003), via secondary modules
- Lateral Movement → SMB/Windows Admin Shares (T1021.002)
- Command & Control → Web Protocols (T1071.001) / DNS (T1071.004)
- Impact → Deploy Ransomware or Data Exfiltration (T1486 / T1041)

The loader itself focuses on and retrieving additional payloads. The actual "impact" (ransomware, data theft, etc.) is determined by the second stage delivered after the C2 handshake.

5. Detection & Hunting

5.1 Static Indicators

| Indicator | Example |
|-----------|---------|
| File hash (SHA-256) | 9BFA7C4D3E2A1F6D8C9E2F3B5A6D7E8F9C0B1A2D3E4F5A6B7C8D9E0F1A2B3C4D |
| File size | 120 KB ± 5 KB |
| PE timestamp | 2024-02-15 08:23:11 UTC (common across many samples) |
| Embedded resource name | RSRC001 (type RT_RCDATA) |
| Default install path | %APPDATA%\Microsoft\Windows\Start Menu\Programs\system32.dll |
| Registry key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CesService |

5.2 Behavioral Indicators

| Behavior | Description |
|----------|-------------|
| Outbound HTTPS to newly registered domains | Domains are often less than 30 days old, use Fastly/Akamai CDNs, and contain random subdomains. |
| Creation of a Windows Service named "CesService" | Service binary points to a non-standard location (AppData) and is set to auto-start. |
| Process injection into svchost.exe or explorer.exe | Detect via CreateRemoteThread or NtCreateThreadEx calls originating from a low-privilege process. |
| DNS TXT query for payload.*.domain.tld | Unusual use of DNS TXT for data transfer. |
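A static-indicator check for the values in 5.1, added here as an example rather than taken from the report or from the loader itself: it computes the SHA-256, tests the file-size band, and reads the COFF TimeDateStamp straight out of the PE header (no external PE library). The PE-shaped blob produced by build_sample_pe is constructed for the demonstration and is not a sample; only the hash, size band and timestamp come from the table above.

```python
"""Static-indicator check against the section 5.1 values (added example)."""
import calendar
import hashlib
import struct
from datetime import datetime, timezone

# Values from section 5.1 of the report.
KNOWN_SHA256 = "9BFA7C4D3E2A1F6D8C9E2F3B5A6D7E8F9C0B1A2D3E4F5A6B7C8D9E0F1A2B3C4D".lower()
SIZE_CENTER, SIZE_TOLERANCE = 120 * 1024, 5 * 1024          # 120 KB +/- 5 KB
KNOWN_TIMESTAMP = calendar.timegm((2024, 2, 15, 8, 23, 11))  # 2024-02-15 08:23:11 UTC


def pe_timestamp(data: bytes):
    """Return the COFF header TimeDateStamp, or None if the image is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def check_static(data: bytes) -> dict:
    """Evaluate the three file-level indicators and return the raw facts."""
    digest = hashlib.sha256(data).hexdigest()
    ts = pe_timestamp(data)
    return {
        "sha256": digest,
        "hash_match": digest == KNOWN_SHA256,
        "size_in_band": abs(len(data) - SIZE_CENTER) <= SIZE_TOLERANCE,
        "timestamp": (datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
                      if ts is not None else None),
        "timestamp_match": ts == KNOWN_TIMESTAMP,
    }


def verdict(result: dict) -> str:
    """The hash is conclusive; size band plus the shared build timestamp is a strong hint."""
    if result["hash_match"]:
        return "match"
    if result["size_in_band"] and result["timestamp_match"]:
        return "likely variant"
    return "no match"


def build_sample_pe(timestamp: int, total_size: int) -> bytes:
    """Construct a minimal, non-executable PE-shaped blob for testing (not a real sample)."""
    e_lfanew = 0x80
    header = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    # Signature + 20-byte COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0)
    blob = bytes(header) + coff
    return blob + b"\0" * (total_size - len(blob))


if __name__ == "__main__":
    sample = build_sample_pe(KNOWN_TIMESTAMP, 120 * 1024)
    result = check_static(sample)
    print(result, "->", verdict(result))
```

The timestamp and size checks are deliberately scored below the hash: a build timestamp is trivially forged and the size band is wide, so on their own they justify a closer look (resource name, Run key, service name from the tables above), not a verdict.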
| Self-deletion after successful C2 contact | The executable may delete its own file and clear registry entries to reduce forensic footprint. |

5.3 SIEM / EDR Rules (Sample)

```
# Splunk query – look for new services named CesService
index=windows EventCode=7045 Service_Name=CesService
| stats count by host, _time, Service_Name, ImagePath
```

```
# Elastic query – detect unusual DNS TXT lookups
event.category:network AND dns.question.type:TXT AND dns.question.name:"payload.*.domain.tld"
```
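The two sample rules above, plus a check for writes to the Run key from section 3.2, as plain Python over constructed log events, so the logic can be read and unit-tested without a SIEM (added example, not the report's own code). Field names are an assumption about the collectors in use: Splunk's Windows System log fields for event 7045, Sysmon event 13 for registry value writes, and ECS for DNS. Every event below is constructed.

```python
"""Sections 3.2 / 5.3 detections over constructed log events (added example)."""
import fnmatch
from collections import Counter, defaultdict

# Indicators from sections 3.2 and 5.3 of the report.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CesService"
SERVICE_NAME = "CesService"
DNS_PATTERN = "payload.*.domain.tld"

SYSTEM_EVENTS = [  # constructed; Splunk Windows System log field names
    {"host": "ws-017", "_time": "2024-03-02T03:01:14Z", "EventCode": 7045,
     "Service_Name": "CesService",
     "ImagePath": r"C:\Users\j.doe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.dll"},
    {"host": "ws-017", "_time": "2024-03-02T03:01:15Z", "EventCode": 7036,  # state change, not install
     "Service_Name": "CesService", "ImagePath": ""},
    {"host": "ws-042", "_time": "2024-03-02T09:12:40Z", "EventCode": 7045,
     "Service_Name": "Dhcp",
     "ImagePath": r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted"},
]

REGISTRY_EVENTS = [  # constructed; Sysmon event 13 (registry value set), HKCU appears as HKU\<SID>
    {"host": "ws-017", "EventCode": 13,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\CesService",
     "Details": r"C:\Users\j.doe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.dll"},
    {"host": "ws-042", "EventCode": 13,
     "TargetObject": r"HKU\S-1-5-21-2222\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\a.roe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

DNS_EVENTS = [  # constructed; ECS-shaped documents
    {"host": "ws-017", "event": {"category": "network"},
     "dns": {"question": {"type": "TXT", "name": "payload.k3f9q.domain.tld"}}},
    {"host": "ws-017", "event": {"category": "network"},
     "dns": {"question": {"type": "A", "name": "payload.k3f9q.domain.tld"}}},
    {"host": "ws-042", "event": {"category": "network"},
     "dns": {"question": {"type": "TXT", "name": "_dmarc.example.com"}}},
]


def _run_key_suffix(path: str) -> str:
    """Drop the hive prefix (HKCU, or HKU\\<SID> as Sysmon writes it) so both spellings compare equal."""
    parts = path.split("\\")
    if parts and parts[0].upper() == "HKU" and len(parts) > 1:
        parts = parts[2:]
    elif parts and parts[0].upper() in ("HKCU", "HKEY_CURRENT_USER"):
        parts = parts[1:]
    return "\\".join(parts).lower()


def find_service_installs(events, service_name=SERVICE_NAME):
    """Splunk rule: EventCode 7045 with the given Service_Name, counted per host."""
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") == 7045 and ev.get("Service_Name") == service_name:
            counts[ev["host"]] += 1
    return counts


def find_run_key_writes(events, run_key=RUN_KEY):
    """Sysmon 13 writes whose target is the report's Run key; returns (host, value data)."""
    want = _run_key_suffix(run_key)
    return [(ev["host"], ev["Details"]) for ev in events
            if ev.get("EventCode") == 13 and _run_key_suffix(ev.get("TargetObject", "")) == want]


def find_dns_txt_lookups(events, pattern=DNS_PATTERN):
    """Elastic rule: network events with a TXT question whose name fits the glob pattern."""
    hits = []
    for ev in events:
        if ev.get("event", {}).get("category") != "network":
            continue
        q = ev.get("dns", {}).get("question", {})
        if q.get("type") == "TXT" and fnmatch.fnmatchcase(q.get("name", "").lower(), pattern):
            hits.append((ev["host"], q["name"]))
    return hits


def correlate(system_events, registry_events, dns_events):
    """Per host, the set of signals that fired; hosts with the most signals first."""
    signals = defaultdict(set)
    for host in find_service_installs(system_events):
        signals[host].add("service_install")
    for host, _ in find_run_key_writes(registry_events):
        signals[host].add("run_key")
    for host, _ in find_dns_txt_lookups(dns_events):
        signals[host].add("dns_txt")
    return sorted(signals.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    for host, fired in correlate(SYSTEM_EVENTS, REGISTRY_EVENTS, DNS_EVENTS):
        print(host, sorted(fired))
```

Two details worth carrying back into the real rules: fnmatch is used so that the `*` in payload.*.domain.tld acts as a wildcard, whereas in KQL a `*` inside a quoted value is matched literally, so the unquoted form dns.question.name:payload.*.domain.tld is the one that actually wildcards; and Sysmon records HKCU paths under HKU\<SID>, so a rule that matches the literal HKCU\... prefix from the table will miss the write.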
