Architecture
Engin edited this page May 20, 2020
The following diagrams show how things work in NorthStar C2 and how the NorthStar Stager interacts with C2.
The stager registration process consists of two phases:
First phase:
- NorthStar Stager sends a unique ID value to login.php with an HTTP POST request. This value is XORed with a hard-coded key and sent in base64 format.
- The C2 server decrypts this value and checks that the unique ID starts with "N", ends with "q" and is less than 20 characters long. If everything checks out, the value is registered in the C2 database.
- A second XOR key, which will be used for subsequent communications, is transferred from the NorthStar C2 server to the NorthStar Stager.
- NorthStar Stager receives and registers the XOR key.
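The first-phase body is recoverable by anyone holding the stager's static key, because XOR with a fixed key is symmetric and base64 is only an encoding. The script below, an added example that is not part of the NorthStar project, shows how an analyst would turn the acceptance rule above into a check over captured login.php POST bodies: strip base64, undo the XOR layer, and apply the "starts with N, ends with q, under 20 characters" test. The key value and the sample bodies are constructed placeholders; the real hard-coded key is in the stager binary and is not given on this page.

```python
import base64
from typing import List, Optional, Tuple

# Constructed placeholder: the real first-phase key is hard-coded in the
# stager binary and does not appear on the wiki page.
STAGE1_KEY = b"placeholder-xor-key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one routine both
    applies and removes the layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_body(body_b64: str, key: bytes) -> Optional[bytes]:
    """Strip the base64 layer, then the XOR layer.
    Returns None when the body is not valid base64."""
    try:
        raw = base64.b64decode(body_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return xor_bytes(raw, key)


def is_valid_stager_id(candidate: bytes) -> bool:
    """The acceptance rule the page gives for login.php:
    starts with 'N', ends with 'q', fewer than 20 characters."""
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.startswith("N") and text.endswith("q") and len(text) < 20


def classify_login_post(body_b64: str, key: bytes = STAGE1_KEY) -> str:
    """Verdict for one captured login.php POST body."""
    decoded = decode_body(body_b64, key)
    if decoded is None:
        return "not-base64"
    if is_valid_stager_id(decoded):
        return "northstar-id"
    return "other"


def encode_body(plain: bytes, key: bytes = STAGE1_KEY) -> str:
    """Apply XOR then base64; used here only to build the constructed samples."""
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")


# Constructed sample POST bodies (not real captures).
SAMPLES: List[Tuple[str, str]] = [
    ("well-formed id", encode_body(b"Nabc123q")),
    ("wrong prefix", encode_body(b"Xabc123q")),
    ("19 chars, accepted", encode_body(b"N" + b"a" * 17 + b"q")),
    ("20 chars, rejected", encode_body(b"N" + b"a" * 18 + b"q")),
    ("garbage", "not base64 at all!!"),
]


def scan(samples=SAMPLES, key: bytes = STAGE1_KEY) -> List[Tuple[str, str]]:
    """Classify every sample; returns (label, verdict) pairs."""
    return [(label, classify_login_post(body, key)) for label, body in samples]


if __name__ == "__main__":
    for label, verdict in scan():
        print(f"{label:20s} -> {verdict}")
```

The length boundary is worth noting: a 19-character ID passes and a 20-character one does not, matching the "less than 20" wording above, so a detection rule written as "at most 20" would over-match.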
Second phase:
- NorthStar Stager sends an HTTP POST request to /update.php. This request contains information about the victim machine, including hostname, username, user privileges and working directory. The data is encrypted with the XOR key received in the previous phase and sent in base64 format.
- The NorthStar C2 server decrypts the incoming data, checks the ID value, saves the information in the database and returns an "HTTP 200 OK" response to the NorthStar Stager.
- NorthStar Stager receives the response and registration is complete.
Command flow:
- The user issues a command to the NorthStar Stager from the C2 server by sending an HTTP POST request to /interact.php.
- The Stager receives the command from /smanage.php.
- The Stager sends the output of the command to /smanage.php.
- The command output is inserted into the database on the server side.
- The command output can be seen in interact.php.
- With each new command, the output of the previous command is deleted from the database.