I like to examine creative ways of doing things. Often I will look at a malware sample and enjoy how it accomplishes some of the nasty things it does. The latest example of this involves how a crypto-mining bot got its script running on a Postgres box. This was found in the Imperva blog post describing the exploit: https://www.imperva.com/blog/2018/03/deep-dive-database-attacks-scarlett-johanssons-picture-used-for-crypto-mining-on-postgre-database/
This leverages a command called dd and takes advantage of how images are rendered/checked on upload. It can also be thought of as "poor man's steganography." Let's say that we want to hide a shell script or a series of commands. We can hide it at the end of an image file. Image processors read a file top to bottom, so we can simply append what we want to the end of the file and then use dd to copy that bit of data off the end and into a separate file when we want to run it. Gibberish, you say? Let's take a look.

First I borrowed a gif from NPR, but I tossed it into my GitHub so I don't throw redirects at NPR; call it courtesy. I will use curl to pull that file down and write it out:
curl -L https://github.com/ridingintraffic/ridingintraffic.github.com/raw/master/dumpster-fire.gif -o dumpster-fire.gif
The direct link is here: https://github.com/ridingintraffic/ridingintraffic.github.com/raw/master/dumpster-fire.gif This renders a nice little animated gif, no big deal. The next step, in my terminal, is a simple shell script to print some text:
echo "echo \"hello $(whoami) welcome to the fire\"" >> script.sh; chmod +x script.sh; ./script.sh
That echoes a script directly into another file, sets that file executable, and then runs it. A super redundant way to run a command, but hang with me. The next step is to look at our gif and establish its original size. Here is the ls -l of the file the curl command downloaded:
$ ls -l dumpster-fire.gif
-rw-r--r--  1 myuser  staff  1690953 Mar 19 19:44 dumpster-fire.gif
The number 1690953 is the important bit for reassembling later. Now to combine parts one and two:
curl -L https://github.com/ridingintraffic/ridingintraffic.github.com/raw/master/dumpster-fire.gif -o dumpster-fire.gif; echo "echo \"hello $(whoami) welcome to the fire\"" >> dumpster-fire.gif
The following ls -l shows it is now a bigger file:
$ ls -l dumpster-fire.gif
-rw-r--r--  1 myuser  staff  1691010 Mar 19 19:44 dumpster-fire.gif
If we tail the gif we will see binary data followed by our appended text. Next, if we preview the gif it will still render and even animate, because browsers are dumb and read the file top to bottom and never encounter an error.
If we were to download that modified gif we could then extract the script from the end of the file and run it. This magic is done with dd and the offset we saved earlier:
dd skip=1690953 bs=1 if=dumpster-fire.gif of=temp.sh
If we combine that with the execute steps from before, we can get it to run right after extraction:
dd skip=1690953 bs=1 if=dumpster-fire.gif of=temp.sh; chmod +x temp.sh; ./temp.sh
And boom, now we have stashed a script at the end of an image file and can tear them apart and run whatever it contains. Let's hide it a little bit, so that if someone were to tail the image file it would at least not be in plain text. We can accomplish that simply with a base64 encode/decode. I am not going to go through everything again, but instead of writing the echoed script straight into the image, we will first pipe it through base64 on the file save, and then during the reassembly step we will run it back through the decoder to get the bash script:
curl -L https://github.com/ridingintraffic/ridingintraffic.github.com/raw/master/dumpster-fire.gif -o dumpster-fire.gif; echo "file downloaded, moving on to encoding"; echo "echo \"hello $(whoami) welcome to the fire\"" | base64 >> dumpster-fire.gif; echo "file encoded and appended, let's reassemble"; dd skip=1690953 bs=1 if=dumpster-fire.gif of=temp.sh; base64 --decode temp.sh > hello.sh; chmod +x hello.sh; ./hello.sh
Now the script is at least concealed a little bit, and can't be found with strings. We can take this one step further if we wanted to store an encrypted volume at the end of a file: use TrueCrypt to create a file container and cat that container onto the end of the image. Then, instead of launching a script, simply carve the encrypted container back out and load it in TrueCrypt. A nice way to stash something somewhere and transport it in the clear, where only you hold the keys to unlock that container. Sometimes criminals have creative ways to do things, and it doesn't hurt to understand how they do it. The more you know, and knowing is half the battle.
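As an added, defender-side example that is not part of the original post: the two ideas above are that a decoder reads the file top to bottom and stops at the end of the image, and that the trailing data is hard to spot once base64-encoded. The small Python scanner below parses the GIF block structure to find the offset where a conforming decoder stops (the 0x3B trailer), reports how many bytes sit after it, and runs a strings(1)-style printable scan over that tail. The 1x1 GIF and the appended script are constructed inline; no real image or download is needed. It shows two things the post leaves out: the appended data can be located without knowing the original ls -l size, and a base64-encoded payload is still printable ASCII, so a strings-style scan still surfaces the encoded blob.

```python
import base64
import re

GIF_HEADERS = (b"GIF87a", b"GIF89a")

# Constructed sample: a valid 43-byte 1x1 GIF89a with a global colour table,
# one graphic control extension, one image block and the 0x3B trailer.
CLEAN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80\x00\x00"   # header + logical screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                       # global colour table, 2 entries
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"               # graphic control extension
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"       # image descriptor
    + b"\x02" + b"\x02\x44\x01" + b"\x00"               # LZW min code size, one sub-block, terminator
    + b"\x3b"                                           # trailer: a decoder stops here
)

# Constructed payload with the same shape as the post's script.
SCRIPT = b'echo "hello $(whoami) welcome to the fire"\n'
B64_PAYLOAD = base64.b64encode(SCRIPT)
TAMPERED_RAW = CLEAN_GIF + SCRIPT        # plain-text append, as in the first walkthrough
TAMPERED_B64 = CLEAN_GIF + B64_PAYLOAD   # base64 append, as in the second walkthrough


def _colour_table_size(packed):
    """Byte length of a colour table described by a packed flags byte, 0 if the table is absent."""
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0


def _skip_sub_blocks(data, pos):
    """Advance past a chain of data sub-blocks (length byte then that many bytes) up to the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_logical_end(data):
    """Offset just past the 0x3B trailer, i.e. where a conforming GIF decoder stops reading."""
    if data[:6] not in GIF_HEADERS or len(data) < 13:
        raise ValueError("not a GIF")
    pos = 13 + _colour_table_size(data[10])
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:
            return pos + 1
        if block == 0x21:      # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:    # image descriptor, optional local colour table, LZW min code size, sub-blocks
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            pos = pos + 10 + _colour_table_size(data[pos + 9]) + 1
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError("unexpected block type 0x%02x at offset %d" % (block, pos))
    raise ValueError("no trailer found")


def trailing_payload(data):
    """Everything after the trailer: what dd skip=<offset> carves, found without the original size."""
    return data[gif_logical_end(data):]


def printable_runs(blob, min_len=8):
    """strings(1)-style scan: runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scan(data):
    """Summary a defender wants: decoder stop offset, file size, appended bytes and readable text in the tail."""
    end = gif_logical_end(data)
    extra = data[end:]
    return {
        "logical_end": end,
        "file_size": len(data),
        "trailing_bytes": len(extra),
        "readable_in_trailer": printable_runs(extra),
    }


def recover_script(data):
    """Counterpart of the post's base64 --decode step applied to whatever is appended."""
    return base64.b64decode(trailing_payload(data), validate=True)


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_GIF), ("raw", TAMPERED_RAW), ("base64", TAMPERED_B64)):
        print(name, scan(sample))
```

Run it as a script to see the three reports side by side. A size comparison against a known-good copy (the post's ls -l trick) only works when you have that copy; walking the block structure works on any GIF, and the same idea applies to other container formats that carry an explicit end marker or length.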