PackMyPayload - Emerging Threat of Containerized Malware

Overview

This tool takes a file or directory as input and embeds it into an output file acting as an archive/container. It can serve as a Proof-of-Concept presenting the emerging risk of container file formats with embedded malware, as well as a helper for professional Red Team Operators to sharpen their Initial Access maneuvers.

Currently, Threat Actors are known to smuggle their malware archived in various container file formats, to name a few:

  • 7zip
  • zip
  • ISO
  • IMG

They do that to get their payloads past file content scanners, but more importantly to avoid having the Mark-Of-The-Web flag on their files. There are various motives why adversaries don't want MOTW on their files: Protected View in Microsoft Office was always among them.

Should they deliver a container file to their victims, a foundation for disabling VBA macros in Internet-originated Office documents might be bypassed.

Background

On Feb 7th, Microsoft announced a default configuration change to block VBA macros originating from the Internet. This is an incredible step towards hardening the baseline configuration of a user's workstation and the client software installed on it. Arguably overdue, yet an important step that dramatically affects typical Windows+Office installations in a positive way.

The implemented behavior works by differentiating macro-enabled Office documents based on the MOTW (Mark of the Web) flag. That flag acts as a taint label available to software clients (browsers, mail clients, file archivers, etc.) to mark files originating from untrusted areas like the Internet.

Outflank shed more light on MOTW back in 2020 by indicating areas where the MOTW flag is not uniformly propagated. These areas serve as a defense gap and have been commonly abused by threat actors for years now.

Their research disclosed that some container file formats, namely ISO and VHD/VHDX, do not propagate the MOTW taint flag onto inner files upon auto-mount or auto-extraction. Moreover, Windows 8+ is able to open these formats automatically upon double-click, making them notorious infection carriers and possibly devaluing MOTW in its security measure role.

Demo - How Threat Actors Evade MOTW and Smuggle Macros

Let's show what the Mark of the Web flag looks like in practice:

1. Download a regular file using your Browser


After downloading a file, right click on it and review its properties.

You'll see a message prompting you to Unblock the file, because it originates from an untrusted zone:

[Screenshot: motw]

That information is stored in an NTFS ADS (Alternate Data Stream) named Zone.Identifier, which looks as follows:

[Screenshot: zone-identifier]

The ZoneId=3 entry is what marks the file as tainted.

2. Pack that file into ISO

Using PackMyPayload.py, place the file into a Joliet ISO image with a single command:

PS> py PackMyPayload.py 7z2107-x64.exe 7z2107-x64.iso


3. Serve the file with Simple HTTP Server, download, open ISO, review MOTW

Having created the ISO file, serve it over HTTP using Python:

PS> py -m http.server 80

and then download the ISO file using your Browser.


When you review the Properties of that ISO file, you'll see it is marked with the MOTW flag.

[Screenshot: marked]

However, the inner 7zip installer EXE file is not MOTW-marked!

[Screenshot: not-marked]
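The Properties check above can be automated. The following script is an added example, not part of PackMyPayload: it walks a directory (for instance the drive letter Windows assigned to the mounted ISO), reads each file's Zone.Identifier stream and lists the files that carry no Internet-zone mark. The `file:Zone.Identifier` stream syntax resolves only on Windows/NTFS; the parsing itself runs anywhere.

```python
"""Audit a directory (e.g. a mounted ISO) for Mark-of-the-Web Zone.Identifier streams."""
import configparser
import os
import sys
from dataclasses import dataclass
from typing import Optional

# URL security zone ids as written into Zone.Identifier by browsers and mail clients.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


@dataclass
class Motw:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def untrusted(self) -> bool:
        # Internet (3) and Restricted (4) zones are what Protected View and the
        # macro block key off; lower zones are treated as trusted.
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[Motw]:
    """Parse the INI-like stream contents ([ZoneTransfer] ZoneId=...), None if malformed."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text.replace("\r\n", "\n"))
        section = parser["ZoneTransfer"]
        zone_id = int(section["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    return Motw(zone_id, section.get("ReferrerUrl"), section.get("HostUrl"))


def read_motw(path: str) -> Optional[Motw]:
    """Read a file's Zone.Identifier ADS; the 'file:stream' syntax resolves only on Windows/NTFS."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None  # no such stream: the file carries no MOTW at all


def audit_directory(root: str) -> dict:
    """Map each file under root (relative path) to its Motw, or None when unmarked."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            report[os.path.relpath(full, root)] = read_motw(full)
    return report


def unmarked_files(report: dict) -> list:
    """Files with no Internet-zone mark: exactly the ones MOTW-based protections will not cover."""
    return sorted(p for p, motw in report.items() if motw is None or not motw.untrusted)


if __name__ == "__main__":
    # Usage: python motw_audit.py <directory>   e.g. the drive letter assigned to the mounted ISO
    results = audit_directory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, motw in sorted(results.items()):
        label = f"ZoneId={motw.zone_id} ({ZONE_NAMES.get(motw.zone_id, '?')})" if motw else "no MOTW"
        print(f"{path}: {label}")
    print(f"{len(unmarked_files(results))} of {len(results)} files lack an Internet-zone mark")
```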


Rationale

Taking the occasion that the industry's eyes are turned on Microsoft's brave decision to block VBA Macros, we, professional Security Researchers who take the utmost care to increase the resilience of the world's technologies against their misuse, want to add the following insight into current Threat Actor TTPs:

Threat Actors are well aware of the impact MOTW has on their phishing payloads. They adapted a long time ago and are now smuggling their malicious programs inside containers. Among the most commonly observed ones we can highlight ISO, IMG and CAB.

I am now releasing this tool to increase the momentum built on Microsoft's stand and to help intensify discussions on these evasion avenues.

It is advised to contain (and/or block) files with the above listed extensions whenever they originate from untrusted zones, wherever applicable:

  • Web Proxies
  • Mail Scanning engines
  • Endpoint protection agents - EDRs, XDRs, AVs
  • File upload forms & functionalities

The released tool will hopefully enable more Red Teams to simulate the discussed risks and help them identify detection gaps within their partners' defenses more easily.


Features

This script offers the following treats & goodies:

  • Packages input file or directory into output container
  • Can backdoor existing containers or create new ones.
  • Provides password encryption for supported formats

Formats supported:

Format | Strips MOTW? | Off the shelf Windows support? | Elevation required? | Remarks
-------|--------------|--------------------------------|---------------------|--------
Zip    | No           | Yes                            | No                  |
7zip   | Partially    | No                             | No                  | MOTW stripped only on manual file extraction
ISO    | Yes          | Yes                            | No                  |
IMG    | Yes          | Yes                            | No                  |
PDF    | ?            | Yes                            | No                  | Depends on JavaScript support in the PDF reader
CAB    | No           | Yes                            | No                  | Requires a few additional clicks on the victim side
VHD    | Yes          | Yes                            | Yes                 | This script currently can't make directories
VHDX   | Yes          | Yes                            | Yes                 | This script currently can't make directories
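The table translates into a simple gateway-side triage rule. The following Python code is an added example, not part of the tool: it identifies the real container format from content rather than extension (the magic-byte offsets are standard format facts), flags renamed containers and container files nested inside a ZIP, and blocks whatever strips MOTW. The sample inputs it builds are constructed.

```python
"""Gateway-side triage of container attachments, applying the format table above."""
import io
import zipfile
from typing import Optional

# Which formats drop the Mark-of-the-Web on open/extract, as listed in the table.
STRIPS_MOTW = {"iso": "yes", "img": "yes", "vhd": "yes", "vhdx": "yes",
               "7z": "partially", "zip": "no", "cab": "no", "pdf": "unknown"}

# Well-known signatures as (offset, bytes, format). ISO 9660 keeps its primary
# volume descriptor at sector 16 (one type byte, then "CD001"); VHDX starts with
# "vhdxfile"; a dynamic VHD mirrors its "conectix" footer at offset 0.
MAGIC = [
    (0, b"PK\x03\x04", "zip"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"MSCF", "cab"),
    (0, b"%PDF", "pdf"),
    (0, b"vhdxfile", "vhdx"),
    (0, b"conectix", "vhd"),
    (0x8001, b"CD001", "iso"),
]


def sniff_format(data: bytes) -> Optional[str]:
    """Identify the container format from content, ignoring whatever the name claims."""
    for offset, signature, fmt in MAGIC:
        if data[offset:offset + len(signature)] == signature:
            return fmt
    # A fixed-size VHD carries its footer only in the last 512 bytes.
    if len(data) >= 512 and data[-512:-504] == b"conectix":
        return "vhd"
    return None


def extension(name: str) -> str:
    """Lower-cased extension without the dot, '' when there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def nested_containers(zip_bytes: bytes) -> list:
    """Members of a ZIP whose own extension is a container format (e.g. an ISO inside a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            return [m for m in archive.namelist() if extension(m) in STRIPS_MOTW]
    except zipfile.BadZipFile:
        return []


def assess(name: str, data: bytes) -> dict:
    """Triage one file: real format, renamed containers, and containers nested in a ZIP."""
    ext, fmt = extension(name), sniff_format(data)
    findings = []
    if fmt is not None:
        findings.append(f"container {fmt} (strips MOTW: {STRIPS_MOTW[fmt]})")
        # .img files are normally ISO 9660 inside, so that pairing is not a mismatch.
        if ext != fmt and not (fmt == "iso" and ext == "img"):
            findings.append(f"extension .{ext or '<none>'} does not match content {fmt}")
        if fmt == "zip":
            findings.extend(f"nested container {m}" for m in nested_containers(data))
    # Block formats that strip MOTW (even partially), plus anything renamed or nesting a container.
    block = STRIPS_MOTW.get(fmt) in ("yes", "partially") or len(findings) > 1
    return {"name": name, "format": fmt, "findings": findings, "block": block}


def build_sample_zip(members: dict) -> bytes:
    """Construct an in-memory ZIP from {name: bytes}; only used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member, content in members.items():
            archive.writestr(member, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a minimal ISO 9660 header and a ZIP carrying an .iso member.
    iso = bytes(0x8001) + b"CD001" + bytes(64)
    hidden = build_sample_zip({"docs/report.iso": b"not a real iso", "readme.txt": b"ok"})
    for name, data in [("invoice.iso", iso), ("report.zip", hidden), ("notes.txt", b"hi")]:
        print(assess(name, data))
```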

Installation

  • Clone this repository
  • Install requirements:
cmd> pip3 install -r requirements.txt

Sample use

  1. Pack a directory with files into ISO:
PS> py PackMyPayload.py C:\my\dir malicious.iso -v

+      o     +              o   +      o     +              o
    +             o     +           +             o     +         +
    o  +           +        +           o  +           +          o
-_-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-_-_-_-_-_-_-_,------,      o
   :: PACK MY PAYLOAD (1.0.0)       -_-_-_-_-_-_-|   /\_/\
   for all your container cravings   -_-_-_-_-_-~|__( ^ .^)  +    +
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-''  ''
+      o         o   +       o       +      o         o   +       o
+      o            +      o    ~   Mariusz Banach / mgeeky    o
o      ~     +           ~          
   
    
    o           +                         o           +           +

[.] Packaging input file to output .iso (iso)...
Burning files onto ISO:
    Adding file: //malicious.lnk
    Adding file: //malicious.docm
[INFO] [+] File packaged into ISO.
[INFO] Successfully packed input file.

[+] Generated file written to (size: 69632): malicious.iso

   
  2. To pack files into VHD/VHDX, one must run this script on Windows from an elevated user context (e.g. Local Administrator). This is because DISKPART requires Admin access to the physical device objects/namespace. The best experience is obtained by running the script in Windows Terminal (wt) or ConEmu, as they support ANSI colors. Otherwise, should the output look bad, disable those colors with the -N flag:
PS> py PackMyPayload.py .\evil.lnk .\evil.vhd -v -N

+      o     +              o   +      o     +              o
    +             o     +           +             o     +         +
    o  +           +        +           o  +           +          o
-_-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-_-_-_-_-_-_-_,------,      o
   :: PACK MY PAYLOAD (1.0.0)       -_-_-_-_-_-_-|   /\_/\
   for all your container cravings   -_-_-_-_-_-~|__( ^ .^)  +    +
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-''  ''
+      o         o   +       o       +      o         o   +       o
+      o            +      o    ~   Mariusz Banach / mgeeky    o
o      ~     +           ~          
   
    
    o           +                         o           +           +

[.] Packaging input file to output .vhd (vhd)...
[INFO] Drive letters currently occupied:
    X
    C
    Z
    D
[INFO] Will create VHD of size:    1024MB (Dynamic)
[INFO] Will assign VHD letter :    V:
[INFO] Will format VHD with   :    FAT32
[INFO] Creating VHD file...
[+] Created & mounted VHD file on V:\
[.] Packing files into created VHD...
[INFO] Packaged file:
[INFO]     evil.lnk => V:\
[.] Detaching VHD file...
[+] Detached VHD file from V:\
[INFO] [+] File packaged into VHD.
[INFO] Successfully packed input file.

[+] Generated file written to (size: 6311936): evil.vhd

   

Full usage

+      o     +              o   +      o     +              o
    +             o     +           +             o     +         +
    o  +           +        +           o  +           +          o
-_-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-_-_-_-_-_-_-_,------,      o
   :: PACK MY PAYLOAD (1.0.0)       -_-_-_-_-_-_-|   /\_/\
   for all your container cravings   -_-_-_-_-_-~|__( ^ .^)  +    +
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-''  ''
+      o         o   +       o       +      o         o   +       o
+      o            +      o    ~   Mariusz Banach / mgeeky    o
o      ~     +           ~          
   
    
    o           +                         o           +           +

Usage: ./package.py [options] 

options:
  -h, --help            show this help message and exit

Required arguments:
  infile                Input file/directory to be packaged into output archive/container
  outfile               Output file with extension pointing at output format

Options:
  -v, --verbose         Verbose mode.
  -d, --debug           Debug mode.
  -N, --nocolor         Dont use colors in text output.
  -i BACKDOOR, --backdoor BACKDOOR
                        Instead of generating blank new output container/archive, will backdoor existing input one.
  -n NAME, --filename NAME
                        Package input file into archive/container under this filename (may contain relative path).
  -p PASSWORD, --password PASSWORD
                        If output archive/container format supports password protection, use this password to protect output file.
  --out-format {zip,7z,iso,img,cab,pdf,vhd,vhdx}
                        Explicitely define output format disregarding output file's extension. Can be one of following: zip, 7z, iso, img, cab, pdf, vhd,
                        vhdx

VHD specific options:
  --vhd-size SIZE       VHD dynamic size in MB. Default: 1024
  --vhd-letter LETTER   Drive letter where to mount VHD drive. Default: will pick unused one at random.
  --vhd-filesystem FS   Filesystem to be used while formatting VHD. Default: FAT32. Supported: fat, fat32, ntfs

=====================================================

Supported container/archive formats:

        - zip
        - 7z
        - iso
        - img
        - cab
        - pdf
        - vhd
        - vhdx

=====================================================


Known Issues

  • Can't create directories while copying files onto VHD/VHDX mounted volumes.

TODO

  • Add support for MSI files

  • Consider adding support for other exotic archive formats (not really coping with MOTW or supported off the shelf by Windows):

    • tar
    • cpio
    • pax
    • xar
    • ar
    • mtree
    • shar
    • cpgz
    • uu
    • lha
  • WinZip Pro also supports extraction of following formats - maybe worth adding them too:

    • B64, BHX, BZ, BZ2, GZ, HQX, LHA, LZH, MIM, TAZ, TBZ,
    • TBZ2, TGZ, TXZ, TZ, UU, UUE, VMDK, XXE, XZ, Z, ZIPX,

Trivia

I kindly ask you to read the following line out loud and as fast as you can in front of a mirror:

py Pack My Payload dot py

Some say the spell summons ancient DAEMON and Sheeps ( ͡~ ͜ʖ ͡°)


Show Support

This and other projects are the outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, consider buying me a coffee (or better a beer) just to say thank you! 💪


Mariusz Banach / mgeeky, (@mariuszbit)

Comments
  • The command to inject payload into a existing ISO file.

    Can you please show me an example of the command to inject a payload into an existing ISO file instead of creating a new file. I have tried multiple ways but none of them work.

    opened by hackercoolmagz 4
  • Add hide flag for creating ISO payload

    First of all, thank you for the tool! Found it through your Warcon22 presentation which was also excellent.

    I'm also aware this implementation is not the best, so feel free to reject the PR and implement it your way.

    Problem

    Currently, PMP doesn't support hidden attributes in files when creating an ISO payload.

    PS C:\pmptest> echo "a" > a
    PS C:\pmptest> echo "b" > b
    PS C:\pmptest> attrib.exe +h a
    
    PS C:\dev\PackMyPayload> python .\PackMyPayload.py C:\pmptest\ C:\pmptest\out.iso --out-format iso
    

    After mounting out.iso, we find that both a and b are shown and the h hidden attribute is not there. This indicates that the hidden attribute we had on a was not applied.

    PS C:\pmptest> cd g:\
    PS G:\> ls
    
    
        Directory: G:\
    
    
    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    --r---         7/13/2022  10:37 PM              8 a
    --r---         7/13/2022  10:37 PM              8 b
    

    ================================================

    Solution(?)

    I couldn't find a way to add files through PyCdlib that will keep the file attribute. Instead, I found that there's a set_hidden function that will hide specific files inside the ISO.

    With the --hide flag, we can now set the hidden attribute in the files within the ISO payload.

    PS C:\pmptest> echo "a" > a
    PS C:\pmptest> echo "b" > b
    PS C:\dev\PackMyPayload> python .\PackMyPayload.py C:\pmptest\ C:\pmptest\out.iso --out-format iso --hide a
    PS C:\dev\PackMyPayload> Mount-DiskImage C:\pmptest\out.iso
    
    PS e:\> ls
    
        Directory: e:\
    
    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    --r---         7/13/2022  10:59 PM              8 b
    
    PS e:\> ls -Force
    
        Directory: e:\
    
    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    --rh--         7/13/2022  10:59 PM              8 a
    --r---         7/13/2022  10:59 PM              8 b
    

    The same goes for the --backdoor flag.

    PS C:\pmptest> echo "c" > c
    PS C:\dev\PackMyPayload> python .\PackMyPayload.py C:\pmptest\c C:\pmptest\out-backdoor.iso -i C:\pmptest\out.iso --hide a,c
    PS C:\dev\PackMyPayload> Mount-DiskImage C:\pmptest\out-backdoor.iso
    
    PS G:\> ls
    
        Directory: G:\
    
    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    --r---         7/13/2022  11:04 PM              8 b
    
    
    PS G:\> ls -Force
    
        Directory: G:\
    
    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    --rh--         7/13/2022  11:04 PM              8 a
    --r---         7/13/2022  11:04 PM              8 b
    --rh--         7/13/2022  11:04 PM              8 c
    
    opened by ChoiSG 2
  • Fix error when no files are hidden

    When no files are hidden and the output format is iso, the tool exits with an error:

    [ERROR] Could not package input file into ISO! Exception: 'Packager' object has no attribute 'hide'
    Traceback (most recent call last):
      File "/home/daniel/tools/PackMyPayload/PackMyPayload.py", line 130, in <module>
        main(sys.argv)
      File "/home/daniel/tools/PackMyPayload/PackMyPayload.py", line 122, in main
        if not packager.package(args.infile, args.outfile, outputFormat):
      File "/home/daniel/tools/PackMyPayload/lib/packager.py", line 255, in package
        output = self.packIntoISO(infile, outfile)
      File "/home/daniel/tools/PackMyPayload/lib/packager.py", line 917, in packIntoISO
        if self.hide != '': 
    AttributeError: 'Packager' object has no attribute 'hide'
    

    This is the case, because self.hide is never set to a default when not used in the cli parameters. This PR fixes the error by setting the default self.hide to an empty string.

    opened by dhauenstein 1
  • [bug] Get rid of wmic in obtaining assigned volume letters for VHD. It's not present on Win11

    This piece is to be reworked:

    https://github.com/mgeeky/PackMyPayload/blob/master/lib/packager.py#L455

                out = Packager.shell('wmic LOGICALDISK LIST BRIEF /format:csv')
    

    Leaving as a note to myself.

    bug 
    opened by mgeeky 0
Owner
Mariusz Banach
Offensive Sencha Consultant