dEEpEst
A PoC that packages payloads into output containers to evade the Mark-of-the-Web flag and demonstrate the risks associated with container file formats. Supports: ZIP, 7zip, PDF, ISO, IMG, CAB, VHD, VHDX
PackMyPayload - Emerging Threat of Containerized Malware
This tool takes a file or directory as input and embeds it into an output file that acts as an archive/container. It can serve as a Proof-of-Concept demonstrating the emerging risk of container file formats carrying embedded malware, and as a helper for professional Red Team Operators to sharpen their Initial Access tradecraft.
Threat actors currently smuggle their malicious payloads inside various container file formats, such as:
7zip
zip
ISO
IMG
CAB
They do this to get their payloads past file content scanners, but more importantly to keep the Mark-of-the-Web flag off the files inside. The Zone.Identifier stream lands on the downloaded container itself; whether it propagates to the extracted or mounted contents depends on the format and on the extractor.
When the victim receives a container rather than a bare document, the default that blocks VBA macros in Internet-originated Office documents can therefore be sidestepped. Caveat: recent Windows and archiver updates have started propagating the flag into extracted files, so the outcome varies with the target's patch level and extraction tool and should be verified on a representative build.
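The following check is an added example and not part of PackMyPayload or the forum post: it packs a constructed sample file into a ZIP, stamps the container as Internet-originated, extracts it with PowerShell's own cmdlet, and reports whether the Zone.Identifier stream survived on the inner file. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the directory and file names are arbitrary.

```powershell
# Added example, not part of PackMyPayload: does Mark-of-the-Web survive container extraction on this host?
# Assumes Windows PowerShell 5.1+ on an NTFS volume; paths and file names are constructed for the demo.
$work = Join-Path $env:TEMP 'motw-check'
New-Item -ItemType Directory -Force -Path $work | Out-Null

function Test-Motw {
    param([string]$Path)
    # MOTW is the Zone.Identifier alternate data stream; no stream means no flag.
    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    return [bool]$stream
}

# Constructed payload stand-in; a real test would use a .docm or .lnk.
$inner = Join-Path $work 'sample.txt'
Set-Content -Path $inner -Value 'harmless sample'

# Pack it, then stamp the container as Internet-originated (ZoneId=3), as a browser download would.
$zip = Join-Path $work 'sample.zip'
Compress-Archive -Path $inner -DestinationPath $zip -Force
Set-Content -Path $zip -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# Extract with the cmdlet under test and inspect the inner file.
$out = Join-Path $work 'extracted'
Expand-Archive -Path $zip -DestinationPath $out -Force
$extracted = Join-Path $out 'sample.txt'

[pscustomobject]@{
    Container        = $zip
    ContainerHasMotw = Test-Motw $zip
    Extracted        = $extracted
    ExtractedHasMotw = Test-Motw $extracted
} | Format-List
```

Run it once, then repeat the extraction step with Explorer's "Extract All", with 7-Zip, and for ISO/IMG/VHD by mounting the image with Mount-DiskImage and copying a file off the volume: each extractor decides independently whether to carry the flag. An inner file that comes out with ExtractedHasMotw False is one Office will open with macros governed only by local policy, not by the Internet-origin block.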
Code:
PS> py PackMyPayload.py C:\my\dir malicious.iso -v
+ o + o + o + o
+ o + + o + +
o + + + o + + o
-_-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-_-_-_-_-_-_-_,------, o
:: PACK MY PAYLOAD (1.0.0) -_-_-_-_-_-_-| /\_/\
for all your container cravings -_-_-_-_-_-~|__( ^ .^) + +
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-'' ''
+ o o + o + o o + o
+ o + o ~ Mariusz Banach / mgeeky o
o ~ + ~ <mb [at] binary-offensive.com>
o + o + +
[.] Packaging input file to output .iso (iso)...
Burning files onto ISO:
Adding file: //malicious.lnk
Adding file: //malicious.docm
[INFO] [+] File packaged into ISO.
[INFO] Successfully packed input file.
[+] Generated file written to (size: 69632): malicious.iso