PackMyPayload - Emerging Threat of Containerized Malware

Overview

PackMyPayload - Emerging Threat of Containerized Malware

This tool takes a file or directory on input and embeds them into an output file acting as an archive/container. It can serve purpose for a Proof-of-Concept presenting emerging risk of container file formats with embedded malware, as well as helper for professional Red Team Operators to sharpen their Initial Access maneuvers.

Currently Threat Actors are known to smuggle their malware archived in various container file formats, to name a few:

  • 7zip
  • zip
  • ISO
  • IMG

They do that to get their payloads pass file content scanners, but more importantly to avoid having Mark-Of-The-Web flag on their files. There're various motives on why adversaries don't want MOTW on their files: Protected View in Microsoft Office was always among them.

Should they provide container file to their victims, a foundation for disabling VBA macros in Internet-originated Office documents might be bypassed.

Background

On Feb, 7th Microsoft announced default configuration change to block VBA macros originating from Internet. This is an incredible step towards hardening the baseline configuration of User's workstation and the client software installed within. Arguably overdue, yet an important step dramatically affecting in a positive way typical Windows+Office installation setups.

The implemented behavior is explained to work by differentating macro-enabled Office documents based on the MOTW (Mark of the Web) flag. That flag acts as a tainted label available for software clients (browsers, mail clients, file archivers, etc) to mark files originating from untrusted areas like The Internet.

Outflank shed more light on MOTW, back in 2020 by indicating areas where MOTW flag is not uniformly propagated. These areas serve defense gap role and are commonly abused by threat actors since years by now.

Their research disclosed, that some container file formats - namely ISO, VHD/VHDX - do not propagate MOTW taint flag onto inner files upon auto-mount or auto-extraction. Moreover, Windows 8+ is able to open these formats automatically upon double-click, making them notorius infection carriers, possibly devaluing MOTW in its security measure role.

Demo - How Threat Actors Evade MOTW and Smuggle Macros

Lets present how Mark of the Web flag looks like in practice:

1. Download a regular file using your Browser

1.gif

After downloading a file, right click on it and review its properties.

You'll see a message prompting to Unblock the file, because it originates from an untrusted zone.:

motw

That information is stored in NTFS ADS (Alternate Data Stream) named Zone.Identifier which looks as follows:

zone-identifier

The ZoneId=3 plays the role of marking file tainted.

2. Pack that file into ISO

Using PackMyPayload.py emplace the file into an ISO Joliet disk easily with a command:

PS> py PackMyPayload.py 7z2107-x64.exe 7z2107-x64.iso

2.gif

3. Serve the file with Simple HTTP Server, download, open ISO, review MOTW

Having created ISO file, mimic a HTTP server using Python:

PS> py -m http.server 80

and then download the ISO file using your Browser.

3.gif

When you review Properties of that ISO file, you'll see its marked with MOTW flag.

marked

However, the inner 7zip installer EXE file is not MOTW-marked!

not-marked


Rationale

Using the occassion that Industry's eyes are turned on Microsoft's brave decision to block VBA Macros, we, professional Security Researchers taking the utmost consideration on increasing World's technologies resielience against their misuse, want to add following insight into current Threat Actor TTPs:

Threat Actors are well aware of the impact MOTW has on their phishing payloads. They've adapted long time ago and are now smuggling their malicious programs inside of containers. Among the most commonly observed ones we can highlight are ISO, IMG, CAB.

I am now releasing this tool to increase the momentum built on Microsoft's stand and to help intensify discussions on these evasion avenues.

It is advised to contain (and/or block) files having above listed extensions whenever they originate from untrusted zones & wherever applicable:

  • Web Proxies
  • Mail Scanning engines
  • Endpoint protection agents - EDRs, XDRs, AVs
  • File upload forms & functionalities

The tool released will hopefully enable more Red Teams to simulate discussed risks and help them identify detection gaps within their Partners defenses more easily.


Features

This script offers following treats & goodies:

  • Packages input file or directory into output container
  • Can backdoor existing containers or create new ones.
  • Provides password encryption for supported formats

Formats supported:

Format Strips MOTW? Off the shelf Windows support? Elevation required? Remarks
Zip No Yes No
7zip Partially No No MOTW stripped only on manual files extraction
ISO Yes Yes No
IMG Yes Yes No
PDF ? Yes No Depends on Javascript support in PDF reader
CAB No Yes No Requires few additional clicks on victim-side
VHD Yes Yes Yes This script currently can't make directories
VHDX Yes Yes Yes This script currently can't make directories

Installation

  • Clone this repository
  • Install requirements:
cmd> pip3 install -r requirements.txt

Sample use

  1. Pack a directory with files into ISO:
PS> py PackMyPayload.py C:\my\dir malicious.iso -v

+      o     +              o   +      o     +              o
    +             o     +           +             o     +         +
    o  +           +        +           o  +           +          o
-_-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-_-_-_-_-_-_-_,------,      o
   :: PACK MY PAYLOAD (1.0.0)       -_-_-_-_-_-_-|   /\_/\
   for all your container cravings   -_-_-_-_-_-~|__( ^ .^)  +    +
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-''  ''
+      o         o   +       o       +      o         o   +       o
+      o            +      o    ~   Mariusz Banach / mgeeky    o
o      ~     +           ~          
   
    
    o           +                         o           +           +

[.] Packaging input file to output .iso (iso)...
Burning files onto ISO:
    Adding file: //malicious.lnk
    Adding file: //malicious.docm
[INFO] [+] File packaged into ISO.
[INFO] Successfully packed input file.

[+] Generated file written to (size: 69632): malicious.iso

   
  1. To pack files into VHD/VHDX one must run this script on Windows from an elevated user context (e.g. Local Administrator). This is due to DISKPART requiring Admin access to physical devices objects/namespace. Best experience one gets by running the script on Windows Terminal (wt) or ConEmu as they support ANSI colors. Otherwise, should an output look bad, disable those colors with -N flag:
PS> py PackMyPayload.py .\evil.lnk .\evil.vhd -v -N

+      o     +              o   +      o     +              o
    +             o     +           +             o     +         +
    o  +           +        +           o  +           +          o
-_-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-_-_-_-_-_-_-_,------,      o
   :: PACK MY PAYLOAD (1.0.0)       -_-_-_-_-_-_-|   /\_/\
   for all your container cravings   -_-_-_-_-_-~|__( ^ .^)  +    +
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-''  ''
+      o         o   +       o       +      o         o   +       o
+      o            +      o    ~   Mariusz Banach / mgeeky    o
o      ~     +           ~          
   
    
    o           +                         o           +           +

[.] Packaging input file to output .vhd (vhd)...
[INFO] Drive letters currently occupied:
    X
    C
    Z
    D
[INFO] Will create VHD of size:    1024MB (Dynamic)
[INFO] Will assign VHD letter :    V:
[INFO] Will format VHD with   :    FAT32
[INFO] Creating VHD file...
[+] Created & mounted VHD file on V:\
[.] Packing files into created VHD...
[INFO] Packaged file:
[INFO]     evil.lnk => V:\
[.] Detaching VHD file...
[+] Detached VHD file from V:\
[INFO] [+] File packaged into VHD.
[INFO] Successfully packed input file.

[+] Generated file written to (size: 6311936): evil.vhd

   

Full usage

+      o     +              o   +      o     +              o
    +             o     +           +             o     +         +
    o  +           +        +           o  +           +          o
-_-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-_-_-_-_-_-_-_,------,      o
   :: PACK MY PAYLOAD (1.0.0)       -_-_-_-_-_-_-|   /\_/\
   for all your container cravings   -_-_-_-_-_-~|__( ^ .^)  +    +
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-''  ''
+      o         o   +       o       +      o         o   +       o
+      o            +      o    ~   Mariusz Banach / mgeeky    o
o      ~     +           ~          
   
    
    o           +                         o           +           +

Usage: ./package.py [options] 
     
     
      

options:
  -h, --help            show this help message and exit

Required arguments:
  infile                Input file/directory to be packaged into output archive/container
  outfile               Output file with extension pointing at output format

Options:
  -v, --verbose         Verbose mode.
  -d, --debug           Debug mode.
  -N, --nocolor         Dont use colors in text output.
  -i BACKDOOR, --backdoor BACKDOOR
                        Instead of generating blank new output container/archive, will backdoor existing input one.
  -n NAME, --filename NAME
                        Package input file into archive/container under this filename (may contain relative path).
  -p PASSWORD, --password PASSWORD
                        If output archive/container format supports password protection, use this password to protect output file.
  --out-format {zip,7z,iso,img,cab,pdf,vhd,vhdx}
                        Explicitely define output format disregarding output file's extension. Can be one of following: zip, 7z, iso, img, cab, pdf, vhd,
                        vhdx

VHD specific options:
  --vhd-size SIZE       VHD dynamic size in MB. Default: 1024
  --vhd-letter LETTER   Drive letter where to mount VHD drive. Default: will pick unused one at random.
  --vhd-filesystem FS   Filesystem to be used while formatting VHD. Default: FAT32. Supported: fat, fat32, ntfs

=====================================================

Supported container/archive formats:

        - zip
        - 7z
        - iso
        - img
        - cab
        - pdf
        - vhd
        - vhdx

=====================================================

     
    
   

Known Issues

  • Can't create directories while copying files onto VHD/VHDX mounted volumes.

TODO

  • Add support for MSI files

  • Consider adding support to other egzotic archive formats (not really coping with MOTW or supported off the shelve by Windows):

    • tar
    • cpio
    • pax
    • xar
    • ar
    • mtree
    • shar
    • tar
    • cpgz
    • uu
    • lha
  • WinZip Pro also supports extraction of following formats - maybe worth adding them too:

    • B64, BHX, BZ, BZ2, GZ, HQX, LHA, LZH, MIM, TAZ, TBZ,
    • TBZ2, TGZ, TXZ, TZ, UU, UUE, VMDK, XXE, XZ, Z, ZIPX,

Trivia

I kindly ask you to read following line out loud and as fast as you can in front of a mirror:

py Pack My Payload dot py

Some say the spell summons ancient DAEMON and Sheeps ( ͡~ ͜ʖ ͡°)


Show Support

This and other projects are outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, Consider buying me a coffee (or better a beer) just to say thank you! 💪


Mariusz Banach / mgeeky, (@mariuszbit)

   

   
Owner
Mariusz Banach
Offensive Sencha Consultant
Mariusz Banach
A MassDM selfbot which is working in 2021

mass-dm-discord - Little preview of the Logger and the Spammer Features Logging User IDS Sending DMs to the logged IDs Blacklist IDs (add the ID of th

karma.meme 88 Dec 26, 2022
Portal Backend for Yuta management

Portal Backend for Yuta management Prerequisites Python 3.10 or above. pip, pdm installed. Quickstart Install the required packages: pdm install Runn

Loc Mai 1 Dec 20, 2021
🕵️‍♂️ Investigate Google Accounts with emails.

Description GHunt is an OSINT tool to extract information from any Google Account using an email. It can currently extract: Owner's name Last time the

mxrch 13.1k Jan 01, 2023
Shedding a new skin on Dis-Snek's commands.

Molter - WIP Shedding a new skin on Dis-Snek's commands. Currently, its goals are to make message commands more similar to discord.py's message comman

Astrea 7 May 01, 2022
this synchronizes my appearances with my calendar

Josh's Schedule Synchronizer Here's the "problem:" I use a spreadsheet to maintain all my public appearances. I check the spreadsheet as often as poss

Josh Long 2 Oct 18, 2021
A link shortner telegram bot version 2 with advanced features

URL-Shortner-Bot-V2 A link shortner telegram bot version 2 with advanced features Made with Python3 (C) @FayasNoushad Copyright permission under MIT L

Fayas Noushad 18 Dec 29, 2022
This is a Innexia Group Manager Bot with many features

⚡ Innexia ⚡ A Powerful, Smart And Simple Group Manager ... Written with AioGram , Pyrogram and Telethon... Available on Telegram as @Innexia ❤️ Suppor

TeamDeeCode 84 Jun 04, 2022
Archive tweets and make them searchable

Tweeter Archive and search your tweets and liked tweets using AWS Lambda, DynamoDB and Elasticsearch. Note: this project is primarily being used a tes

Kamil Sindi 8 Nov 18, 2022
A Simple Voice Music Player

📀 𝐕𝐂𝐔𝐬𝐞𝐫𝐁𝐨𝐭 √𝙏𝙚𝙖𝙢✘𝙊𝙘𝙩𝙖𝙫𝙚 NOTE JUST AN ENGLISH VERSION OF OUR PRIVATE SOURCE WAIT FOR LATEST UPDATES JOIN @𝐒𝐔𝐏𝐏𝐎𝐑𝐓 JOIN @𝐂?

TeamOctave 8 May 08, 2022
A FORKED AND Modded version of TL:GD for 🅱️3R0K🧲support

for support join here working example group Leech Here For Any Issues/Imrovements or Discussions go here or here Please Leave A star And Fork this Rep

XcodersHub 165 Mar 12, 2022
Buy early bsc gems with custom gas fee, slippage, amount. Auto approve token after buy

Buy early bsc gems with custom gas fee, slippage, amount. Auto approve token after buy. Sell buyed token with custom gas fee, slippage, amount. And more.

Jesus Crypto 206 May 01, 2022
THE BEST INSTAGRAM AUTO LIKER GET MORE FOLLOWERS WITH THIS AUTOMATION

Hi 👋 , I'm Anandhu Ashok Developer making awesome things for awesome people 🚀 Connect with me: THE BEST INSTAGRAM AUTO LIKER GET MORE FOLLOWERS WITH

Anandhu Ashok 3 Jul 26, 2022
Simple Telegram AI Chat bot made using OpenAI and Luna API

Yui Yui, is a simple telegram chat bot made using OpenAI and Luna Chat bot Deployment 👀 Deploying is easy 🤫 ! You can deploy this bot in Heroku or i

I'm Not A Bot #Left_TG 21 Dec 29, 2022
Check your bot status automatically using userbot, simply and easy

Status Checker Userbot check your bot status automatically using userbot, simply and easy. Mandatory Vars API_ID : Telegram API_ID, get it from my.tel

ALBY 6 Feb 20, 2022
Sadew Jayasekara 23 Oct 21, 2022
A Python Library to Make Quote Images

Quote2Image A Python Library to Make Quote Images How To Use? Download The Latest Package From Releases Extract The Zip File And Place Every File In I

Secrets 28 Dec 30, 2022
This is a tutorial on how to make a Discord Bot using the discord.py library

HowToMakeADiscordBot This Github repository is here to help you code a Discord Bot using the discord.py library! 1 - Setup: Download the code inside t

Baz 1 Oct 31, 2021
Create custom Vanity URLs for Discord without 30 boosts

CustomVanity - Made by udp#6666 aka Apolo - OpenSource Custom Discord Vanity Creator How To Use Open CustomVanity.py Write your server invite code Wri

apolo 17 Aug 23, 2022
A simple telegram bot to save restricted content with custom thumbmail support by Mahesh Chauhan

Save Restricted Content Bot A simple telegram bot to save restricted content with custom thumbmail support by Mahesh Chauhan. Variables API_ID API_HAS

Mahesh Chauhan 532 Jan 02, 2023
A small Python app to create Notion pages from Jira issues

Jira to Notion This little program will capture a Jira issue and create a corresponding Notion subpage. Mac users can fetch the current issue from the

Dr. Kerem Koseoglu 12 Oct 27, 2022