Obfuscating Infiltration and Exfiltration with Code Cave Artifacts

Jun 19, 2023

Obfuscation is often easy to recognize when it is in use, but not so easy when it pretends to be part of a binary's embedded data and is used to communicate secrets back and forth.

Introduction

This article covers a handful of fun ways to play with executable binary files instead of just running them like everyone else. We will build the binaries in C and the tooling in Python 3, automate the workflow and processes with shell scripts, and run everything in a Linux environment with Linux tooling.

We'll be obfuscating data and injecting it in a somewhat stealthy fashion into binaries, so that it stays in the binary where most tools won't care what it is, because nothing calls it directly. As a result, the data does not have to be routed through a sandbox to test it; and since it is obfuscated or even encrypted with strong crypto, it won't be obvious that something is hiding there.

This matters when data moves from one area to another and that movement needs to be monitored to determine what type of data, or what content, is passed between entities.

Blue teams might become aware of this and therefore not just whitelist the activity, as we have seen many teams do, mostly because of alert fatigue.
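A defender-side check for the technique described above, added here as an example and not code from the article: parse an ELF64's section table, compute the gaps between the regions that legitimately occupy file bytes, and flag any gap that holds non-zero, high-entropy bytes, which is what an encrypted payload parked in a code cave looks like. The 6.0-bit threshold, the minimal ELF builder and the sample payloads are constructed assumptions for illustration.

```python
import math
import struct
from collections import Counter

SHT_NOBITS = 8  # .bss-style sections occupy no file bytes, so they cannot hold a cave

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for all-zero padding, approaching 8.0 for encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def file_backed_regions(blob: bytes):
    """(offset, size) of everything that legitimately occupies file bytes in an ELF64."""
    if blob[:5] != b"\x7fELF\x02":
        raise ValueError("not a 64-bit ELF")
    e_shoff, = struct.unpack_from("<Q", blob, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", blob, 0x3A)
    regions = [(0, 64), (e_shoff, e_shentsize * e_shnum)]  # ELF header, section table
    for i in range(e_shnum):
        base = e_shoff + i * e_shentsize
        sh_type, = struct.unpack_from("<I", blob, base + 4)
        sh_offset, sh_size = struct.unpack_from("<QQ", blob, base + 24)
        if sh_type != SHT_NOBITS and sh_size:
            regions.append((sh_offset, sh_size))
    return sorted(regions)

def find_caves(blob: bytes, min_size: int = 16, entropy_threshold: float = 6.0):
    """Gaps between regions; a gap with non-zero, high-entropy bytes is a filled cave."""
    findings, cursor = [], 0
    for off, size in file_backed_regions(blob) + [(len(blob), 0)]:
        if off - cursor >= min_size:
            cave = blob[cursor:off]
            ent = shannon_entropy(cave)
            nonzero = sum(1 for b in cave if b)
            findings.append({"offset": cursor, "size": len(cave), "nonzero": nonzero,
                             "entropy": ent, "suspicious": nonzero > 0 and ent >= entropy_threshold})
        cursor = max(cursor, off + size)
    return findings

def build_sample_elf(cave: bytes) -> bytes:
    """Constructed ELF64 skeleton: header, 32-byte .text, the cave, then 2 section headers."""
    text, text_off = b"\x90" * 32, 64
    shoff = text_off + len(text) + len(cave)
    ehdr = bytearray(b"\x7fELF\x02\x01\x01" + bytes(57))
    struct.pack_into("<Q", ehdr, 0x28, shoff)       # e_shoff
    struct.pack_into("<HH", ehdr, 0x3A, 64, 2)     # e_shentsize, e_shnum
    text_sh = struct.pack("<IIQQQQIIQQ", 1, 1, 6, 0x401000, text_off, len(text), 0, 0, 16, 0)
    return bytes(ehdr) + text + cave + bytes(64) + text_sh  # index 0 is the SHT_NULL entry
```

Short XOR-obfuscated text may sit below the entropy threshold, so the non-zero byte count is kept as a second signal that separates a filled cave from alignment padding. On a real binary, program-header padding between loadable segments should be walked the same way.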

Let's begin our journey in hiding in plain sight.

What you will learn:

To hide and manipulate data in a binary file for various purposes such as infiltration and exfiltration.

What....

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023