Cloakify – Data Exfiltration In Plain Sight; Evade DLP/MLS Devices; Social Engineering of Analysts; Evade AV Detection
Joe Gervais (TryCatchHCF)
DLP systems, MLS devices, and SecOps analysts know what data to look for:
So transform that data into something they’re not looking for:
Python scripts to cloak / uncloak any file type using list-based ciphers (text-based steganography). Allows you to transfer data across a secure network’s perimeter without triggering alerts, defeating data whitelisting controls, and derailing analyst’s review via social engineering attacks against their workflows. As a bonus, cloaked files defeat signature-based malware detection tools.
Cloakify first Base64-encodes the payload, then applies a cipher to generate a list of strings that encodes the Base64 payload. Once exfiltrated, use Decloakify with the same cipher to decode the payload.
Not a secure encryption scheme (vulnerable to frequency analysis attacks, use ‘noiseTools’ scripts to add entropy). Encrypt data separately prior to processing to keep secure (if needed).
Very small, simple, clean, portable – written in Python. Can quickly type into a target’s local shell session if needed.
Use py2exe if Windows target lacks Python. ( http://www.py2exe.org/ )
Prepackaged ciphers include lists of:
Desserts in English, Arabic, Thai, Russian, Hindi, Chinese, Persian, and Muppet (Swedish Chef)
IPv4 Addresses of Popular Websites
GeoCoords World Capitals (Lat/Lon)
MD5 Password Hashes
World Cup Teams
Amphibians (scientific names)
GeoCaching Coordinates (w/ Site Names)
Star Trek characters
evadeAV (smallest cipher space – x3 payload size – purely to evade AV detection)
Prepackaged scripts for adding noise / entropy to your cloaked payloads:
prependID.py: Adds a randomized ID tag to front of each line
prependLatLonCoords.py: Adds randomized LatLong coordinates to front of each line
prependTimestamps.py: Adds timestamps (log file style) to front of each line
See script comments for details on how to tailor the output for your own needs
To create your own cipher
Generate a list of at least 66 unique words / phrases / symbols (Unicode accepted)
Randomize the list order
Remove all duplicate entries and all blank lines
Pass the new file as the cipher argument to cloakify / decloakify
Add noise to degrade frequency analysis attacks against your cloaked payloads. Here we use the ‘pokemonGo’ cipher, then use the ‘prependLatLonCoords.py’ script to generate random geocoords in a 10×10 mile grid. (Strip noise from file before decloaking.)
Sample Cipher Gallery