T1659: Content Injection
Last updated
Last updated
Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.
Adversaries may inject content to victim systems in various ways, including:
From the middle, where the adversary is in-between legitimate online client-server communications (Note: this is similar but distinct from Adversary-in-the-Middle, which describes AiTM activity solely within an enterprise environment)
From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server
Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception
In this example I'll be working with the backdoor-factory Injection Caplet for Bettercap rebuilt in Go the tools looks for specific extensions and file formats to inject shellcode data on compatible binary file formats such as PE, Mach-O, and ELF in the following examples I will use a Linux (ELF) and a Windows (PE) binary that both will be injected with shellcode
First will need to run backdoor-factory and give it the folder where our shellcode is located
Since this folder is empty will need to create the shellcode for the intended OS in this scenario will be building the shellcode for Linux OS 64bit I'll use msfvenom from creating the shellcode
Will take a quick look at the caplet file to see what it's doing, in the first line it's targeting Linux machines, on the second line it is searching for specific User Agents that Linux machines are using when navigating the web and the 3 line it will look for specific containers such as zip, tar, gunzip, etc. It will decompress these files on the file if they are not password protected and then inject the shellcode on the binary ELF or PE.
Make sure you save the payload in the correct folder, as seen previously I saved a 64 bit shellcode in the x64 folder and the caplet is targeting the correct formats now with this I can continue with the instructions by backdoor-factory and execute the caplet
Now since the technique is specific to what it will look for I setup a ELF binary that prints "Hello World" this binary was compressed into a ZIP file and is hosted on a Apache server, I tried using python HTTP but got no success only with dedicated HTTP Servers, now when BETTERCAP detects the specific User-Agent and the extensions to be correct it will grab the file, inject the shellcode and send it back to the user but this time with our shellcode
Now will grab the file
In the screen above we see the intended file has been downloaded the ZIP file and BETTERCAP has successfully identified it and injected the shellcode
Now when the user tries to use this file by extracting and executing, it will work as intended but with our backdoor installed
For windows it requires some small editing on the CAPLET file
As seen previously I've added the target to be window and to expect users agents that hold the string Windows, not 100% reliable as this can be spoofed but will continue for now, I've hosted a PE file on a Apache server again
And I've initiated the attack on another window and notice the new target
I'll proceed in downloading the PE file compressed in a ZIP container
And the attack continues from BETTERCAP
I can confirm this by extracting the contents of the ZIP file and executing seen in the demo below
References:
https://www.symbolcrash.com/tag/binjection/
