C2 With Python, Powershell, and Favicons

As I was leisurely browsing the web recently, I saw the icon for a website pop up on one of my tabs and an idea popped into my head: the favicon is such a common thing to see in packet captures and the like that it would surely be overlooked as a potential vector for C2 of malware. There may be people doing this already, and I'm not saying it's a completely groundbreaking idea, but it is another tool to stick in the toolbox, as I am always trying to adapt and find new ways of doing things. Python makes this task very trivial too, so I decided to whip up some code to see how well it would work out.

Having spent time during CTFs using the Python Imaging Library to create and read images, I knew the creation of the PNG file would be the easy part. A simple implementation could be the following:

All this does is take a file you specify, read the byte value of each character within, and shove each three-byte group into a single pixel (R, G, B). As we are creating an icon of size 32x32, and each pixel can hold three bytes, our total possible input size is 3072 bytes (32 x 32 x 3). Everything is pretty straightforward. You could make a more complicated implementation; this is just to get the idea across.

This is an example (zoomed in) of what your favicon will look like after you create it.

Blown Up Favicon

The best thing about the file created is that it is a legitimate PNG file, which encodes and compresses the data, so if someone is sniffing the wire looking for base64-encoded data or plaintext data passing across the wire, all they will see is a valid PNG file with all of its requisite headers and valid image data.
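The flip side of that observation, from the defender's side, is that a favicon packed this way is a valid PNG but not a plausible picture: once the pixel bytes are unpacked, they are almost entirely printable ASCII, which real icon artwork never is. The following script is an added example and is not code from the original post or its repository. It is a pure-Python PNG reader (8-bit RGB, all five scanline filters) plus a heuristic that flags an icon whose decoded pixel bytes look like text. Both sample icons it checks are constructed in the script itself: a gradient standing in for a normal favicon, and an icon whose pixels carry a harmless placeholder string packed three bytes per pixel exactly as described above. The `looks_like_packed_text` name and the 0.95 threshold are the example's own choices, not anything from the post.

```python
"""Flag PNG favicons whose pixel payload reads as text rather than image data.

Added example for triage of captured favicons; not the original post's code.
"""
import string
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PRINTABLE = frozenset(string.printable.encode("ascii"))


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def write_rgb_png(width: int, height: int, rgb: bytes) -> bytes:
    """Build a minimal 8-bit RGB PNG from raw pixel bytes (used only to construct test fixtures).

    Odd rows use the Sub filter (type 1) so the reader's unfiltering path is exercised.
    """
    if len(rgb) != width * height * 3:
        raise ValueError("rgb must hold width*height*3 bytes")
    stride = width * 3
    rows = []
    for y in range(height):
        line = rgb[y * stride:(y + 1) * stride]
        if y % 2 == 0:
            rows.append(b"\x00" + line)                       # filter None
        else:                                                 # filter Sub: subtract byte 3 to the left
            rows.append(b"\x01" + bytes((line[i] - (line[i - 3] if i >= 3 else 0)) & 0xFF
                                        for i in range(stride)))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"".join(rows))) + _chunk(b"IEND", b"")


def _paeth(a: int, b: int, c: int) -> int:
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def _unfilter(raw: bytes, width: int, height: int, bpp: int = 3) -> bytes:
    """Reverse the per-scanline PNG filters (None, Sub, Up, Average, Paeth)."""
    stride = width * bpp
    prev = bytearray(stride)
    out = bytearray()
    pos = 0
    for _ in range(height):
        ftype = raw[pos]
        line = bytearray(raw[pos + 1:pos + 1 + stride])
        pos += 1 + stride
        for i in range(stride):
            a = line[i - bpp] if i >= bpp else 0      # reconstructed byte to the left
            b = prev[i]                               # reconstructed byte above
            c = prev[i - bpp] if i >= bpp else 0      # reconstructed byte above-left
            if ftype == 1:
                line[i] = (line[i] + a) & 0xFF
            elif ftype == 2:
                line[i] = (line[i] + b) & 0xFF
            elif ftype == 3:
                line[i] = (line[i] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                line[i] = (line[i] + _paeth(a, b, c)) & 0xFF
            elif ftype != 0:
                raise ValueError(f"unknown filter type {ftype}")
        out += line
        prev = line
    return bytes(out)


def read_rgb_png(data: bytes):
    """Parse an 8-bit RGB PNG and return (width, height, pixel bytes in scan order)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, width, height, idat = len(PNG_SIG), None, None, b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            if depth != 8 or colour != 2:
                raise ValueError("only 8-bit RGB is handled here")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length
    return width, height, _unfilter(zlib.decompress(idat), width, height)


def text_ratio(rgb: bytes) -> float:
    """Fraction of pixel bytes (ignoring trailing zero padding) that are printable ASCII."""
    payload = rgb.rstrip(b"\x00")
    return sum(1 for b in payload if b in PRINTABLE) / len(payload) if payload else 0.0


def looks_like_packed_text(png: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: genuine artwork never has ~all pixel bytes in the printable range."""
    _, _, rgb = read_rgb_png(png)
    return text_ratio(rgb) >= threshold


# Constructed fixtures (not real favicons): a gradient icon and a text-packed icon.
NORMAL_ICON = write_rgb_png(32, 32, bytes(
    v for y in range(32) for x in range(32) for v in ((x * 8) & 0xFF, (y * 8) & 0xFF, ((x ^ y) * 8) & 0xFF)))
PLACEHOLDER_TEXT = (b"CONSTRUCTED SAMPLE: harmless placeholder text packed 3 bytes per pixel. " * 20)[:2048]
PACKED_ICON = write_rgb_png(32, 32, PLACEHOLDER_TEXT.ljust(3072, b"\x00"))

if __name__ == "__main__":
    for name, icon in (("gradient", NORMAL_ICON), ("packed", PACKED_ICON)):
        print(f"{name}: text ratio {text_ratio(read_rgb_png(icon)[2]):.2f}, flagged={looks_like_packed_text(icon)}")
```

A ratio this extreme is a strong signal on its own, but the same parsing step also gives you the raw payload to run ordinary string and keyword matching over, which is what the wire-level view described above never shows.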

As for the cradle to download the file and convert it back into a command to be executed, PowerShell is the perfect option, as it can access all of the .NET libraries (including the System.Drawing.Image class!) and is of course available on the majority of Windows machines these days. The code I created is as follows:

There are probably more elegant solutions, as I'm not the best with PowerShell, but this gets the job done. Any code it pulls out of the favicon is sent to the Invoke-Expression cmdlet for execution. My git repo is here if you'd like to pull it down.

This would create a PNG which would run Matt Graeber's Invoke-Shellcode and give a listener a reverse HTTPS shell. Of course, this means you'd need code execution in the first place, possibly by sending a phishing email with a malicious Office document, and persistence created in a way similar to Power Worm.

Either way, all you'd need to do with the above PowerShell script to interpret the PNG is the following:

And...

Success!