Forblaze: Python Mac Steganography Payload Generator

Forblaze – A Python Mac Steganography Payload Generator

Purpose

Forblaze is a project designed to provide steganography capabilities to Mac OS payloads. Using python3, it will build an Obj-C file for you which will be compiled to pull desired encrypted URLs out of the stego file, fetch payloads over https, and execute them directly into memory. It utilizes custom encryption – it is not cryptographically secure, but purely to thwart analysis by AV engines. It is a slight deviation from my previously built custom encryption for Windows, called Rubicon, and is more simple in practice. Forblaze utilizes header and footer bytes to identify where in the stego file your encrypted bytes are, and then decrypts them with a hard-coded key in compile_forblaze.m. This key can be saved and re-used, with the effect that a different URL could be used to fetch a different payload, and the same compiled forblaze should still be able to execute and process it (provided the header and footer bytes aren’t changed, and the new stego file is uploaded to the correct location.)

Opsec Concerns

Honestly, not too many. Mac OS detections are still pretty poor, especially for in-memory activity. However, as a warning, this method (based almost entirely on https://blogs.blackberry.com/en/2017/02/running-executables-on-macos-from-memory) will NOT WORK FOR GO COMPILED MACHOS. Every other macho I’ve tested works fine, so if you really want to use Go C2s such as Mythic, I recommend crafting a custom macho which can function similar to osascript, and call a jxa payload in memory directly. As an exercise for the reader, you could also call payload bytes directly vs a URL with some slight modifications to this code.

I would recommend changing this like the number of random bytes generated from the default, and changing the default header and footer bytes that forblaze uses to find the payload in the stego file (as well as the length of those header and footer bytes to perhaps be more inconspicuous).

Detection/Prevention

Steganography is pretty difficult to detect. If you know where the stego file is, you can begin to extract the suspect bytes after the end of the normal file EOF (so after “FFD9” for jpegs for example). These suspect bytes will still include the actual encrypted payload and nonsense random bytes, which would be hard to distinguish from each other unless you possess the header and trailing bytes specified by Forblaze. You could look through these bytes and look for patterns of repeating bytes since this is how the header and footer bytes with forblaze tend to work, but a skilled operator could make that more difficult to find than the default. If a payload is caught you could obviously RE the binary and try to locate the stego file, and then try to use the hard-coded key and headers/footers to reverse the URL being called (or other bytes). But that all assumes you found the binary by some other means.

Install

git clone https://github.com/asaurusrex/Forblaze.git

Use

Disclaimer

DO NOT use this project for purposes other than legitimate red teaming/pentesting jobs, or research. DO NOT use this for illegal activity of any kind, and know that this project is intended for research purposes and to help advance the missions of both red and blue teams.

Copyright (c) 2021, asaurusrex
All rights reserved.

Source: https://github.com/asaurusrex/