PackMyPayload: packages payloads into output containers

PackMyPayload – Emerging Threat of Containerized Malware

This tool takes a file or directory on input and embeds them into an output file acting as an archive/container. It can serve a purpose for a Proof-of-Concept presenting an emerging risk of container file formats with embedded malware, as well as a helper for professional Red Team Operators to sharpen their Initial Access maneuvers.

Currently, Threat Actors are known to smuggle their malware archived in various container file formats, to name a few:

• 7zip
• zip
• ISO
• IMG

They do that to get their payloads pass file content scanners, but more importantly to avoid having the Mark-Of-The-Web flag on their files. There’re various motives on why adversaries don’t want MOTW on their files: Protected View in Microsoft Office was always among them.

Should they provide container files to their victims, a foundation for disabling VBA macros in Internet-originated Office documents might be bypassed?

Background

In Feb, 7th Microsoft announced a default configuration change to block VBA macros originating from the Internet. This is an incredible step towards hardening the baseline configuration of the User’s workstation and the client software installed within. Arguably overdue, yet an important step dramatically affecting in a positive way typical Windows+Office installation setups.

The implemented behavior is explained to work by differentiating macro-enabled Office documents based on the MOTW (Mark of the Web) flag. That flag acts as a tainted label available for software clients (browsers, mail clients, file archivers, etc) to mark files originating from untrusted areas like The Internet.

Outflank shed more light on MOTW, back in 2020 by indicating areas where the MOTW flag is not uniformly propagated. These areas serve the defense gap role and are commonly abused by threat actors for years now.

Their research disclosed, that some container file formats – namely ISO, VHD/VHDX – do not propagate MOTW taint flag onto inner files upon auto-mount or auto-extraction. Moreover, Windows 8+ is able to open these formats automatically upon double-click, making them notorious infection carriers, possibly devaluing MOTW in its security measure role.

Rationale

Using the occassion that Industry’s eyes are turned on Microsoft’s brave decision to block VBA Macros, we, professional Security Researchers taking the utmost consideration on increasing World’s technologies resielience against their misuse, want to add following insight into current Threat Actor TTPs:

Threat Actors are well aware of the impact MOTW has on their phishing payloads. They’ve adapted long time ago and are now smuggling their malicious programs inside of containers. Among the most commonly observed ones we can highlight are ISO, IMG, CAB.

I am now releasing this tool to increase the momentum built on Microsoft’s stand and to help intensify discussions on these evasion avenues.

It is advised to contain (and/or block) files having above listed extensions whenever they originate from untrusted zones & wherever applicable:

• Web Proxies
• Mail Scanning engines
• Endpoint protection agents – EDRs, XDRs, AVs
• File upload forms & functionalities

The tool released will hopefully enable more Red Teams to simulate discussed risks and help them identify detection gaps within their Partners defenses more easily.

Features

This script offers the following treats & goodies:

• Packages input file or directory into an output container
• Can backdoor existing containers or create new ones.
• Provides password encryption for supported formats

Formats supported:

Install & Use