To show how ODIX CDR can protect against malicious code hidden in a seemingly-innocuous file, we ran a test on an executable script planted inside an innocent image via the recently-released Invoke-PSImage. For the uninitiated, Invoke-PSImage is a utility that takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. Then, it generates a one-liner for executing either from a file or from the web.
Please note: The tool itself was already flagged by VirusTotal, but the payloads constructed by it have not.
Building the Payload
For this experiment, we first took a random 1920×1200 image:
We created a basic TCP shell script, Invoke-PowrShellTcpOneLine.ps1, which was configured to connect to a listening Kali machine on port 4444. Then, we used Invoke-PSImage to embed the shell script in the image.
The Invoke-PSImage script received as input:
- Script – the script to embed
- Image – the image file the script will be embedded into
- Output – path to the combined output file
- Web (optional) – can be used to generate a one-liner which extracts the script from a URL and not a local file
The CLI output (below, starting with sal…) is the one-liner which extracts and executes the script from the output image file.
Then we saved the output in another file, run_demo.ps1. We ended up with
two files: the armed image and the script to execute it.
After opening a listener on the “attacker machine”, we executed the run_demo.ps1 script, which extracted the shell script from the image and executed it. The result was an open shell to the attacker machine, which allowed command execution – a clear and present danger to both the local host machine and the network as a whole.
How ODIX CDR Neutralized the Threat
ODIX CDR solution was created to overcome this exact type of challenge. Traditional detection solutions require prior knowledge of what to look for, whereas CDR technology disrupts unknown threats – in this case rendering the embedded script unusable.
For example, if we try to run the script again but with an image that passed through ODIX CDR processing, the script fails to extract the hidden message, having been scrambled by the CDR engine.
This is an excellent example of how CDR solutions from ODI sanitize incoming files from all malware vectors, eliminating threats before they reach the network.
Are you interested in testing our CDR technology with your own files?