CDR vs. steganography created with Invoke-PSImage
By: ODI research team
Security professionals agree that any file, especially one that arrives from an external source, can carry malicious code. That is why Content Disarm and Reconstruction (CDR) technology, in its various forms, has become a crucial part of the cyber defense toolbox. Where a sophisticated detection engine may fail, a simple, well-defined user policy or malicious content removed just in time can save the day.
To show how ODIX CDR can protect against malicious code hidden in a seemingly innocuous file, we ran a test on an executable script planted inside an innocent image with the recently released Invoke-PSImage. For the uninitiated, Invoke-PSImage is a utility that takes a PowerShell script and embeds its bytes into the pixels of a PNG image, one byte per pixel, stored in the least significant four bits of two of the pixel's color values, so the picture still looks normal to the eye. It then generates a PowerShell one-liner that reads those bytes back out of the image, either from a local file or from a URL, and executes them.
Please note: at the time of the test, the Invoke-PSImage tool itself was already flagged on VirusTotal, but the image payloads it produces were not.
Building the Payload
For this experiment, we first took a random 1920×1200 image; with one payload byte per pixel, its 2,304,000 pixels leave ample room for a script:
We created a basic TCP reverse shell script, Invoke-PowerShellTcpOneLine.ps1, configured to connect back to a listening Kali machine on port 4444. We then used Invoke-PSImage to embed the shell script in the image.
Invoke-PSImage took the following inputs:
- Script – the PowerShell script to embed
- Image – the image file the script is embedded into
- Output – path to the combined output file
- Web (optional) – generates a one-liner that downloads the image from a URL instead of reading a local file
The CLI output (below, starting with sal…, where sal is the PowerShell alias for Set-Alias) is the one-liner that extracts the script from the output image file and executes it.
We saved that one-liner to a second file, run_demo.ps1, leaving us with two files: the armed image and the script that executes it.
After opening a listener on the “attacker machine”, we executed run_demo.ps1, which extracted the shell script from the image and ran it. The result was a reverse shell back to the attacker machine, allowing remote command execution: a clear and present danger to both the local host and the network as a whole.
How ODIX CDR Neutralized the Threat
The ODIX CDR solution was built for exactly this type of challenge. Traditional detection solutions require prior knowledge of what to look for, whereas CDR does not need to recognize the threat: it rebuilds the file, which in this case renders the embedded script unusable.
For example, when we ran the same script against a copy of the image that had passed through ODIX CDR processing, the extraction failed: the pixel data had been rewritten by the CDR engine, so the one-liner recovered only garbage instead of the hidden script.
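To make the mechanism concrete, here is an added example in Python (it is neither the tool's own PowerShell code nor ODIX's) that models the pixel layout described above, one script byte per pixel split across the low four bits of the G and B samples, and then runs the armed pixels through two kinds of "rebuild": a lossless copy, which leaves the hidden script fully recoverable, and a re-quantization that rewrites the low-order bits, after which the decoder gets garbage. The sample image, the harmless payload string and the re-quantization step are all constructed for the example; how the ODIX engine actually rewrites an image is not described on this page and is not modelled here.

```python
# Added example (Python) modelling the pixel encoding Invoke-PSImage uses and
# what a file rebuild does to it. Not the tool's own PowerShell code and not
# ODIX's algorithm; the image, payload and rebuild step are constructed here.
import os
from typing import Callable, List, Tuple

Pixel = Tuple[int, int, int]  # (R, G, B), one 8-bit sample per channel

# Constructed "image": 64 pixels of a synthetic gradient standing in for the PNG.
SAMPLE_PIXELS: List[Pixel] = [
    ((x * 7) % 256, (x * 13) % 256, (x * 29) % 256) for x in range(64)
]

# Constructed, harmless stand-in for the embedded script.
PAYLOAD = b'Write-Output "hello from the image"'


def embed(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Hide one payload byte per pixel: the high nibble goes into the low 4 bits
    of B, the low nibble into the low 4 bits of G (the layout Invoke-PSImage uses).
    Pixels past the end of the payload get random nibbles so the tail is not flat."""
    if len(payload) > len(pixels):
        raise ValueError("image too small for payload")
    data = payload + os.urandom(len(pixels) - len(payload))
    stego = []
    for (r, g, b), byte in zip(pixels, data):
        g = (g & 0xF0) | (byte & 0x0F)
        b = (b & 0xF0) | (byte >> 4)
        stego.append((r, g, b))
    return stego


def extract(pixels: List[Pixel], length: int) -> bytes:
    """Read the first `length` bytes back out. Per pixel this is the generated
    one-liner's ((B -band 15) * 16) -bor (G -band 15)."""
    return bytes(((b & 0x0F) << 4) | (g & 0x0F) for _, g, b in pixels[:length])


def max_channel_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """Largest per-sample change between two images: how visible the embedding is."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


def lossless_copy(pixels: List[Pixel]) -> List[Pixel]:
    """A rebuild that preserves every sample value (like decoding and re-encoding
    a PNG losslessly). Included to show that this does NOT disarm the image."""
    return list(pixels)


def requantize(pixels: List[Pixel], bits: int = 6) -> List[Pixel]:
    """Stand-in for a rebuild that re-renders the picture with altered sample
    values: keep only the top `bits` bits of each channel. Any step that rewrites
    the low-order bits defeats this scheme. The transform a real CDR engine
    applies is an assumption here, not taken from the page."""
    shift = 8 - bits
    return [((r >> shift) << shift, (g >> shift) << shift, (b >> shift) << shift)
            for r, g, b in pixels]


def payload_survives(rebuild: Callable[[List[Pixel]], List[Pixel]],
                     pixels: List[Pixel] = SAMPLE_PIXELS,
                     payload: bytes = PAYLOAD) -> bool:
    """Embed, push the armed image through `rebuild`, and report whether the
    decoder still recovers the original script bytes."""
    return extract(rebuild(embed(pixels, payload)), len(payload)) == payload


if __name__ == "__main__":
    armed = embed(SAMPLE_PIXELS, PAYLOAD)
    print("max visible change per sample:", max_channel_delta(SAMPLE_PIXELS, armed))  # at most 15
    print("script survives lossless copy:", payload_survives(lossless_copy))          # True
    print("script survives requantize   :", payload_survives(requantize))             # False
```

The check worth keeping from this is the shape of payload_survives: run the extractor against the original and the processed image and compare. A rebuild that reproduces the pixel samples bit for bit, however "new" the resulting file is, leaves this kind of steganography intact; the payload is only destroyed once the sample values themselves change.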
This is a clear example of how CDR solutions from ODI sanitize incoming files regardless of the malware vector, eliminating threats before they reach the network.
Are you interested in testing our CDR technology with your own files?