One Part Steganography, Four Redirectors, and a Splash of C2!

Curtis Brazzell
Sep 20, 2020

Intro

What do you get when you combine Google Images, QR Codes, and Remote Command Execution? This silly project of mine I’d like to share with you all, of course! Building on the research from my last couple of blogs, where I used dynamic web content to proxy traffic over third-party image providers, I decided to try to find a valid bi-directional method for sending data between a NAT’d client and a public server. Alternatively put, I wanted to see if I could build my own crude Command and Control (C2) framework from scratch which proxies traffic through third-party image servers (Google, Imgur, Imgflip, etc.), all via only encrypted GET requests, in order to fool Blue Teams while doing covert Red Team operations. There are a million flavors of C2 frameworks these days, so my objective here wasn’t to reinvent the wheel but to prove the channel technique is useful and unique. I did some preliminary Google searches and didn’t see anything like this being done before so, let’s get to work!

In my last blog I found how to get data out via a similar method, but I didn’t really have a plan for getting data back. The technique I highlighted would be more useful for proxying credentials and data exfil since it only worked in one direction. Steganography came to mind since I was using an image proxy, but Exif metadata techniques are limited. It hit me later that a QR code is an image that holds up to 4,296 alphanumeric characters. iQR can improve upon that and even support a staggering 40,637! There is no need to scan these in manually with a mobile device, since I can write code that turns the C2 server’s commands into a QR code, which the agent (client) then reads and processes. I also had a plan, which I’ll detail below, to change the content being presented in the event a SOC analyst decided to make the same web requests themselves.

I think Redirector techniques are awesome because you don’t have to burn the domains and IP addresses that host your C2. They also have the added benefit of working like an encrypted proxy, so watching eyes and network monitoring tools are less likely to notice anomalies. My project has the added benefit of being part of a regular network flow because everyone requests images from places like Google and Imgflip, right?! How else would you pass the time if not by checking the latest memes in your #random Slack channel? Yeah, me neither..
