How to hide payload behind images

How to hide payload behind images

Some of us are already aware of various techniques that are used to hide various important files or payloads to save them from unauthorized access but sometimes doing all this is not enough. This is mostly because anyone aware of the method that is used to access these files even if hidden can get hold of them quite easily. In this article, we are going to discuss a new method through which these files can be hidden. As we are aware that the complex shell scripts can be quite easily implemented into photo metadata and in the further process they can be used to exploit a MacBook. So, in response to the response to this whole obfuscating nature of the very attack.

Also Read: What is Termux and how do we use it? and  How to Hack Android Phones by Sending a Link

In short, this attack can be quite useful to evade the network firewalls as well as vigilant sysadmins. The scenarios created through this attack is a malicious command which will be embedded directly into the EXIF metadata in form of an image file. The attackers involved here can host the malicious image on public websites. There are many such websites such as Flickr. Now, this data will become quite easy to download and getting access by almost anyone. The stranger in here then will be creating a stager to download the image, extract all the metadata and then try to execute the embedded command in short. Now if you wanted to be a little clearer then kindly do click on the image file even after this it would not be causing the embedded file to be executed.

Also Read: How to Install Anydesk on Ubuntu and How to Recover deleted files from Pen drive

In total that is a whole different kind of macOS something that is not discussed in this article. As in here, we are only discussing the topic of how can someone hide payloads behind an image. So, in response to the attack noticed it is mainly that the command is hidden in the metadata of this image and then used as a payload delivery system. Till now it is a bit clear that the stager and the payload are two different kinds of aspects that are linked to the attacks. On one hand, the stager is mainly designed to download the image and then execute all the embedded payloads while in the case of payload it is nothing but the final bit of code that is here designed so that it can perform on more than one commands. Now the main question is that why we are hiding the payloads behind an image.

Also Read: Top Emulators for PC and Mac and What is Blockchain and How to Use it

Well, let’s try to understand the answer. Here what is the requirement of the stager if the attacker is already in the position to execute the code on the targeted MacBook? In short, the primary thing here is the varying degree of active evasion. Also, if properly noticed stagers is kind of small that is about ~100 characters long which make them quicker to execute with the use of a USB rubber ducky or even by a mouse jack as an example. So, in most of the scenarios hiding a payload behind an image is not required. This can be a highly secure environment where all the possible domains are kind of logged on by the software of the firewall. This may sound a bit beneficial to conceal the actual contents and of course the origin of the payloads.

Now let’s see the steps involved in the hiding process of payloads behind an image:

Before we can move forward, we can have a general comfort with various kind of tools such as curl, system profiler, exiftool, grep as well as bash scripting before we can start.

  1. Firstly, you are required to download the image that can be used in the attack. The stagers would not be used to save the image to the target computer. So, any kind of image can be used as there is nothing specified to be used here.
  2. Now moving further, we need to generate the payload. Here we are going to first learn about the straightforward touch command. So, when the attacker will be trying to execute the payload embedded in the image. Now, this is an empty file on the macOS desktop know as hacked.
  3. Firstly, use the printf command followed by base64 and tr to encode the payload. Base64 in here will be used to encode the string. While the tr command is used for deletion. This is in the form of –d and –l for newline.
  4. Now there is a bit more complex payload that kind of involve the macOS’s system profiler command that can be used to perform an overall situational awareness about the attack as well as about the curl that is used to exfiltrate the output of the command to be on the server of the attacker.
  5. Now in the further step, we need to embed the payload into your image. For this, you will require the exiftool.
  6. After this, you need to upload the image to the website.


I hope the information shared above will be able to help all my readers.      


No comments yet. Why don’t you start the discussion?

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.