LetsDefend — ImageStegano Challenge Walkthrough
Investigating steganography using ExifTool and psimage_decoder.py
Introduction:
Welcome to my weekly walkthrough! Have you ever wondered about how malware can be hidden in an image? Well we’re about to explore the world of steganography by tackling the ImageStegano challenge on LetsDefend!
This is a challenge requiring us defenders to investigate an image file and determine if it contains malicious code hidden by using steganography.
Now what is steganography anyway? According to the SANS Internet Storm Center’s Infosec Glossary, steganography is the:
Methods of hiding the existence of a message or other data. This is different than cryptography, which hides the meaning of a message but does not hide the message itself. An example of a steganographic method is “invisible” ink.
So, whether you’re here to learn more about steganography, explore some new tools, or are just looking for a reference walkthrough for the LetsDefend ImageStegano Challenge, you’ve stumbled on the right spot. I encourage you to follow along during your own investigation and use this post as a reference if you get stuck.
Thanks for reading along, let’s have some fun!
Challenge Link: https://app.letsdefend.io/challenge/imagestegano
Challenge Scenario:
We are certain that there is something malicious in this image, but we do not know what it is. So we need you to investigate it and see if you can find any evidence.
Questions 1 & 2:
Who is the “Device Manufacturer” according to the metadata?
What is the CMM Type?
Let’s start off the investigation by connecting to the virtual machine environment hosted on LetsDefend, navigate to the ChallengeFile folder on the Desktop, and extracting the challenge file from the archive.
Inside, we find a seemingly innocuous .png file, but do you notice something strange? The file size is nearly 65MB in size! This is definitely suspicious and requires some further investigation.
Question 1 and 2 are asking about the image metadata, which is data about the image, and not the image itself like color profiles and the capturing device details. To analyze this file’s metadata, we will want to utilize something like ExifTool.
According to the project’s website, ExifTool is a:
platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. ExifTool supports many different metadata formats including EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3, Lyrics3, as well as the maker notes of many digital cameras by Canon, Casio, DJI, FLIR, FujiFilm, GE, GoPro, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Motorola, Nikon, Nintendo, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Phase One, Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon and Sony.
In other words, this tool is used to extract metadata from an image file for us to analyze!
Let’s take a closer look at our analysis environment. Unfortunately, our Windows environment does not have this tool installed for us to use. ExifTool is typically installed within Linux distros, however.
Maybe you noticed the orange Ubuntu Linux icon on the taskbar? This means that the analysis VM has Ubuntu installed for use with the Windows Subsystem for Linux (WSL) which allows us to use Linux tools in Windows — very cool!
So, we have a couple of options to access ExifTool to analyze the image’s metadata:
- ) Load into Ubuntu and operate the CLI directly:
2.) Or we can simply use the wsl command in PowerShell to access the Ubuntu tool within the PowerShell console directly! This will be the option we’ll use for this walkthrough.
We’ll navigate to the directory containing the suspicious .png file, and use the basic syntax to get an overview of the metadata contained within the image:
wsl exiftool Sd6wF1A1v.png
Now that we have used ExifTool to view the metadata we can find the information needed to answer Questions 1 & 2.
Question 3: What is the tool that created the payload inside the image?
This question will require some research since we don’t have any specific way of determining what application created this image from the metadata.
Why don’t we look at the question hint as a jumping-off point:
Okay, let’s do some research and head over to Google. We’ll search something basic like “image steganography powershell.”
The first result seems very promising. If we click the link we are taken to the GitHub project page for Invoke-PSImage.
According to the project’s README, this tool is used for the following purpose:
Invoke-PSImage takes a PowerShell script and encodes the bytes of the script into the pixels of a PNG image. It generates a oneliner for executing either from a file of from the web.
Based on the number of stars, this project seems well-known, and it creates a payload within a .png image. Let’s submit the answer and see if our research is correct:
Question 4: After decoding the payload, can you find out the function’s name?
Now that we know what tool created the suspicious image, we’ll now need to locate a method to analyze the actual payload hidden within the image.
Since we know the tool which created the malicious image, let’s do some more Google searching to see if there is a tool available to reveal the code.
We’ll stumble across the article below by Mert Sarica at Hack 4 Career.
After reading the article, we discover that this researcher has created a tool, psimage_decoder.py, which:
Reveals Powershell code hidden in image files using Invoke-PSImage
This sounds promising and is exactly what we’re trying to accomplish! Why don’t we test out this tool and see how it works? We’ll follow the link in the article and check out the Python code over on GitHub.
Without internet connectivity, we have limited options to download the tool into the virtual analysis environment so we’ll just copy the raw file contents into the copy/paste box of the virtual machine’s remote options.
Then, we’ll paste the code into the installed Notepad ++ and save it as a Python file called psimage_decoder.py (or whatever name you’d like).
Finally, let’s run the Python script using the provided syntax to point to the malicious .png file…
Yikes! That was a lot of output to the console, let’s redirect this to a txt file instead so that we can more easily analyze the results.
python .\psimage_decoder.py <Path to file> > <output file name>.txtOnce we open the results file, we will see a function at the very top — Invoke-Mimikatz. If you aren’t familiar with Mimikatz, here is a summary of this software from MITRE ATT&CK:
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.
Yikes! That wouldn’t be a good thing for the victim to launch. Now that we’ve discovered evidence of Mimikatz embedded in the .png file using psimage_decoder.py, I think we can confidently call this file malicious. Let’s continue with the investigation.
Question 5: There are two hidden executables in the decoded payload. What is the sha256 hash of the 32-bit version of the executable?
To answer the last question, let’s continue scrolling through the output of the decoded payload. Toward the bottom of the output, we’ll stumble upon this line with a block of code:
We’ve found of the two hidden executables! This is the 64-bit version, let’s keep scrolling until we find the Win32 version:
There we go! Now that we have located the second executable, notice the SHA256 hash and the convenient link to VirusTotal?
While we already have the file hash we are looking for, let’s take a quick look at the VirusTotal report. If we needed to do some additional research on this binary, this would be a solid method to pivot and gather some additional intelligence and confirm our findings — in this case, we can confirm that the file is indeed malicious.
Let’s submit the answer and wrap up this investigation!
Conclusion:
Whew! Excellent job with the investigation! We made it through the ImageStegano Challenge and successfully revealed Mimikatz hiding within the .png image file! Now that we know what the malicious file is, let’s wrap this up.
Thank you to LetsDefend for providing another fun challenge and the opportunity to learn about steganography. This challenge was really interesting to me, and the lab was valuable to better understand how threat actors are always evolving their tactics and techniques. It was cool to see a practical example of malware embedded in an otherwise innocuous looking file. Having the hands-on practice with these concepts and some of the tools we used like psimage_decoder.py will be excellent additions to the toolkit!
Thank you so much for reading along, too! I hope that you had as much fun as I did and learned something new, too. Until next week — stay curious!
Tools & References:
InfoSec Glossary — SANS Internet Storm Center: https://isc.sans.edu/tools/glossary/
Exiftool: https://exiftool.org/
Microsoft Docs WSL: https://learn.microsoft.com/en-us/windows/wsl/about
Invoke-PSImage (GitHub): https://github.com/peewpw/Invoke-PSImage
psimage_decoder.py (GitHub): https://github.com/mertsarica/hack4career/blob/master/codes/psimage_decoder.py
Malicious Image Research: https://www.mertsarica.com/malicious-image/
MITRE ATT&CK Mimikatz: https://attack.mitre.org/software/S0002/
