Creating Fully Undetectable JavaScript Payloads to Evade Next-Generation Firewalls

Ethical Notice
 道德通知
This information is provided exclusively for the purposes of legitimate penetration testing, education, and further security research. The only way to improve security is by testing it. It’s only once we acknowledge a problem (e.g. in a security solution) that we can take steps towards fixing it. Being aware of a potential false sense of security is equally important.
此信息仅用于合法的渗透测试、教育和进一步的安全研究。提高安全性的唯一方法是对其进行测试。只有当我们承认问题（例如在安全解决方案中）时，我们才能采取措施修复它。意识到潜在的虚假安全感同样重要。

In today’s short blog post, we will be covering how to make any JavaScript payload fully undetectable!
在今天的简短博客文章中，我们将介绍如何使任何 JavaScript 有效负载完全无法检测到！

This simple technique works great, even a little too well, for evading detection of any offensive security tool that outputs JavaScript.
这种简单的技术在逃避任何输出JavaScript的攻击性安全工具的检测方面效果很好，甚至有点太好了。

Perfect use case: HTML Smuggling
完美用例：HTML 走私 ?

File introspection with the goal of blocking/detecting EXEs, scripts, and other downloads is a common feature of next-generation firewalls (NGFW) prevalently deployed by enterprises. To get around this security measure, attackers commonly deploy a technique known as HTML smuggling. It works by hiding a malicious file in JavaScript which is downloaded by the target and then decoded into the final payload. As usual, the target will simply see a file is being downloaded and will be none the wiser to the sneaky way in which we delivered it!
以阻止/检测 EXE、脚本和其他下载为目标的文件侦测是企业普遍部署的下一代防火墙 （NGFW） 的常见功能。为了绕过这种安全措施，攻击者通常会部署一种称为HTML走私的技术。它的工作原理是隐藏JavaScript中的恶意文件，该文件由目标下载，然后解码为最终有效负载。像往常一样，目标只会看到正在下载的文件，并且对我们交付它的偷偷摸摸的方式不会更明智！

Image courtesy Microsoft Threat Intelligence.
图片由威胁情报Microsoft提供。

Email attachments from sources external to an organization are often stripped. Hence why a website, with a link in the email, is usually used to deliver a payload in the first place. Most large email providers like Gmail or Outlook also always strip attachments with troubling extensions.
来自组织外部源的电子邮件附件通常会被剥离。因此，为什么电子邮件中带有链接的网站通常首先用于提供有效载荷。大多数大型电子邮件提供商（如Gmail或Outlook）也总是删除带有令人不安的扩展名的附件。

Naturally, defenders created signatures for these HTML smuggling JavaScript tools so they could be detected over the network (as opposed to the final payloads themselves):
当然，防御者为这些HTML走私JavaScript工具创建了签名，以便可以通过网络检测到它们（而不是最终的有效载荷本身）：

Above are the detections of one such HTML smuggling project: EmbedInHTML. In practice, a NGFW’s detection for this type of payload would be much higher. The antiviruses on VirusTotal aren’t as geared towards detecting this type of threat. Even still, we have lots of unwanted detections.
以上是一个这样的HTML走私项目的检测：EmbedInHTML。在实践中，NGFW对此类有效载荷的检测会高得多。VirusTotal上的防病毒软件不是针对检测此类威胁的。即便如此，我们也有很多不需要的检测。

Flying under the radar…
在雷达下飞行…?

So, the defenders made a move. Now it’s the attacker’s turn: How might an attacker become fully undetectable (at least… for now)?
于是，防守方采取了行动。现在轮到攻击者了：攻击者如何变得完全无法检测到（至少……目前）？

Simple, just paste your payload into obfuscator.io then click the “Obfuscate” button!
很简单，只需将您的有效负载粘贴到 obfuscator.io 然后单击“混淆”按钮！

Pro tip: If you’re HTML smuggling a binary file (like an EXE or DLL) then definitely make sure to select the RC4 encryption option under String Array Encoding. This is necessary to remove any last bits of data that NGFWs might use to signal on. Detecting the structure of any executable file (with its MZ magic number and other PE/COFF structures) within JavaScript is a very strong heuristic and NGFWs will not like it if they see that…
专业提示：如果您要通过 HTML 走私二进制文件（如 EXE 或 DLL），请务必确保在 RC4 String Array Encoding .这对于删除 NGFW 可能用来发出信号的任何最后一点数据是必要的。在 JavaScript 中检测任何可执行文件的结构（及其 MZ 幻数和其他 PE/COFF 结构）是一种非常强大的启发式方法，如果 NGFW 看到它，他们不会喜欢它……

One might think that obfuscating JavaScript in this way would be a huge red flag to NGFWs and other detection software. This would be true in almost any other case like with extensive PowerShell obfuscation or packers for binaries (e.g. antiviruses tend to hate the UPX packer). However, in the world of JavaScript it’s very normal to see heavily minified and sometimes obfuscated scripts to keep file sizes as low as possible for the web and possibly to protect proprietary code. This makes blending in with the vast quantities of those already existing legitimate scripts a very successful strategy.
有人可能会认为，以这种方式混淆JavaScript对NGFW和其他检测软件来说是一个巨大的危险信号。这在几乎任何其他情况下都是如此，例如广泛的PowerShell混淆或二进制文件的打包程序（例如，防病毒软件倾向于讨厌UPX打包程序）。然而，在 JavaScript 的世界里，看到大量缩小的、有时是混淆的脚本来保持文件大小尽可能低的 Web 并可能保护专有代码是很正常的。这使得与大量已经存在的合法脚本混合成为一种非常成功的策略。

Response (UPDATE) 响应（更新） ?

Florian Roth (@cyb3rops), a well-known detection engineer in the security space, acknowledged this hole in detection two days after this post went live.
安全领域著名的检测工程师Florian Roth（@cyb3rops）在这篇文章上线两天后承认了这个检测漏洞。

Okay, I just checked and so far we have postet 96,387,836 comments on @Virustotal
好的，我刚刚检查了一下，到目前为止，我们已经发布了96，387，836条评论@Virustotal

( and we have deactivated some very good but very noisy rules, e.g. for JavaScript obfuscation, which would have triggered on this sample https://t.co/3niDn2OQLf ) pic.twitter.com/3eos9Gyv1a
（我们已经停用了一些非常好但非常嘈杂的规则，例如用于JavaScript混淆的规则，这会在此示例 https://t.co/3niDn2OQLf 触发）pic.twitter.com/3eos9Gyv1a

— Florian Roth (@cyb3rops) August 17, 2023
— 弗洛里安·罗斯 （@cyb3rops） 2023 年 8 月 17 日

A few years ago, when I first came across this method for evading detection, the original output from obfuscator.io did indeed get caught by VirusTotal. However, after applying my “pro tip” the sample was fully undetected.
几年前，当我第一次遇到这种逃避检测的方法时，obfuscator.io 的原始输出确实被 VirusTotal 捕获了。然而，在应用我的“专业提示”后，样品完全未被检测到。

Trying this method out again today, I wondered why my sample was fully undetected by VirusTotal even without my “pro tip”. After all, detection is supposed to get better over time, not worse! I’m glad to have this question answered now.
今天再次尝试这种方法，我想知道为什么即使没有我的“专业提示”，我的样本也完全没有被 VirusTotal 检测到。毕竟，检测应该随着时间的推移而变得更好，而不是更糟！我很高兴现在回答这个问题。

It’s my hope that Florian Roth and other engineers can improve the state of JavaScript detection to better protect organizations from compromise.
我希望Florian Roth和其他工程师能够改进JavaScript检测的状态，以更好地保护组织免受损害。

Info   信息
Detection software (such as antivirus, endpoint detection and response, and next-generation firewalls) should only be used as part of a more holisitc defense-in-depth security strategy. This is primarily because security through detection is a cat-and-mouse game. If ‘real’ security is what you want then have a look at my binary exploitation or Qubes OS content (upcoming).
检测软件（如防病毒、端点检测和响应以及下一代防火墙）只能用作更全面的纵深防御安全策略的一部分。这主要是因为通过检测实现安全性是一场猫捉老鼠的游戏。如果“真正的”安全性是您想要的，那么请查看我的二进制开发或Qubes OS内容（即将推出）。

原文始发于Elliot Killick：Creating Fully Undetectable JavaScript Payloads to Evade Next-Generation Firewalls