I received a piece of malware today and, as one does, opened it up on my test machine. Like a lot of phishing emails, it was really just after a password (in this case via a fake Office 365 login page). One thing that jumped out at me was that the payload was a series of base64-encoded blobs. The machine was offline, so I couldn't use one of the many online decoders to see what it was doing. Time to bust out the old openssl and base64 commands.
Let's start with a quick example of encoding a string into base64. We'll use the openssl command to do this:
openssl enc -base64 <<< krypted
In the above command, we used the enc verb with the -base64 option. The <<< is a "here-string" that feeds the text to stdin (and appends a trailing newline, which is why the output ends in Ao= rather than A== as it would for the bare word). To decode the string, add -d:
openssl enc -base64 -d <<< a3J5cHRlZAo=
One caveat with openssl: it wraps its base64 output at 64 characters and, when decoding, expects line breaks at the same interval. If you feed it a long single-line blob, such as one copied out of a phishing page, it will silently return truncated output unless you also pass -A to treat the input as one line.
It's also possible to use the base64 command to decode a string:
base64 -d <<< a3J5cHRlZAo=
Note that -d is the GNU coreutils spelling; the base64 shipped with older versions of macOS uses -D instead, while --decode works on both. The traditional way to do this is to echo an encoded string into the base64 command with the --decode option:
echo a3J5cHRlZAo= | base64 --decode
Another easy way to do some of this is to use the pasteboard (clipboard) on a Mac, which helps when you're just doing a copy and paste. Here, we pipe the pasteboard contents via pbpaste into the same base64 command, as follows:
pbpaste | base64 --decode
What was crafty about this email, though, was that it was an encoded string, wrapped in an encoded string, wrapped in an encoded string, wrapped in an encoded string. Like a Russian doll. Each layer decodes to nothing but more base64, so a filter that only decodes one level sees no HTML, no URLs and no keywords. Yet the innermost layer still rendered a very real-looking .htm with an Office 365 password prompt. Crafty, and it bypassed allllll the filters.
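Peeling a Russian-doll payload by hand gets tedious after the second layer, so here is a small shell function that keeps decoding until the result is no longer base64. This is an added example, not code from the original post: peel_base64, PEEL_PAYLOAD, PEEL_DEPTH and the sample HTML are my own names and constructed data. It uses --decode so it runs with both GNU coreutils and the macOS base64, strips the line wrapping that encoders insert, and stops when the decoded bytes stop looking like printable text (a guard against "decoding" a short word that merely happens to be a valid base64 group).

```shell
#!/bin/sh
# peel_base64 BLOB: repeatedly base64-decode BLOB until the result is no longer
# base64, then leave the payload in PEEL_PAYLOAD and the layer count in PEEL_DEPTH.
# Hypothetical helper written for this example; not part of the original post.
peel_base64() {
    payload=$1
    depth=0
    tmp=$(mktemp)
    while :; do
        # Encoders wrap output at 64/76 columns; remove all whitespace before checking.
        compact=$(printf '%s' "$payload" | tr -d ' \t\r\n')
        # Anything outside the base64 alphabet means we have reached the real payload.
        case "$compact" in
            ""|*[!A-Za-z0-9+/=]*) break ;;
        esac
        # Valid base64 is always a multiple of four characters (macOS base64 is lenient here).
        [ $(( ${#compact} % 4 )) -eq 0 ] || break
        printf '%s' "$compact" | base64 --decode >"$tmp" 2>/dev/null || break
        # If decoding produced non-printable bytes, the current layer was already text.
        LC_ALL=C grep -q '[^[:print:][:space:]]' "$tmp" && break
        payload=$(cat "$tmp")
        depth=$((depth + 1))
    done
    rm -f "$tmp"
    PEEL_PAYLOAD=$payload
    PEEL_DEPTH=$depth
}

# Constructed sample: a tiny fake login form, base64-encoded three times over,
# standing in for the nested blobs described above (not the real phishing page).
SAMPLE_HTML='<form action="https://example.invalid/login"><input name="password"></form>'
build_sample() {
    printf '%s' "$SAMPLE_HTML" | base64 | base64 | base64
}

# Demo: peel the constructed sample and report how many layers it took.
peel_base64 "$(build_sample)"
echo "decoded after $PEEL_DEPTH layers:"
printf '%s\n' "$PEEL_PAYLOAD"
```

To use it on a real sample, replace build_sample with pbpaste or cat on the saved attachment. Note that the loop deliberately stops at the first layer that decodes to binary, so if the innermost layer is a gzip stream or a binary file rather than HTML, PEEL_PAYLOAD will hold the last base64 text and you decode that one step manually into a file.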