Printer Friendly



In the past few years of cyber world, cybercriminals are implementing new techniques to hide their malicious code inside other files in such a fashion that it is undetected by antivirus.. For it, they are using several complex infection processes than the previous one. As the technology changes, the new generation of cyber criminals are now putting their steps forward. They are now leaving traditional cybercrimes and using advance techniques where the malicious payload is hidden in encrypted files--which ever be the known file format. There are several example over internet in which cyber attacks or incidents shows that attackers are using sophisticated techniques.

In September 2016, Cisco talos-intel identified an exploitable out-of-bounds vulnerability present in the JPEG 2000 image file format parser which is implemented in OpenJPEG library and now identify by its TALOS-2016-0193 identification number or Common Vulnerabilities and Exposures CVE-2016-8332. This JPEG 2000 is a file format which is specially used for embedding images inside the PDF documents. This specific vulnerability is so dangerous that it allow attacker to write out-of-bound heap which include the heap corruption and then arbitrary code execution is possible [1]. In March 2016 Kaspersky Lab, catch a malicious payload hidden in the PNG file i.e. it is embedded with the PNG file. This attack starts with a simple phishing PDF [2].

Such types of incidents shows that now images over the internet are not seen as innocent. They now can be a medium to compromise the protected system. The attacker manipulate the images and these images are harmless until a trigger or input is given in the form of double click done by the user on that image which immediately start a malicious activity [3].

Researchers of Sucuri in July 2013 reported an incident where they found an backdoor present on a site that which was compromised. This backdoor did not depend on the normal patterns like base64 and gzip encoding which is used to hide the contents contained within it [3].

This backdoor is divided into two parts. Both of part are functions in which the first part is a mix of exif_read_data function which is used to read the image headers and the preg_replace function which is used to execute the content. both PHP functions are actually stored its data within the EXIF header location of a JPEG image.

$exif = exif_read_data('/homepages/clientsitepath/

images/stories/food/bun.j pg');


Both functions are harmless by themselves. However, pregreplace has a tricky and hidden options. On passing "/e" modifier it execute the content(eval), instead of just searching /replacing [3].On looking to bun.jpg file, second part of backdoor looks like:

yOya^@^PJFIF^@^A^B^@^@d^@d^@^@ ya^@! Exif^@^@II*^@^H^@^@^@^B^@^ O^A^B^@^F^@^@^@&^@^@^@^P^A^B^ @m^@^@^@,^@^@^@ ^@^@^@^@/.*/e^ @ eval ( base64_decode("aWYgKGl zc2V0K CRfUE9TVFsie noxIl0pKSB7ZXZhbChzdHJ pcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSk pO30='));@yi^@^QDucky^@^A^@^D^@^@ ^@<^@^@yi^@^NAdobe^

This types of incident show that, over internet, there are several freely available tools which are used to hide the malicious payload inside the images. FATRAT is one of them. It is a massive exploiting tool which is easy to understand and create backdoor. This tool compiles a malware with popular payload and then the compiled malware can be execute on windows, android, mac . The malware that created with this tool also have an ability to bypass most AV software protection .This tool is used to post exploitation attack like browser attack, dll, bypass AV, etc. In this paper, We compile the malware and payload with the JPEG images and make it a malicious image. After it, analysis is done in our own malware analysis setup lab and show the result.

In this paper, we analyze the backdoor creator and demonstrate the Practical approach which are used by the security personals or researcher to find out the hidden files or proving the presence of hidden data inside the image.


The Fatrat is a massive exploiting tool [4]. It create backdoor for windows, linux, mac and android. It can bypass antivirus. It checks for metasploit service and start if not present. It is capable of crafting meterpreter reverse_tcp, start multiple meterpreter reverse_tcp listners. It uses the fast search in searchsploit and many more. The functions provided by the fatrat are:

1) Create backdoor with msfvenom

2) Create FUD 100% Backdoor [slow but powerfull ]

3) Create FUD Backdoor with Avoid 1.2

4) Create FUD 100% Backdoor with backdoor-factory [embed]

5) Backdooring Original apk [Instagram, Line, etc ]

6) Create Fud Backdoor 1000% with PwmWinds [Excelent]

7) Create Backdoor For office with Microsploit

8) Create auto listeners

9) Jump to msfconsole

10) Searchsploit

11) File Pumper [Increase Your Files Size]

12) Configure Default Lhost & Lport

13) Cleanup

The FATRAT facilitate the following facilities under different section shown below:-


Using FATRAT, several samples are created using different functionality provided and discussed previously:

Step 1: Hashing : A Fingerprint for malware-Hashing is used to uniquely identify malware. For it Message Digest Algorithm 5 (MD5) hash function is commonly used.

Output Hash :


Step 2: Finding Strings:

Output : Presence of powershell.exe in hidden mode detected Presence of Mingw detected but failed during execution

Step 3: Detecting Packers with PEiD

Output:- Sample is not packed with any kind of UPX, beside it on digging gets Magic literal: PE32 executable for MS Windows (GUI)

Step 4: Check PE Files Headers and Sections with Image file header

Final Output:

Target machine Intel 386 or later processors and compatible processors

Compilation timestamp 2017-05-18 00:45:53

Entry Point 0x000014C0

Number of sections 15

Step 5: Analysis using IDA Pro. In this step, we show to difference of real genuine Image vs Malicious crafted coded Image.

Real Image :- As we see in IDA pro disassembler, there is no import or export funtions are used as it is a real genuine Image.

Malicious crafted coded Image.:- There are several import or export functions are used.

Same file but with Embedded codes

Step 7:- Opening shellcode As there are lots of Import functions hide inside the images and using on executing it.

Step 8 :- Analyzing the genuine Image vs Malicious crafted coded Image in Hex Editor Neo

During the searching of artifacts, we find out the attacker IP and powershell in hidden


Malicious payload which is hide using FATRAT are hard to detect & this scheme is generally used by the criminal to act maliciously in other area. For it, they generally used the various types of file format in which JPEG is the most innocent one. So, the challenges of scanning billions of image which are crossing the organization borders, irrelevant to their size, which are non-impacting anomalies are huge.

This provide an opportunity to the malware authors to take it as a advantage and using it to hide malicious code which leave an organization, stealthily send commands to infected victim and transferring various types of malwares across existing types of defenses. So as a researcher it is required to analyze such types samples and detect the images containing the malicious content in the real time scenario.


[1] Cisco, 2016, "Vulnerability Spotlight:OpenJPEG JPEG2000 mcc record Code Execution Vulnerability",Available at:< /security /talos/vulnerability-spotlight-jpeg2000>, [ Accessed on 19 Oct 2016].

[2] Securelist, 2016, " PNG Embedded--Malicious payload hidden in a PNG file", Available at: <Error! Hyperlink reference not valid.>, [Accessed on 20 Oct 2016].

[3] Sacuri, 2013, " Malware Hidden Inside JPG EXIF Headers", Available at: <Error! Hyperlink reference not valid.>, [Accessed on 2 Nov 2016].

[4] Fatrat, 2017, "The Fatrat", Available at: <>, [Accessed on 5/09/2016]

[5] Github, /25420100/9ee12cf6-2a80-11e7-8dfa-c2e3cfe71366.png

[6] Github, / 18483873/39d54372-7a10-11e6-890f-41803a33b9c9.png

[7] Github,

[8] Github,

(1) Rakesh singh kunwar, (2) Priyanka sharma, (3) K. V. Ravi kumar

(1,2,3) Raksha Shakti University, Gujarat, India

(1), (2), (3)
COPYRIGHT 2018 The Society of Digital Information and Wireless Communications
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2018 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Kunwar, Rakesh singh; Sharma, Priyanka; Kumar, K.V. Ravi
Publication:International Journal of Cyber-Security and Digital Forensics
Article Type:Report
Date:Jan 1, 2018
Previous Article:A Virtual Environment Forensic Tool.
Next Article:Audio Steganography via Cloud Services: Integrity Analysis of Hidden File.

Terms of use | Privacy policy | Copyright © 2021 Farlex, Inc. | Feedback | For webmasters