How to Execute Hidden Python Commands in a One-Line Stager


A stager is a small piece of software that's typically used by malware to hide what's happening in the early stages of infection and to download a larger payload later.


We're going to explore how it works by creating a single line of Python that downloads and runs an arbitrarily long payload. An attacker could use this to hide a suspicious, damaging payload in a way that someone who's just skimming through the source of a new security tool might miss.


The way we're going to unpack this is by encoding each of our commands in Base64 and storing them in a JSON object hosted online, so the stager can pull the object down, decode the commands, and run them one by one, all while staying within a single line of Python.
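A defender-side counterpart to the mechanism just described, added here as an example that is not part of the original article: a small static review that flags the "decode Base64, then hand it to exec/eval" shape in a line of source and decodes the staged commands for inspection without executing any of them. The one-liner and the JSON document below are constructed for this example, and the field name `commands` is an assumption, since the article has not yet shown its JSON layout. Tokens that are not valid Base64, or that decode to non-text bytes, are skipped rather than reported.

```python
import base64
import binascii
import json
import re

# Constructed sample JSON of the kind the article describes: each staged command
# is Base64-encoded and stored in a list. It is embedded inline (no network) so
# the example runs offline. The key name "commands" is an assumption.
SAMPLE_JSON = json.dumps({
    "commands": [
        base64.b64encode(b"print('hello from stage one')").decode(),
        base64.b64encode(b"import os; print(os.getcwd())").decode(),
    ]
})

# Constructed sample of the one-line shape under review. STAGED is a stand-in
# name for wherever the JSON text came from; this string is only analysed, never run.
SAMPLE_LINE = (
    "import base64,json;[exec(base64.b64decode(c)) for c in "
    "json.loads(STAGED)['commands']]"
)

# A decode call whose result is fed to an interpreter inside the same expression.
EXEC_PATTERN = re.compile(r"\b(exec|eval)\s*\(.*\bb64decode\b", re.DOTALL)
# Runs of Base64 alphabet characters long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def looks_like_decode_and_run(line: str) -> bool:
    """True when a line both Base64-decodes something and passes it to exec/eval."""
    return bool(EXEC_PATTERN.search(line))


def decode_embedded_b64(text: str) -> list[str]:
    """Return every Base64 token in `text` that decodes to printable UTF-8 text.

    Invalid Base64 (bad alphabet or padding) and tokens that decode to binary
    are skipped, so ordinary identifiers and hashes do not produce noise.
    """
    found = []
    for token in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            found.append(decoded)
    return found


def review_stager(line: str, fetched_json: str) -> dict:
    """Static review: flag the decode-and-run shape in `line` and reveal the
    commands staged in `fetched_json`, without running any of them."""
    commands: list[str] = []
    try:
        data = json.loads(fetched_json)
    except json.JSONDecodeError:
        # Not JSON at all; still look for Base64 text in the raw body.
        commands.extend(decode_embedded_b64(fetched_json))
    else:
        # Walk every list-valued field, since the key name is only an assumption.
        values = data.values() if isinstance(data, dict) else [data]
        for value in values:
            if isinstance(value, list):
                commands.extend(decode_embedded_b64(" ".join(map(str, value))))
    return {
        "decode_and_run": looks_like_decode_and_run(line),
        "staged_commands": commands,
    }


if __name__ == "__main__":
    report = review_stager(SAMPLE_LINE, SAMPLE_JSON)
    print("decode-and-run pattern present:", report["decode_and_run"])
    for cmd in report["staged_commands"]:
        print("staged command:", cmd)
```

The point of keeping decoding and execution apart is that a reviewer can see exactly what a one-liner would have run before deciding whether the tool is trustworthy; the same two checks fit naturally into a pre-commit or code-review hook over any Python source.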






Install or Update Python 3


To follow along, you'll need Python 3 installed on your computer. Not sure if you have it? Type python3 --version into a terminal window to find out.


~$ python3 --version
Python 3.7.6

If you don't have the latest version of Python 3, run sudo apt update and then sudo apt install python3 in a terminal window.


~$ sudo apt update
[sudo] password for kali:
Hit:1 http://kali.download/kali kali-rolling InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
1015 packages can be upgraded. Run 'apt list --upgradable' to see them.
~$ sudo apt install python3
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required: dkms libgfapi0 libgfrpc0 libgfxdr0 libglusterfs0 libpython3.7-dev linux-headers-amd64 python3.7-dev
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
...
Processing triggers for desktop-file-utils (0.24-1) ...
Processing triggers for mime-support (3.64) ...
Processing triggers for libc-bin (2.29-9) ...
Processing triggers fo ..
