1.2.3 Decoding Custom Base64

Attackers use different variations of Base64 encoding; the idea is to prevent standard Base64 decoding tools from decoding the data successfully. In this section, you will learn to recognize and undo some of these techniques.

Some malware samples remove the padding character (=) from the end. A C2 communication made by a malware sample (Trojan Qidmorks) is shown here. The following POST payload looks as if it is encoded with Base64 encoding:

When you try to decode the POST payload, you get the `Incorrect padding` error, as follows:

The reason for this error is that the length of the encoded string (150) is not a multiple of 4. In other words, two characters are missing from the Base64-encoded data, and they are very likely to be padding characters (==):

>>> encoded = "Q3VycmVudFZlcnNpb246IDYuMQ0KVXNlciBwcml2aWxlZ2llcyBsZXZlbDogMg0KUGFyZW50IHByb2Nlc3M6IFxEZXZpY2VcSGFyZGRpc2tWb2x1bWUxXFdpbmRvd3NcZXhwbG9yZXIuZXhlDQoNCg"
>>> len(encoded)
150

Appending two padding characters (==) to the encoded string successfully decodes the data, as shown here. From the decoded data, it can be seen that the malware sends the operating system version (6.1, which corresponds to Windows 7), the privilege level of the user, and the parent process to the C2 server:

Sometimes, malware authors use a slight variation of Base64 encoding. For instance, an attacker can use a character set where the characters - and _ are used in place of + and / (the 63rd and 64th characters), as shown here:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_

Once you identify which characters of the standard character set were replaced to encode the data, you can use code such as the following. The idea is to replace the modified characters with the original characters from the standard character set and then decode the result:

>>> import base64
>>> encoded = "cGFzc3dvcmQxMjM0IUA_PUB-"
>>> # map the substituted characters back to the standard alphabet
>>> encoded = encoded.replace("-", "+").replace("_", "/")
>>> decoded = base64.b64decode(encoded)
>>> print(decoded.decode())
password1234!@?=@~

Sometimes, malware authors alter the order of the characters in the character set. For example, they may use the following character set instead of the standard character set:

0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz

When attackers use a nonstandard Base64 character set, you can decode the data using the following code. Note that, in addition to the 64 characters, the variables chr_set and non_chr_set also include the padding character = (as the 65th character), which is required for proper decoding:

>>> import base64
>>> chr_set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
>>> non_chr_set = "0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz="
>>> encoded = "G6JgP6w="
>>> re_encoded = ""
>>> for en_ch in encoded:
...     # look up the character's position in the custom set and take the
...     # standard character at the same position
...     re_encoded += chr_set[non_chr_set.find(en_ch)]
...
>>> decoded = base64.b64decode(re_encoded)
>>> print(decoded.decode())
Hello

You can also perform custom Base64 decoding using the ConverterNET tool by selecting Conversions | Convert Custom Base64. Just enter the custom Base64 character set in the Alphabet field, and then enter the data to decode in the Input field and press the Decode button, as shown here:
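The three techniques above (stripped padding, substituted characters, and a reordered alphabet) are all handled by one decoder in the following added example, which is not code from the book. It generalizes the per-character loop shown above into a translation table, re-pads the input, and tries each alphabet seen in this section against a sample; the alphabet names in `ALPHABETS` are labels chosen here, and the samples are the ones quoted in the text.

```python
import base64
import binascii

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# The alphabets discussed in this section; the names are labels chosen here.
ALPHABETS = {
    "standard": STD_ALPHABET,
    "urlsafe": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_",
    "digits_first": "0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
}


def decode_custom_b64(data: str, alphabet: str = STD_ALPHABET) -> bytes:
    """Decode Base64 written with any 64-character alphabet, restoring padding
    that the sender stripped. Raises binascii.Error on invalid input."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    # Map each custom character to the standard character at the same index;
    # this is the per-character loop from the text done with a translation table.
    translated = data.strip().translate(str.maketrans(alphabet, STD_ALPHABET))
    # Drop any '=' that is present and re-pad to a multiple of 4, which is the
    # fix for the "Incorrect padding" error seen with the Qidmorks payload.
    translated = translated.rstrip("=")
    translated += "=" * (-len(translated) % 4)
    # validate=True rejects characters outside the standard alphabet instead of
    # silently discarding them, so a wrong alphabet guess fails loudly.
    return base64.b64decode(translated, validate=True)


def try_known_alphabets(data: str) -> dict:
    """Try every alphabet in ALPHABETS; each value is decoded bytes or None."""
    results = {}
    for name, alphabet in ALPHABETS.items():
        try:
            results[name] = decode_custom_b64(data, alphabet)
        except (binascii.Error, ValueError):
            results[name] = None
    return results


if __name__ == "__main__":
    # Samples quoted in this section: URL-safe alphabet and reordered alphabet.
    for sample in ("cGFzc3dvcmQxMjM0IUA_PUB-", "G6JgP6w="):
        for name, result in try_known_alphabets(sample).items():
            print(f"{sample} [{name}] -> {result!r}")
```

A sample that is valid under several alphabets (such as `G6JgP6w=`) yields several candidates; pick the one whose output is meaningful, as `Hello` is under the reordered alphabet.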
