Data exfiltration and infiltration are two crucial tasks in Cybersecurity. Hackers mainly focus on data exfiltration since they usually operate to steal sensitive information. The exfiltration is carried out either by exporting data in its original form or altering its format using different techniques like Steganography. CloakifyFactory is one such tool that has the ability to conceal and reproduce data in its original form. The tool can transform data in any format (XML, HTML, TXT, etc.) into common strings that appear harmless to the security analysts or deployed security solutions like DLPs, Data whitelisting controls, AV solutions, etc. Besides exfiltration, CloakifyFactory can be used for data infiltration tasks, such as transporting the payloads to their destinations without triggering security alerts.
Ciphers and Noise generators are the two main components of CloakifyFactory. The ciphers allow the users to conceal and replace the original data file with one of the following pre-built cipher packages.
Apart from pre-packaged ciphers, CloakifyFactory allows the use of custom ciphers. Custom ciphers can be added using the following steps.
1) Create a list of words, phrases, or symbols without blank spaces or duplicate entries. There should be at least 66 words, phrases, or symbols.
2) Place the newly created list in the “ciphers” subdirectory.
3) Reload the CloakifyFactory to use the newly cipher options.
Frequency analysis is one of the common techniques used to decipher texts. To avoid the frequency analysis, CloakifyFactory has the noise generator feature that adds noisy data to the ciphertext to evade detection. The tool comes with the following noise-generator options.
- PrependTimestamps (Adds Timestamps to each entry in ciphertext)
- PrependLatLonCoords ( Adds random coordinates)
- prependEmoji (Adds random emoji)
- prependID (Adds random ids)
How to Install CloakifyFacory?
CloakifyFactory can be copied from Github using the following command. The tool does not have any specific requirements to operate.
git clone https://github.com/TryCatchHCF/Cloakify
How CloakifyFactory Operates?
The cloakifyFactory.py is the main Python file that loads the tool. We can run the coakifyFactory by executing this file from the tool’s directory. The file permissions for all Python files can be changed before running any other command.
chmod +x *.py
The above command loads the tool with the fowling main menu.
From the main menu, we can explore the available ciphers and noise generators before proceeding with the cloaking option.
Selecting the first (cloakify file) option prompts for the desired file (name and path) to conceal the information available in the file. The following examples demonstrate the working of CloakifyFactory in different scenarios.
Example #1: Concealing Data without Noise
Selecting the Cloakify File option from the main menu prompts users to enter the target File name and path in the terminal. In this example, the input file is a list of usernames and passwords that is stored in the Documents folder of the operating system.
The tool also requires the output file name that stores the input file data in a concealed manner. Let’s call the output file funny.txt.
In the next step, CloakifyFactory asks for the desired cipher to be used to conceal the input file data. We have selected the emoji cipher option from the list.
Once all necessary details are provided, the tool generates the ciphertext that can be previewed in the current interface window or in the output file.
Output File Content
Decrypting the Cipher File
The process of deciphering the file is similar to the cloaking method. Select the “Decloakify” file option from the main menu and repeat the aforementioned steps.
Example #2: Concealing Data with Noise
We can add noise (raw data) to the ciphertext by selecting one of the following available noise generation options.
The process of “decloakifying” the noisy ciphertext file is also similar to the “cloakifying” process. The users are asked to select the noise generator option that was used to create the cipher.
Example # 3: Concealing Payloads
The CloakifyFactory tool also has the tendency to conceal the payloads to evade the AV solutions. We have used Venom tool to generate a Windows payload.
The payload file was masked with the IP Addresses cipher from the CloakifyFactory ciphers list.
We have successfully obtained the original payload from the cipher file by following the “decloakify” steps.
CloakifyFactory can bypass AV’s, DLP’s, and other SIEM solutions that are deployed to control data exfiltration or intrusions. The support for a variety of input file types, simple output data formats, and custom ciphers addition options makes CloakifyFactory a powerful Cloakify Toolset.