Bypassing Web Proxies, Static Rules, and Google Safe Browsing at Scale

TLDR


We got fed up with Google Safe Browsing, so we quickly put together a piece of code that fetches the origin, encodes it, and renders it in the user's browser. A few years back it caused enough trouble that writing a script to solve the problem was justified; this version means we don't have to worry about it again.


This research builds on existing work by some of our peers in the Red Team and security testing industry. We're publishing it to help other Red Team firms performing attack simulations make better use of these techniques for their customers. The prior work used a Python script that had to be run against each set of files before serving them. With the solution in this blog post, we only need to set up a Worker in front of the origin, and all content fetched from the domain should be dynamically encoded and proxied.


What is Google Safe Browsing?

Google Safe Browsing is a service that runs in Chrome and checks whether any website you visit is considered malicious. It checks each site against Google's Safe Browsing lists, which are organized by platform and threat type.


Although more organizations are transitioning to Edge, which Microsoft has rebuilt on Chromium, Chrome is still widely used by many organizations.


You can examine a website's status here: https://transparencyreport.google.com/safe-browsing/search


Prior Work


r-tec found that you could use Base64 encoding with a bit of JavaScript to bypass Google Safe Browsing detections. You can read more about their research in the link under References.


The idea of using redirectors and proxies for various operational aspects is already well documented in many "Red Team" training courses such as SANS SEC565, Dark Vortex's Red Team and Operational Security, Red Team Ops II, MDSec's Adversary Simulation and Red Team Tactics, and more.


Basic Red Team infrastructure design aspects, such as the use of redirectors, are well documented in Bluscreenofjeff's Red Team Infrastructure Wiki.


Automating Base64 Encoding of HTML Contents


As mentioned above, we wanted something more automatic: we don't want to run a Python script every time. The first idea that came to mind was a Cloudflare Worker script, so that's what we wrote.


We've never had much trouble with Safe Browsing ourselves, so we're basing most of this research on what r-tec published. The only time it became an issue was a few years back when sending a G Suite phish to Google Workspace inboxes during a phishing simulation. Most of our customers use Office 365, so we've rarely run into it.


That said, the technique can also be used in another scenario: bypassing signatures or content detections that web proxies such as Zscaler apply to page content.


Cloudflare Worker

We wrote a script that fetches the origin from the IP address specified within Cloudflare, performs the necessary encoding, and wraps the result in JavaScript that decodes it in real time when the page loads in the user's browser.


This currently doesn't work for images, so there is an allowlist of specific extensions such as .png and .jpg that are served without encoding.



To test, make an index.html; here we just put "FOO".


After connecting to the server, we can see that it automatically takes the content it observes and performs the necessary encoding before wrapping it properly as we expected:

When viewing it without view-source, we can see that the text is rendered correctly by the JavaScript:

Now, we can test it again with a full HTML phishing page:


Because of the allowlist in the code, the images load correctly. This simple page submits data to a PHP page, which renders correctly after submission. Any static content, and even JavaScript code, can be encoded by this proxy.
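From the detection side, the proxy described above leaves a recognizable shape in every response it serves: a short HTML shell whose only real content is a long Base64 string literal handed to atob() and written into the document. The following Python is an added example, not code from this post or from the authors' Worker, that scans a response body for that shape, decodes each candidate literal, and reports the ones that turn out to be HTML themselves. The two sample responses are constructed here, and the 64-character threshold and the marker list are assumptions a deployer would tune for their own traffic.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Tunable assumptions: literals shorter than this are ignored (ids, nonces),
# and a decoded literal counts as a hidden document if it contains any marker.
MIN_B64_LEN = 64
HTML_MARKERS = ("<html", "<body", "<form", "<script", "<input", "<iframe")

# A quoted Base64 literal, and a client-side decode call.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{%d,}={0,2})["\']' % MIN_B64_LEN)
ATOB_CALL = re.compile(r"\batob\s*\(")


@dataclass
class Finding:
    offset: int            # where the literal starts in the response body
    encoded_len: int
    decoded_len: int
    markers: list = field(default_factory=list)
    uses_atob: bool = False


def _decode_text(literal: str):
    """Decode a Base64 literal to text, or None if it is not valid Base64/UTF-8."""
    try:
        raw = base64.b64decode(literal, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def scan_response(body: str) -> list:
    """Return one Finding per Base64 literal in `body` that decodes to HTML."""
    uses_atob = ATOB_CALL.search(body) is not None
    findings = []
    for match in B64_LITERAL.finditer(body):
        literal = match.group(1)
        text = _decode_text(literal)
        if text is None:
            continue  # binary data (e.g. image bytes) or not Base64 at all
        lowered = text.lower()
        markers = [m for m in HTML_MARKERS if m in lowered]
        if markers:
            findings.append(Finding(match.start(1), len(literal), len(text), markers, uses_atob))
    return findings


def encoded_fraction(body: str, findings: list) -> float:
    """Share of the response taken up by flagged literals; a value near 1.0 means
    the visible HTML is only a shell around the encoded document."""
    if not body:
        return 0.0
    return sum(f.encoded_len for f in findings) / len(body)


# Constructed fixtures (not captured traffic): a wrapped page of the kind the
# proxy in the post emits, and a benign page with only a short inline data URI.
_INNER_PAGE = "<html><body><form action='login.php'><input name='user'></form></body></html>"
WRAPPED_SAMPLE = (
    '<html><body><script>document.write(atob("'
    + base64.b64encode(_INNER_PAGE.encode()).decode()
    + '"));</script></body></html>'
)
BENIGN_SAMPLE = '<html><body><img src="data:image/png;base64,iVBORw0KGgo="></body></html>'

if __name__ == "__main__":
    for name, sample in (("wrapped", WRAPPED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = scan_response(sample)
        print(name, len(found), "finding(s),", f"{encoded_fraction(sample, found):.0%} of body encoded")
        for f in found:
            print("  offset", f.offset, "decoded", f.decoded_len, "bytes, markers", f.markers, "atob", f.uses_atob)
```

Run at a proxy or in a response-inspection hook, the combination of `uses_atob`, HTML markers inside the decoded text, and a high `encoded_fraction` separates this pattern from ordinary pages that carry an inline image or a short token in Base64. The allowlist the post mentions is visible from this side too: image requests to the same host come back unencoded, while every HTML and script response is a shell around one literal.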


Here's a small example of an HTML page with a wrapped JavaScript alert box:


When requested, the contents are as shown:

Output rendering in a browser:


Future Work


We already run a relatively advanced system and are beginning to publish parts of it so that other Red Teams can apply these techniques within their own toolchains.


Areas coming soon:

1) Encryption

2) Specify files to be served as downloads in the browser (HTML smuggling, automated)


References

https://www.r-tec.net/r-tec-blog-evade-signature-based-phishing-detections.html
