I recently saw an article from Mandiant covering this technique, used by UNC4990, which sparked my interest in developing a script that obfuscates and deobfuscates text based on it. It can be useful for red team engagements, or, if you encounter a "blank" text file that appears suspicious, you can use the decoding script to see the deobfuscated version.
NOTE: This script does not use newline characters as spaces.
Reference: https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware
This script encodes a text file from its ASCII format into "spaces" and "tabs".
- Below is a sample text file that contains an obfuscated version of a reverse shell.
- Use the script to convert the file from its ASCII format to "spaces" and "tabs".
- Checking the output file, the reverse shell now appears to be hidden as "spaces" and "tabs".
This script decodes a text file containing "tabs" and "spaces" back to its ASCII format.
- Below is a sample "blank" text file that contains "tabs" and "spaces".
- Use the script to decode the "blank" text file back to its ASCII format.
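As an added example, not the repository's own script, here is a minimal Python encoder and decoder for this whitespace scheme, plus a triage check a responder can run over a suspicious "blank" file. The bit mapping is an assumption, since the page does not state the script's exact mapping: each byte becomes 8 whitespace characters, space for 0 and tab for 1, most significant bit first, with newlines never emitted by the encoder and skipped by the decoder.

```python
# Added example, not the repository's script. Assumed scheme: 8 whitespace
# characters per byte, space = bit 0, tab = bit 1, MSB first. Newlines are
# never produced by the encoder and are ignored by the decoder.

SPACE, TAB = " ", "\t"


def encode_whitespace(text: str) -> str:
    """Turn text into a string made only of spaces and tabs."""
    out = []
    for byte in text.encode("utf-8"):
        for shift in range(7, -1, -1):
            out.append(TAB if (byte >> shift) & 1 else SPACE)
    return "".join(out)


def decode_whitespace(blob: str) -> str:
    """Recover the text; anything other than space/tab (e.g. newlines) is skipped."""
    bits = [1 if ch == TAB else 0 for ch in blob if ch in (SPACE, TAB)]
    if len(bits) % 8:
        raise ValueError(f"whitespace length {len(bits)} is not a multiple of 8")
    data = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        data.append(value)
    return data.decode("utf-8", errors="replace")


def looks_blank_but_nonempty(blob: str, min_len: int = 64) -> bool:
    """Triage check: a file at least min_len long that is nothing but whitespace."""
    return len(blob) >= min_len and all(ch in (SPACE, TAB, "\n", "\r") for ch in blob)


if __name__ == "__main__":
    SAMPLE = "echo hello from a constructed sample"  # constructed input, not from the page
    hidden = encode_whitespace(SAMPLE)
    print(f"{len(SAMPLE)} chars -> {len(hidden)} whitespace chars")
    print("suspicious blank file:", looks_blank_but_nonempty(hidden))
    print("decoded:", decode_whitespace(hidden))
```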