👾
Malware Development Guide
  • 🚀Introduction
  • 🐤Baby Steps
    • 📔Pre-requisite Knowledge
    • What is Malware?
    • Programming Guide
    • Vulnerability Analysis
  • 👾Basic Malware
    • Fork Bombs
    • Logical Bombs
    • Zip Bombs
    • Keyloggers
    • Wipers
    • ScreenJackers
    • Prependers and Postpenders
    • What's Next?
  • 💀Intermediate Malware
    • Browser Extensions
    • Worms
    • RATs
  • ☠️Advanced Malware
    • Botnets w/ C2 Servers
    • Rootkits and Bootkits
    • Polymorphic Malware
  • Appendix
    • Pivoting
      • Windows: Effing Drivers
      • Windows: Abusing LSASS
    • Elementary Concepts and Stuff
      • Memory Representation
      • Expressions
    • Being Stealthy
      • UAC Evasion
      • OPSEC
      • Code Obfuscation
      • Signing Code and Binary Properties
      • Punycodes
    • Backdoors
    • Windows Process Injection
    • SIM Swapping
    • Quishing
    • RunPE
    • Malware Packers
    • Learning Resources
  • Updates n Stuff
  • Scratchpad
Powered by GitBook
On this page
  1. Appendix
  2. Being Stealthy

Punycodes

More like sneaky than "stealthy"

PreviousSigning Code and Binary PropertiesNextBackdoors

Last updated 1 year ago

TL;DR: Using alternate yet similar-looking characters in a URL, attackers can potentially exploit not-so-well-known features of URLs to trick users. Well... if they can do it, so can we! Using similar concepts, it's easy to trick people into downloading malware and/or running arbitrary code.

Wikipedia:

Punycode is a representation of Unicode with the limited character subset used for Internet . Using Punycode, host names containing Unicode characters are transcoded to a subset of ASCII consisting of letters, digits, and hyphens, which is called the letter–digit–hyphen (LDH) subset.

"Cool! So... what exactly do we use this stuff for?" I hear you ask. Well, it's not exactly malware malware material, instead, let me explain this using an example. I'd like you to take a moment and observe the difference between the following:

URL_1:     https://adidas.com/
URL_2:     https://αdidas.com/

Easy to spot, right? (the first a is replaced with a greek alpha: α) Now try this:

URL_1:     https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
URL_2:     https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1.27.1.zip

If you can't spot it, or if the characters look a bit messed up on your device, check . This is a relatively new thing so if you want a very in depth analysis, watch this:

References

https://en.wikipedia.org/wiki/Punycode
https://www.jamf.com/blog/punycode-attacks/
https://en.wikipedia.org/wiki/List_of_Unicode_characters
https://www.malwarebytes.com/blog/news/2023/05/zip-domains
ASCII
hostnames
this malwarebytes article