Upon starting to work with Microsoft Word macros, it became pretty obvious why malware hidden within macros has become so popular. It was incredibly easy to set up a macro to perform a function. These macros are primarily written in Visual Basic. Within the macro you can set up a function called Auto_Open to have it automatically run upon the document being opened. From there I was able to easily set up the macro to run PowerShell commands, and then to download a file from online once the document is opened.
However, I didn't want to stop at just downloading a file from online. So I started up a Kali Linux virtual machine and proceeded to set up a reverse TCP shell connection. To begin I used the Social Engineering Toolkit (SET) to create a payload. In order to do this I opted for a "powershell alphanumeric shellcode injector." I provided SET my VM's local IP address and a port number. SET then created a custom payload for me, which I loaded onto an Apache web server hosted on the VM. Next I needed to set up the Metasploit Framework to act as a listener for when someone would download and execute the payload. Upon starting up Metasploit, I set the proper IP and port for the listener as well as selecting the payload for a reverse_tcp connection. I then started the listener within Metasploit. From here I updated the Word document's macros to download the payload, transferred the completed document to a test VM and opened it. I needed to allow Word access to macros, as you typically do with a fresh install of Microsoft Office, but then it executed the macros, and my Kali Linux VM had a shell set up within the test VM.
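The flip side of how easy this was to build is how easy the first signal is to catch. The check below is an added example from the defender's side, not code from the original post: a modern Word document is a zip package, and a macro-enabled one carries a `word/vbaProject.bin` part declared in `[Content_Types].xml` with the `application/vnd.ms-office.vbaProject` content type. A mail gateway or file drop can flag that part (and a macro part hiding behind a non-macro extension) before a user ever sees the "enable content" bar. The sample packages are constructed in memory so the script runs offline; the names `build_sample`, `inspect_ooxml` and `verdict` are this example's own.

```python
import io
import os
import zipfile

# Content type that an OOXML package uses to declare a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Extensions Office uses for documents that are allowed to carry macros.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def inspect_ooxml(data: bytes, filename: str) -> dict:
    """Inspect an OOXML (zip) document for signs of embedded VBA macros.

    Legacy binary formats (.doc/.xls, OLE2 compound files) are not zips and
    are reported as 'not ooxml'; they need a separate OLE parser.
    """
    findings = {
        "is_zip": False,
        "has_vba_part": False,
        "declares_vba_type": False,
        "extension_mismatch": False,
        "vba_parts": [],
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    findings["is_zip"] = True

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # The VBA project is stored as a binary part, normally word/vbaProject.bin.
        findings["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        findings["has_vba_part"] = bool(findings["vba_parts"])
        # A well-formed package also declares the part's content type.
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["declares_vba_type"] = VBA_CONTENT_TYPE in content_types

    # A macro part inside a file that does not use a macro-enabled extension is
    # worth a closer look: the extension is lying about what the package holds.
    ext = os.path.splitext(filename)[1].lower()
    findings["extension_mismatch"] = findings["has_vba_part"] and ext not in MACRO_EXTENSIONS
    return findings


def verdict(findings: dict) -> str:
    """Collapse the findings into a one-word triage label."""
    if not findings["is_zip"]:
        return "not ooxml"
    if findings["has_vba_part"] or findings["declares_vba_type"]:
        return "macro-enabled"
    return "no macros"


def build_sample(with_macros: bool) -> bytes:
    """Constructed sample package (not a real document) for offline testing."""
    overrides = '<Override PartName="/word/document.xml" ContentType="application/xml"/>'
    if with_macros:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a real (OLE2) VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("clean.docx", build_sample(False)),
                       ("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True))]:
        f = inspect_ooxml(blob, name)
        print(f"{name}: {verdict(f)} mismatch={f['extension_mismatch']} parts={f['vba_parts']}")
```

Presence of a VBA part is a coarse signal, not proof of malice, so in practice it feeds a policy (quarantine, strip, or sandbox) rather than a block on its own; the Auto_Open hook and the PowerShell call described above live inside the compressed project stream and need a proper VBA parser to surface.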