24 C
Jaipur
Saturday, October 24, 2020

Macro Pack – Automatize Generation of Malicious Office Documents

Must read

US sanctions Russian institute linked to dangerous malware – Latest News

Washington imposed sanctions on a Russian research institute tied to the development of a dangerous computer program capable of causing catastrophic industrial damage, a...

Dell: Data is fuel, 5G fabric for digital transformation: Michael Dell – Latest News

Reiterating that technology has never been more central than it is in the pandemic times, Dell Technologies chairman and CEO Michael Dell has said...

8K TV: Samsung launches The 8K Festival with QLED 8K TVs

Samsung has launched 'The 8K Festival' under which its super premium QLED 8K TVs will be available at special prices with discounts. The...

Malware delivery trends change every day. For the last few years, we have observed various hacker groups like ( APT12 to Turla ) uses various techniques to deliver malware on the system or network.

One of the best technique hackers groups used is to write malicious code and obfuscate it and embed with Office documents and deliver to the victim through Social engineering ( Spearphishing Attachment ).

Lack of user awareness results with (Compromising the system to lateral movement in the network). Let’s check out the tool Macro pack to do some automation in embedding malicious code into Office Documents.

Here we have used Kali Linux(Attacker Machine) and Victim Machine (Windows 10)

You can Download the Macro Pack from GitHub.

Attacker Machine:-

Macro Pack
  • Metasploit is a very good tool to understand the attack logic and infect Word or Excel documents with malicious Metasploit payloads.
  • Let me generate the malicious VBA code with Msfvenom.
Macro Pack
  • Here I have crafted a payload for VBA which can be embedded into Office Document and once a victim opens a malicious DOCX file, reverse connection should connect back to attacker machine to access and control victim workstation on port 443.

Generation of Weaponized Document:

Macro Pack

-f = input-file=INPUT_FILE_PATH A VBA macro file or file containing params

-o = obfuscate Same as ‘–obfuscate-form –obfuscate-names –obfuscate-strings

-G = generate=OUTPUT_FILE_PATH.

  • Most anti-virus programs can easily read the attacker’s raw code and block, so I used -o parameter to obfuscate malicious VBA payload.
  • Decoding the obfuscated code is quite challenging for most Anti-virus vendors.
  • Now your Weaponized document is ready to fly!

Starting Metasploit:

  • As soon as the victim clicks the malicious document “hikeletter.docx”, Attacker should get full access to the victim workstation.

Attacker Accessing Victim Workstation:

  • Victim compromised and full access to the system obtained! Shell! Shell! Shell!
  • According to below MITRE ATT&CK Matrix, an attacker can do lateral movement to the exfiltration of data.
Macro Pack

Virus Total Analysis:

  • I have uploaded this file to Virus total and found detection for 29/60. Other vendors say this document as clean or undetected category.
Macro Pack
Macro Pack

File-less malware’s are challenging and evolving faster. Windows utility ( Powershell) is abused in later stages to run an executable on the system local storage or run the code into memory itself.

Implement best endpoint solutions, Email Security products to block unsolicited emails or files. Spread awareness to employees with internal phishing exercises.

Happy Hacking!

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Source link

- Advertisement -

More articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest article

US sanctions Russian institute linked to dangerous malware – Latest News

Washington imposed sanctions on a Russian research institute tied to the development of a dangerous computer program capable of causing catastrophic industrial damage, a...

Dell: Data is fuel, 5G fabric for digital transformation: Michael Dell – Latest News

Reiterating that technology has never been more central than it is in the pandemic times, Dell Technologies chairman and CEO Michael Dell has said...

8K TV: Samsung launches The 8K Festival with QLED 8K TVs

Samsung has launched 'The 8K Festival' under which its super premium QLED 8K TVs will be available at special prices with discounts. The...

iPhone 12 Users Can Now Download OS Updates Over 5G Data

Apple finally introduced 5G support with the launch of its latest iPhone 12 series. Now, as iPhones support high-speed 5G networks, the Cupertino tech...