Base64 code in Malicious Macro

Salim Salimov
4 min read · Aug 19, 2023


Hey people, how is everyone today?

Let’s hack our own VM again. Those who have seen my last post (https://medium.com/@salim.y.salimov/how-a-hacker-can-get-access-to-your-computer-3090ed05a2d3) may have found the process too long and too complicated.

This one does the same thing but takes a shortcut: it skips some steps by putting base64-encoded code directly in the macro document.

Today I am not going to go into details about installing any of the software I will be using, but you can always check my previous posts, or, if you prefer, some googling will help as well.

In the previous posts, two malicious files were involved to get the actual agent downloaded and executed on the victim’s system. Now we are going to see how to do the same with a single file, combining the two files and their code into one VBA macro in a Word document.

Preparation:

  1. start the Caldera server and open the web interface
  2. log in as red team
  3. click on Agents, then Deploy an agent
  4. choose Sandcat, Caldera’s default agent, which uses HTTP
  5. put in the relevant IP address and rename the agent as you want, or just leave it as the default, splunkd
  6. copy the first generated code underneath and paste it into an empty document

This is the code we need to put into the macro, but it would not work as it is, because the line is too long. What we need to do is convert this code to base64, split it into smaller chunks, and then we will be able to add it.

  • choose encode to base64 at the top
  • copy the generated code from Caldera and paste it into the input field
  • choose UTF-16LE and tick “split lines into 76 character wide chunks” (it could also work if split differently, but I have not tested that)
  • then press the ENCODE button and you get your code converted to base64 underneath, in the Output field
  • copy the new code to an empty text document to save it for the next step

Creating the malicious document:

  1. get a Word document template or create one with Microsoft Office
  2. open it and click on View, then Macros, put in some name and click Create
  3. leave the next page as it is, and on the left side go into Microsoft Word Objects and double-click on “ThisDocument”
  4. choose Document and Open in the two fields at the top
  5. between the two lines of the second event we are going to place the malicious code, in this format:

Dim X As String
' VBA needs straight quotes; the base64 chunks go between the empty quote marks
X = "powershell.exe -enc "
X = X + ""
X = X + ""
X = X + ""
X = X + ""
Shell (X)

  6. put the base64 chunks, one line per pair of quotes, between the quote marks
  7. close the macro editing window
  8. save the Word document as a macro-enabled document and close it
  9. rename the extension from .docm to .doc so the document does not look too suspicious
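From the defender’s side, the string-concatenation layout above is straightforward to undo: replay the `X = X + "..."` assignments, find the argument after `-enc`, base64-decode it and decode the result as UTF-16LE (this is the same thing macro analysers such as olevba do). The following Python script is an added example and is not code from the post; it runs on a constructed sample macro that carries a benign `Get-Date` command encoded the way the post describes, and its smart-quote handling covers the curly quotes that copying from Medium or Word tends to introduce.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample macro: the same Dim / concatenate / Shell layout the post
# describes, but carrying a benign command ("Get-Date" as UTF-16LE, base64,
# split into two chunks). This is a test fixture, not real malware.
SAMPLE_MACRO = '''
Private Sub Document_Open()
    Dim X As String
    X = "powershell.exe -enc "
    X = X + "RwBlAHQALQBE"
    X = X + "AGEAdABlAA=="
    Shell (X)
End Sub
'''

# var = "literal"   or   var = other + "literal"   or   var = other & "literal"
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(?:(\w+)\s*[+&]\s*)?"(.*)"\s*$')
# Shell (X) / Shell X / Call Shell("literal"): capture a variable name or a literal
_SHELL = re.compile(r'^\s*(?:Call\s+)?Shell\b\s*\(?\s*(?:"([^"]*)"|(\w+))', re.IGNORECASE)
# Common spellings of PowerShell's -EncodedCommand switch, followed by base64
_ENC_FLAG = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)


def _normalize_quotes(text: str) -> str:
    """Map curly quotes (from Medium or Word) to the straight quotes VBA uses."""
    return text.replace('\u201c', '"').replace('\u201d', '"')


def rebuild_strings(vba: str) -> Dict[str, str]:
    """Replay simple VBA string assignments and concatenations, in source order."""
    values: Dict[str, str] = {}
    for line in _normalize_quotes(vba).splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        var, base, literal = m.groups()
        literal = literal.replace('""', '"')  # VBA escapes a quote by doubling it
        prefix = values.get(base, '') if base else ''
        values[var] = prefix + literal
    return values


def shell_commands(vba: str) -> List[str]:
    """Return the command strings handed to Shell(), resolving variable names."""
    values = rebuild_strings(vba)
    cmds: List[str] = []
    for line in _normalize_quotes(vba).splitlines():
        m = _SHELL.match(line)
        if not m:
            continue
        literal, var = m.groups()
        cmds.append(literal if literal is not None else values.get(var, var))
    return cmds


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), else None."""
    m = _ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(vba: str) -> List[dict]:
    """One record per Shell() call: the command, its decoded payload and a verdict."""
    findings = []
    for cmd in shell_commands(vba):
        decoded = decode_encoded_command(cmd)
        findings.append({
            'command': cmd,
            'decoded': decoded,
            # PowerShell launched from a macro with an encoded command is a strong
            # signal on its own; the decoded text tells the analyst what it does.
            'suspicious': 'powershell' in cmd.lower() and decoded is not None,
        })
    return findings


if __name__ == '__main__':
    for finding in analyze(SAMPLE_MACRO):
        print(finding)
```

Point the script at the VBA text extracted from a sample (for instance olevba’s output) and it reports each Shell() command together with the decoded PowerShell; the split-into-chunks trick disappears as soon as the concatenation is replayed, so it gives the analyst nothing extra to untangle.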

Let’s now test it:

  1. transfer the document to a virtual Windows machine for testing
  2. get back to the Caldera web interface on the host machine
  3. double-click on the document in the virtual machine, keeping an eye on Caldera on the host machine

You can notice that PowerShell is running on the taskbar. The agent is deployed and communicating back to the attacker.

This is just another way attackers can get control over a victim’s machine. Once the agent is deployed, they can run a variety of commands and get full access to that machine.

I hope that was an interesting article, as it’s always good to see things from the hacker’s point of view in order to protect ourselves from what they can do. Thanks for reading and see you in my next post :).
